Digital Policy Economy & Business India South Asia

Issue Brief

September 16, 2020

Aligning India’s data governance frameworks

By Mark Linscott and Anand Raghuraman

Catalyzing digital India’s growth

Prime Minister Narendra Modi’s vision to usher in another half a billion Indians online is a fitting goal for an ambitious, young digital nation. Yet closing India’s digital divides and developing a robust digital economy will require a moonshot effort that leaves little room for error. Each actor in India’s digital ecosystem has a vital role to play and unique value to contribute. India is too big and its challenges too immense to become the exclusive domain of current global technology leaders or the walled garden of homegrown champions. Policy frameworks must recognize that the enduring strength of the nation lies in its diversity, dynamism, and connectivity, and that the digital domain must reflect this ethos. Fair and fluid competition, sustained innovation, protection of privacy, and holistic national security policies—these are the hallmarks of a leading digital economy and the benchmarks that should guide India’s emerging data governance and digital trade frameworks in the twenty-first century. With clarity of purpose and unity in effort, India can lead with confidence and forge a digital architecture that is a model for the world and a linchpin of its global partnerships.

Core recommendations

Creating one privacy-focused regulator:

The PDPB, e-commerce policy, and NPD report each call for new regulators that would have broad jurisdiction, enforcement authority, and unique compliance requirements. Multiple sources of oversight are likely to generate misaligned directives on privacy and data governance for foreign and domestic companies alike, bureaucratic infighting among new and existing regulators, a heavier compliance burden on Indian startups, and a new set of reasons for foreign investors to think twice about increasing their exposure in the Indian market. Streamlining the regulatory architecture will therefore yield clear dividends. As a first step, India should set up a single Data Protection Authority focused primarily on protecting personal data privacy. This is a huge and important task in and of itself, and successful enforcement of privacy protections will help safeguard Indian citizens’ constitutional rights across digital domains. Meanwhile, lawmakers in Delhi should recognize that not all policy challenges require new regulators. They should scrap plans to create an NPD regulator and remove data regulation from the jurisdiction of e-commerce regulators, which should instead focus on consumer protection. Indeed, India already has regulators, such as the Competition Commission of India (CCI), that can help address concerns about data dominance and network effects that animate the push for NPD regulation and e-commerce regulation. Ensuring these existing bodies can address such challenges and coordinate with sectoral bodies and other ministries will be crucial for effective oversight going forward.

Leveraging cross border data flows:

The PDPB, e-commerce policy, and NPD report each call for some form of data localization focused on critical and sensitive data. Broad localization requirements will not only raise compliance costs for companies investing in India but also set a precedent that could lead other countries to impose similar localization restrictions—which would limit Indian firms’ ability to serve cross-border customers. As such, India should approach data localization with caution and surgical precision, and simultaneously create flexible and reciprocal pathways and mechanisms allowing for cross-border storage and processing of Indian data in countries that meet specific standards of privacy protection and law enforcement cooperation. Though MeitY officials have previously alluded to this possibility, formally embedding and developing these

mechanisms in the PDPB would create natural opportunities to strengthen digital cooperation and defuse trade tensions with trusted partners, especially the United States and the European Union, and propel India on its path to global leadership in this area as it looks ahead to hosting the G20.

Building a global consensus on non-personal data:

As a matter of first principles, the GOI should only encourage data sharing by companies on a voluntary basis through partnerships or other systems that respect property rights and create incentives for data pooling. Data sharing mechanisms envisioned by the NPD report would give uninhibited power to the data regulator and leave firms little to no recourse to appeal frivolous or strategic data sharing requests by their competitors or the state. Far from promoting innovation and investment in India, this approach to data sharing would radically undermine it. India should recognize that NPD regulation is a new and untested field where widely accepted international norms have yet to emerge. Before committing to significant overhauls of existing data governance and intellectual property frameworks, India should create a new working group among fellow leading digital powers to carefully study emerging and comparative approaches to NPD governance and help shape a global consensus on this issue.

Reforming intermediary liability regimes to curb online harms without compromising on an open internet:

GOI attempts, as reported by the media, to define specific requirements for “social media intermediaries” are a significant development, as industry has raised concerns around broadly applying such requirements to all intermediaries (e.g., to cloud service providers and data processors).1Karishma Mehrotra, “IT rules to separate social media firms, other online platforms,” the Indian Express, January 16, 2020, technology/social/it-rules-to-separate-social-media-firms-other-online-platforms-6218697/. However, these proposed requirements appear to include obligations such as proactive monitoring of content and local incorporation, which would discourage innovation and curtail freedom of expression. A more practical approach to intermediary liability reform could involve: (1) making proactive monitoring voluntary with good samaritan protections; (2) allowing social media intermediaries to appoint a nodal point of contact for engagement with law enforcement agencies instead of requiring social media intermediaries to establish permanent local offices; and (3) prioritizing content review for certain content categories like child sexual exploitation. Further, the GOI should introduce more transparency around its own takedown requests, as well as processes, and regularly publish such information, to create a more predictable regulatory environment and better promote compliance.

The South Asia Center (SAC) is the hub for the Atlantic Council’s analysis of the political, social, geographical, and cultural diversity of the region. ​

At the intersection of South Asia and its geopolitics, SAC cultivates dialogue to shape policy and forge ties between the region and the global community.

Related Experts: Mark Linscott and Anand Raghuraman

Image: Image by evelyneviret from Pixabay