Whose Data Is It Anyway?

Rulers are judged, in the long run, by the path-breaking changes they bring in to their country of their rule. Some could be necessitated by the time, many others could be innovative, visionary thoughts by the rulers.

India today is in a state that needs a change necessitated by the time. The change will revolutionise the country, future of its citizens, and its long-term prospects as a major economy and world power. The change India needs is in the space of data.

India has been historically ruled by invaders who plundered its wealth, ruined the economy, and changed the countrymen into just about bonded labourers. The last in the series was the British who came in the pretext of doing business with India in AD 1700 when India was contributing 27 per cent of the global gross domestic product, which was systematically reduced to 23 per cent by AD 1800 and to a little over 3 per cent by the time the British left India in 1947, leaving 90 per cent of Indians under poverty.

India, today, is in a similar path, in a different area though. If India was known for its spices, cotton and diamond wealth in 1700 when the British began conquering princely states one after another, India, today, is a global leader in data – of data generation and data processing. That’s bringing in a lot of global companies and global leaders to New Delhi. To be precise, if there is a swarm of global leaders prostrating before India, today, it is to be attributed to one single factor – data.

Everyone wants data. Individuals want others’ data. Companies want other companies’ data, citizens’ data, governments’ data. Countries want other countries’ data, large corporations’ data, civil groups’ data. It’s a crazy world out there fighting for a share in the data pie – from individuals to corporations to nation states. The reason is just that the next world order will almost be decided on the power of data. As Prime Minister Narendra Modi righty reflected in the World Economic Forum this year, ‘the one who controls data will be the (next) world leader’.

This calls for ample policies to control one’s own data, if not reaching out to another’s data. If there is a second country after the US that has understood this early on and started working on in that direction, it is China.

China has been acting on this space in a very well designed manner since early this century. Therefore, China today has a hard grip on data – anything to do with data in its territory. China does not allow in its territory global biggies which mine and monetise data such as Google, Facebook, Instagram and most of the US-based social media companies. China realised early on that these US companies are doing nothing but pillaging the users off their data, storing within the US territory and offering users ‘value added services’ using their own data. China banned them, and instead, allowed its local clones to mushroom and thrive, thereby creating a homegrown social media ecosystem.

Chinese restrictions are not just on personal data collection, but also on ‘all critical information infrastructure’, a phrase used for anything and everything on data.

There are two critical aspects China is duly concerned about in allowing foreign companies to loot its citizens of their data. While allowing the foreign companies to take Chinese data out of its territory and store in a different geography, the country has lost control over its own data permanently because geographic jurisdiction takes precedence over other commitments of contracts and bilateral/international treaties. Data once gone out of one’s territory is gone forever, China believes.

Secondly, what is the sovereign imperative for a country in allowing foreign companies to loot its citizens’ of their data and allow them to monetise with little or very little value addition. It is a repeat of colonial fortune hunters who have gone on expeditions for spices, cotton, coal, gold, diamond and oil over the last many centuries.

It is not just China that is getting tough on data with the new age clones of these fortune hunters, it’s Russia, Germany, Australia, Brazil, and even smaller African countries like Nigeria. The much publicised European General Data Protection Regulation (GDPR) restricts movement of data to another country unless European Union (EU) certifies the country as having same level of data protection standards as EU. Only 12 countries have so far been approved for sharing of data by EU. Even data sharing with the US is being limited to the privacy shield framework over there.

Therefore, the Indian policy makers should be really worried about allowing movement of data out of India and permitting foreign companies to make profit out of Indian citizens’ data under the proposed Personal Data Protection Act (PDPA). Did Indian policy makers understand its implications?

The most important Indian citizen who understood the ramifications of the emerging global economic order from data hegemony is none other than the Chairman of the Committee that drafted the PDPA Bill Justice B N Srikrishna. Without mincing words, he referred to this in his report that accompanied the bill, “in its operation, the freedom to share personal data in the digital economy operates selectively in the interest of certain countries that have been early movers. For example, the US can, without any detriment to its national interest, support a completely open digital economy by virtue of its technological advancement. The need for local enforcement is also largely accounted forowing to the personal jurisdiction that the US exercises over a large number of technology companies as well as the large volumes of data stored in its territory”. He, therefore, warned that “any advocacy of complete freedom of transfer of personal data in the digital economy, must perhaps be viewed cautiously”.

The Committee under Justice Srikishna has done phenomenal work in assessing, understanding, analysing and concluding what is the most appropriate for the country, keeping in mind the interest of the country, the need to grow its IT industry and its innovation capabilities.

During the process of consultations, Justice Srikrishna explored a policy to prevent copies of personal data from being moved out. He pondered over keeping one serving copy of personal data in India while transferring another or a stricter requirement that personal data be processed only within India, and finally reached the conclusion that it is in the best interest of the country to allow processing anywhere, but to have a control on the data by ensuring a mirror copy within its territory. Local storage of personal data, he found, is intrinsically connected to the enforcement of domestic law in general and data protection, in particular.

Expectedly, this position is being opposed tooth and nail by US data hegemonies who want to take control of the data soon after it is originated, and to become a law unto themselves in dealing with data. It is also a larger US agenda to monopolise the global data and store it in its territory, through its cloud, social media and processing companies, in order to retain its global leadership position in the new and emerging world order.

The kind of half-baked truths and lies that have been parried around with the intention of defeating India’s well deserving right to ask foreign companies to keep a copy of Indian citizens data in India while moving Data overseas makes one believe that their intentions are not well meant. For instance, under the recently enacted CLOUD Act in the US every time a government needs an access to any data from a private US company, it needs to go through an elaborate legal process of subpoena (court order).

Therefore, once an Indian citizen’s personal Data has gone out of Indian territory and becomes the property of US company sitting in the US territory, Indian law enforcement agencies too have to go through a legal process. Not just that, India needs to enter into a bilateral/multilateral agreements accepting the CLOUD Act to seek access to data sitting in the US territory.

Justice Srikrishna has foreseen some of these criticisms and was smart in dealing with these in the report. “A requirement to store personal data locally would boost law enforcement efforts to access information required for the detection of crime as well as in gathering evidence for prosecution. This is because it is easier for law enforcement agencies to access information within their jurisdiction as compared to awaiting responses to requests made to foreign entities which store data abroad,” the report noted.

The report also rightly captured that The Mutual Legal Assistance Treaty (MLAT) process for accessing data across the border as flawed and time-consuming and noted that these may not be the ideal enforcement solution to access data for third countries.

Beyond the localisation requirement, India PDPA Bill has provided for classifying data based on its criticality – as personal data, sensitive personal data and critical sensitive personal data, and left it to the government to decide on what kind of sensitive personal data should be critical data that cannot be moved out of India. Going by examples set by some of the large nation states, biometric, genetic, health and finance data should form critical data. In fact, this is the data set most of the US companies are interested in, going by their thirst for data and the drive for making profit from data.

So, a prudent Indian government will classify these critical personal data to be out of bounds of global corporations with profit motives, in order to offer the kind of privacy Indian citizens deserve, without succumbing to the mounting pressure from the US companies, some of them have annual turnover larger than the combined GDP of blocks of countries in Africa, Asia and Latin America.

In the long term interest of the country and its citizens, Indian policy makers will have to manoeuvre through the pressures being put through the US government, US corporations and their money power, and offer the country a data legislation that protects the interests of its citizens, and not that of US corporations.

Vikramaditya contributes on burning technological issues.