Keeping data flowing is in India’s interest

Co-authored with Geoffrey Manne. Originally published by The Times of India (28 March 2023).

Mandates to restrict the flow of data across national boundaries have taken hold in a growing number of jurisdictions, including India. Spearheaded by nations like China, Iran, and Russia, the idea has vocal proponents among those who claim it will forward the goal of “digital sovereignty.”

Learning from global experiences can help Indian lawmakers build regulations that align with global standards and benefit businesses in growth. However, just as some Indian politicians have raised concerns about “technological colonization,” India would be well-advised not to rush into unreflective copying of foreign policy fashions. The free and open Internet, perhaps unpopular in some Western policy circles, remains among the key tools for economic advancement on the global stage.

What is popular in some Western policy circles is to present restrictions on cross-border data flows as a mechanism to build national prosperity or resilience. This narrative is misleading. Especially for a growth-leading economy like India’s, this policy can easily become a significant impediment to trade and technological innovation. Indeed, the growth potential of India’s digital economy can be realized only if the country creates an enabling environment of policies, platforms, and partnerships suited to the “borderless” character of the digital world, in which capital, innovation, data, and design capabilities flow to countries that offer the fewest impediments. This is of paramount importance given that a 2019 report by India’s Ministry of Electronics and Information Technology predicted that India could have a $1 trillion digital economy by 2025.

There are, of course, legitimate reasons to restrict the flow of personal data to specific places that pose genuine and significant risks of that data being abused. The European Union’s General Data Protection Regulation (GDPR) started with a sensible idea of implementing a principle-based assessment of whether transferring personal data to a third country would come with such risks.

The saga of EU-US data flows has shown, however, that such legal principles can take on a life of their own. Indeed, they can be interpreted against the intent of their makers and even arguably against the general interest of those they were created to protect. Due to some well-meaning but myopic legal interpretations, the free flow of information between Europe and America may be in peril, and we must hold out hope that the new framework for EU-US data flows drafted by the European Commission will withstand judicial scrutiny.

The lesson for India is that, even if Europe and America could perhaps afford an “Internet decoupling,” neither side is willing to accept the cost, and both have worked hard to avoid it. Crucially, India would pay a much heavier price for such decoupling from Europe or America. A rapidly developing economy with ambitions to leverage technological progress as a bridge to prosperity cannot afford to throw away the greatest catalysts: the free exchange of knowledge and access to state-of-the-art digital services.

Even short of a full decoupling, data localisation initiatives can have costly and unintended effects. In 2018, the Reserve Bank of India imposed a data-localisation requirement on payments data, intentionally making it more difficult for international payments processors to operate. It remains unclear how this policy benefited Indians in general, but it very likely made life easier for illicit finance. The requirement added considerable friction for state-of-the-art compliance systems, which normally rely on cross-border transfers of data.

India’s proposed Digital Personal Data Protection Bill should be seen in this context. The Ministry of Electronics & Information Technology released the latest draft of the bill (its fourth iteration) on November 18, 2022. In an encouraging sign, the government removed some strong data-localisation provisions that were present in an earlier draft. Nevertheless, the still-included rule on transfer of personal data outside of India remains concerning. Unlike the GDPR, it does not provide any principles by which the lawfulness of data transfers is to be judged, creating a sphere of significant legal uncertainty.

The draft of the Digital Personal Data Protection Bill permits cross-border interactions of data with “certain notified countries and territories.” According to the bill, “The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.” No countries are named in the draft. This proposal creates regulatory uncertainty that could deter strategic investments in the field.

The current draft of the bill also contemplates creating two entities: a Data Protection Board of India and another, unnamed legal entity that would seemingly be part of the Electronics Ministry itself. This supervisory scheme risks being seen as lacking sufficient independence, which could create problems for compatibility of India’s data protection law with the EU’s GDPR. In turn, such incompatibility with the GDPR could lead to similar problems for India’s technological cooperation with the EU as we now observe between the US and the EU.

Also, unlike the GDPR, the bill makes the lawfulness of data transfers exclusively dependent on the whims of the central government. Even in the absence of an “adequacy” decision from the European Commission for a given third country—for example, after the EU-US Privacy Shield was struck down—the GDPR still allows individual businesses to assess the risks associated with data transfers and to conduct them, for example, under “standard contractual clauses.” Hence, in addition to notifying countries for data transfers, the government should also consider alternative mechanisms of data transfer such as model contractual clauses, certifications, and binding corporate rules in line with global precedents (e.g., GDPR, Japan, Australia, Singapore). Such additions will help provide predictability and some flexibility to companies in cases where a certain country is not whitelisted.

Yet even if the Digital Personal Data Protection Bill is improved to provide more legal certainty, the question remains whether restricting data flows is the right approach for India. Such restrictions may come with momentous consequences, such that they probably should be subjected to the democratic process, with any prohibited jurisdictions detailed explicitly in the statute. In other words, given the potential costs involved, where there is a genuine national security reason to “decouple” from some country, this decision should be taken by Parliament.

With hindsight, even the EU would likely not have adopted some of its current regulations. India has an opportunity to avoid some of the pitfalls of the GDPR regime, and to tailor its data protection rules to its unique circumstances. It would be a mistake to hew too closely to the European regime, especially those aspects which EU officials have reasons to regret.