With its latest draft data privacy bill, India has opened up intriguing possibilities for a shift in global digital diplomacy—a new alignment between New Delhi, Washington, and Brussels that could reinvigorate digital trade and reshape the rules of the road in the digital economy. The key to it all is India’s new approach to data localization, which would now permit cross-border data flow into “certain notified countries.”
The new approach marks a relaxation of India’s hardline stance on data localization, and it comes as New Delhi looks to streamline and pass national privacy legislation after nearly five years of exhaustive deliberations. Previous versions of the privacy bill—which restricted transfer and storage of sensitive and critical data outside Indian borders—were criticized by foreign governments and global technology companies as introducing unnecessary barriers to digital trade and promoting the rise of a splinternet. For their part, Indian officials maintained that data localization was necessary to defend national sovereignty, ensure timely law enforcement access to data, bolster local firms vis-à-vis Big Tech competitors, and spur investment in local cloud storage.
Setting aside the specific merits of these arguments, it’s clear that the tensions on data localization came with diplomatic costs—for India and for its strategic partners. For example, the tensions strained trade ties with the United States and the European Union (EU) and helped forestall any serious attempt to negotiate bilateral free trade agreements. In 2019, it resulted in India refusing to sign on to the G-20 Osaka Track declaration, in which host nation Japan pitched “data free flow with trust” (DFFT) as a model framework for secure cross-border data flows. More recently, Indian trade officials cited the country’s stance on data localization to explain, in part, why New Delhi would not join the trade pillar of the Biden administration’s Indo-Pacific Economic Framework (IPEF).
Indeed, India was the only nation participating in IPEF that would not agree to discuss all four pillars of the agreement.
The bottom line is this: India’s stance on data localization constrained its ability to engage in digital diplomacy. With a new privacy bill, however, it has outlined a compromise option. While it may not satisfy critics of the bill batting for more permissive cross-border data flow regimes or the hardened nationalists favoring sharper data localization restrictions, the Indian bill gives New Delhi flexibility to balance multiple national interests.
However, India’s data localization pivot also raises two obvious questions. Which countries will the Indian government deem safe for cross-border data flow? Moreover, what criteria will New Delhi use to make that determination? India’s draft bill is silent on both matters, stating only that “an assessment of relevant factors by [the] Central Government would precede such a notification.” Final legislation or subsequent implementing regulations will need to offer clarity.
This process puts India squarely in the driver’s seat. For example, India could choose to whitelist strategic partners like the United States or European Union on the basis of shared values and national security interests. It could require that whitelisted countries have a sound data protection framework that provides suitable protection to Indian data transferred overseas—just as the EU has adequacy standards under the General Data Protection Regulation regime. It could even leverage the whitelist as a bartering chip in bilateral trade talks with the European Union and the United States, securing reciprocal concessions in exchange for deeming both countries fit for cross-border data flow.
The possibilities are vast, but they do not eliminate the need to make choices and move swiftly. India will hold the G-20 presidency in 2023 and look to elevate digital cooperation as a centerpiece of its global agenda. While the Indian government is likely to prioritize efforts to export India’s model of digital public goods, there is a clear opportunity to forge a baseline consensus on cross-border data flows, perhaps through a reimagined “DFFT 2.0” framework or a flagship “New Delhi Digital Compact.” This would be a lasting achievement for India’s G-20 presidency and one that could help knit together the US, European, and Indian digital ecosystems in the years to come.
With these goals in mind, India should advance four key efforts over the course of the next year:
- Move quickly to pass the data privacy bill in parliament early in the year. If there is space for more permissive cross-border data flow regimes—i.e., a “blacklist approach” where only nations deemed “untrustworthy” face cross-border flow restrictions—India should pursue it. At the very least, it should maintain the opening for cross-border data flow into trusted foreign countries.
- Spell out the broad criteria they will use to whitelist countries safe for cross-border data flow. These should include countries’ geostrategic alignments, respect for democratic values, domestic data privacy frameworks, and trade and investment potential. Whitelisted countries should ideally satisfy criteria drawn from all four buckets, but India could opt to maintain leeway to select non-democratic countries in the Gulf with whom it enjoys strong geopolitical and economic ties.
- For key strategic partners such as the United States and European Union, signal a willingness to allow cross-border data flow but use the opportunity to kickstart a broader negotiation on digital economy issues. India and the EU have already set up the EU-India Trade and Technology Council, but the United States and India lack a similar high-level forum to align policy frameworks for the digital economy. Filling this gap with a new “digital economy ministerial” is vital to driving US-India trade and technology cooperation forward and operationalizing the vision for a bilateral “digital handshake.” The United States and India should look to begin these conversations early next year when US Secretary of Commerce Gina Raimondo visits India for the US-India CEO Forum.
- Finally, India and its partners within the Quadrilateral Security Dialogue (QUAD) should explore ways to strengthen interoperability between the four countries’ emerging privacy laws and cross-border data flow frameworks. This would help substantiate the existing “Quad Principles on Technology Design, Development, Governance, and Use” which remain a statement of ambition, not a basis for action. The QUAD can also begin to explore targeted areas for deeper law enforcement cooperation and evidence sharing. This will require tough conversations around the role of state surveillance in each country and institutional checks on government power. Yet, this is precisely the kind of frank discussion that trusted partners should drive.
Indeed, trust is increasingly the coin of the realm in the global digital ecosystem. It is vital to sustaining the cross-border data flows that underpin global commerce and connectivity in the twenty-first century. With its data localization pivot, India has opened space for more robust digital diplomacy that can bridge the gaps between the world’s largest digital democracies and help prevent the global digital ecosystem from splintering further.
This is an exciting project for an ambitious country—one that is ready to show the world that Digital India has arrived.
Anand Raghuraman is a non-resident fellow with the Atlantic Council’s South Asia Center and Director at the Mastercard Policy Center for the Digital Economy.
The South Asia Center is the hub for the Atlantic Council’s analysis of the political, social, geographical, and cultural diversity of the region. At the intersection of South Asia and its geopolitics, SAC cultivates dialogue to shape policy and forge ties between the region and the global community.