A new vision for EU-Asia data privacy cooperation

The European Union (EU) and nine countries in the Indo-Pacific have a bold new plan for promoting global data governance: link Europe and Asia’s data privacy frameworks through common principles and lay the foundation for a new digital order.

This vision, articulated on Monday through a joint declaration following the recent “EU Ministerial Forum for Cooperation in the Indo-Pacific,” raises intriguing new possibilities for bilateral and multilateral cooperation on data governance. It also cuts against the dominant narratives of the day of growing tech wars and splinternets, presenting a glimpse of the alternative digital economy that lies within reach if digital democracies come together. 

For this alone, the joint statement is worth parsing and considering closely. Four observations stand out:

1. Japan’s “Data Free Flow with Trust” concept returns
At the 2019 G20 meeting in Osaka, the Japanese government introduced the concept of “data free flow with trust”—focused on bringing together countries on data governance frameworks that, essentially, encouraged open data flows with appropriate safeguards in place. If it sounds vague, that’s because it was; Tokyo’s intent was to begin a conversation among countries (India, the US, and the EU bloc included) about data policy cooperation. Nonetheless, the Indian government rejected the concept following the G20 session and refused to sign the so-called Osaka Track agreement. Piyush Goyal, India’s Minister of Commerce and Industry, later elaborated: “Moreover, in view of the huge digital divide among countries, there is a need for policy space for developing countries who still have to finalize laws around digital trade and data. Data is a potent tool for development and equitable access of data is a critical aspect for us.”

This begs the question of why the Indian Ministry of External Affairs is now endorsing a statement that says in the second sentence that it wants “to foster data free flow with trust.” One possibility is that this is somewhat of a pivot. The phrase “data free flow with trust” is very closely tied to the Japanese government’s 2019 efforts, and New Delhi had vocally rejected that agreement. Yet it is more likely this is just a communique from the Indian Ministry of External Affairs. India quite clearly had previously agreed in general with the statement that countries should encourage open data flows with safeguards in place. It was the operational specifics of that view which put India in quite a different place than Japan and the EU—for instance, a push for data localization and a greater desire to impose costs on powerful, American technology firms. The ministry is likely just reiterating its interest in that general idea.

2. India’s Personal Data Protection Bill will put the declaration to the test
The Modi government’s efforts to chart a comprehensive data regime, via its Data Protection Bill, will be the litmus test of its aspirations and overall approach to integrating digital economies. Will the bill minimize data-localization restrictions and create space for India to align more closely with Europe and digital democracies in Asia, or will India chart its own course on data governance in the name of digital self-reliance? This question carries added weight and geopolitical salience as India sits at odds with the West vis-à-vis Russia’s invasion of Ukraine and as the Indian elite react to Western tech companies severing ties with Russia in one fell swoop. Indian commentators and private sector leaders observing the recent developments have claimed that they vindicate Indian Prime Minister Narendra Modi’s self-reliance campaign, India’s concerns around digital colonialism by Big Tech, and its desire to build up domestic champions and indigenous platforms. These views could limit India’s appetite and ability to coordinate with European and Asian partners on data governance.

3. Principles reflect the EU’s first-mover advantage
Though all this may signal somewhat of a pivot in India’s position on data free flow with trust ideas, the statement’s principles reflect EU concepts and cements the EU’s advantage as a first-mover. Many components in India’s data bill already mirror–at least in part–Europe’s General Data Protection Regulation (GDPR), such as with language around consent, controllers, processors, and data subjects. The statement’s emphasis on lawfulness, fairness, transparency, purpose limitation, data minimization, limited data retention, data security, and accountability underscore that European concepts continue to inform the global data governance discourse. For even if they did not come from Europe per se, these terms have become associated with the EU’s privacy regime, and their continued use bolsters some notion of the GDPR’s influence. As always, though, the devil is in the details. Lawfulness quite likely means something very different to the current Indian government than it does to many EU officials.

4. Engagement with the US? And more with the EU?
There have been many challenges in India-United States data cooperation, as a new Atlantic Council issue brief describes. American policymakers and companies quite aggressively lobbied against data localization provisions in India’s data protection bill, and many Indian policymakers would say that US counterparts were too quick to dismiss data localization out of hand without hearing more about specific concerns behind it (e.g., the broken India-US Mutual Legal Assistance Treaty process for Indian law enforcement to request data on Indian citizens from US companies). For its part, the Indian government has also been reluctant to engage the US government directly on data policy issues, often saying to wait until the data bill is passed. The language in the statement about engaging bilaterally and multilaterally could signal a slowly shifting view on the Indian government side, though that is purely speculative at this stage. It could also indicate more Indian government outreach to the EU—which is informative as the United States has largely dominated New Delhi’s data policy thinking, and because the EU would need to give India adequacy for data transfers if the data bill became law.

Conclusion
Looking ahead, the EU and its Asian partners have profound and tantalizing opportunities to reshape the global digital commons. Interlinking privacy regimes to foster secure cross-border data flows while protecting individual privacy is just the start, though it represents no small task. As the EU looks to implement the newly finalized Digital Markets Act, policymakers in Asia will likely explore similar regulations to exert greater oversight over large global technology companies and the data they control. 2022 could very well mark the opening salvo of an emerging regulatory blitz, and US companies long accustomed to light touch regulation will have to rethink business strategies in view of these coming policy shifts. 

Anand Raghuraman (@akraghuraman) is a non-resident fellow at the Atlantic Council’s South Asia Center.

Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative.

The South Asia Center serves as the Atlantic Council’s focal point for work on the region as well as relations between these countries, neighboring regions, Europe, and the United States.

Related Experts: Anand Raghuraman and Justin Sherman

Image: European Union flags fly outside the European Commission headquarters in Brussels, Belgium, February 19, 2020. REUTERS/Yves Herman/File Photo