In April this year, US President Joe Biden enacted the Reforming Intelligence and Securing America Act (RISAA). This law renews Section 702 of the Foreign Intelligence Surveillance Act (FISA), known as the US Wiretap program. It extends the program for two more years. FISA forces US companies to share foreign users’ communications with the US government without a warrant when the issue is considered a matter of “national security”. The communication data covered includes emails, texts, and call details.
The US government can demand that cloud services like AWS, Google Cloud, and Microsoft Azure (all Americans) hand over data from Indian users that are considered security threats. FISA also covers businesses that have access to devices like routers. Commercial landlords with office spaces must allow the US government access to their communication networks. Foreign citizens using American platforms could have their data accessed by the US government without their knowledge or consent.
RISAA thus demands a shift in global information governance and management practices, privacy rights, and operations involving data, particularly those related to military, security, and mission-critical infrastructure. For a country like India, with its exponentially burgeoning digital infrastructure—both private and public—and a population heading towards 1.5 billion, the enormous volume of data generated daily can hold the potential to drive innovation and economic growth. however, if left unprotected and subject to the whims of one or more global superpowers, it can make India susceptible to surveillance, cyber threats, and, more importantly, economic exploitation.
Given the global hyper-connectivity and information fluidity across borders, ensuring data sovereignty is necessary, but more is needed. Data sovereignty advocates that data be subject to the laws and regulations of the country and be located locally to ensure compliance. Data sovereignty is a matter of regulatory compliance and a strategic necessity for India’s aspirations for economic self-reliance, technological leadership, and safeguarding democratic values in the digitized world.
India’s rationale for adopting and enforcing enhanced data sovereignty laws is multifaceted. Firstly, it’s a crucial step towards protecting the privacy of Indian citizens, who are increasingly vulnerable to data breaches. A solid legislative framework can act as a bulwark against foreign surveillance, safeguarding sensitive government and military operations while promoting national security, indigenous enterprises, and economic prosperity. A sovereign stance on data also empowers India to negotiate more effectively, shaping global digital standards that reflect its interests and enhancing public confidence in digital initiatives.
We must also move beyond the traditional narrative surrounding data sovereignty that focuses predominantly on “localization” – the concept that data should be stored within the country of origin. Merely storing data locally does not shield Indians from foreign surveillance, nor does it address how local actors might exploit this data. The perspective of conflating data sovereignty with data localization, without considering accompanying data protection and data infrastructure ownership, is thus incomplete and inadequate.
Protections
The European Union’s General Data Protection Regulation (GDPR) has set a precedent by enforcing guidelines that grant EU citizens significant control over their data while imposing strict obligations relating to the access and management of data on companies. The EU’s digital approach, focusing on safe data handling, privacy, and open algorithmic actions, might be a sensible starting point for a unified method towards ensuring digital independence while encouraging innovation and economic growth.
Another example is the UK-US bilateral agreement addressing concerns about surveillance under FISA’s Section 702. The UK-US Data Access Agreement, effective October 2022, does not directly limit Section 702 surveillance; however, it provides a structured framework for balancing law enforcement demands while addressing surveillance concerns. Key provisions include reciprocal data access, serious crime investigations, judicial oversight, and restrictions on targeting the citizens of other countries. The agreement formally emphasizes data minimisation, prohibits bulk data collection, and maintains encryption integrity and human rights safeguards. While the deal doesn’t fully address mass surveillance concerns, it represents a practical approach to more accountable data access for legitimate law enforcement purposes. Moreover, it insists on a reciprocal arrangement, making the process legitimate and more transparent. However, relying solely on a bilateral agreement is insufficient to safeguard Indian citizens, India’s democratic structure, and even Indian corporate data.
India could potentially establish, with other countries, bilateral (or multilateral via, say, BRICS) arrangements similar to the UK-US Data Access Agreement. To make such agreements work, India must negotiate and ratify a bilateral (or multilateral) agreement that aligns with other countries’ legal systems and data protection laws. For example, In India, a future comprehensive data protection law should be the starting point, but the agency of ownership for the data should be the individual; in the US, it would involve the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which provides the legal basis for such agreements.
Such an exercise would undoubtedly require significant diplomatic effort and careful consideration of legal and technological realities. However, if successfully implemented, it could provide a structured framework for data sharing that balances law enforcement claims with privacy protections and sovereignty concerns.
Moving towards a vision of digital sovereignty for India involves a comprehensive and strategic approach. India has the opportunity to pioneer a unique path toward digital sovereignty. Besides paper policies and regulations, investments in hosting and processing facilities within India will minimize reliance on foreign data centres, thus retaining control while paving the way for a surge in tech-driven, high-value economic activity.
India might consider adopting industry-specific data localization measures. These measures would selectively apply stricter controls on sensitive information such as financial and health records while allowing more flexibility for other data types. This stratification can maintain data sovereignty without undermining global commerce and collaboration.
Most importantly, India must build domestically owned and operated cloud infrastructure to maintain the sanctity of its data and competitive digital economy.
Local infrastructure, global pipes
Another crucial step forward is enhancing India’s digital infrastructure. It is vital to develop local digital platforms and technologies that can compete with international giants while adhering to Indian laws. Beyond merely building physical infrastructure, cultivating indigenous technologies and digital ecosystems is essential to support India’s aspirations for digital autonomy.
Internet infrastructure is generally conflated with data centres. Also critical are the pipes and plumbing through which Internet data flows—mainly undersea cables. Most of these tens of thousands of cables, which carry nearly 99 per cent of global internet traffic, are built and owned by the US-dominated G7 grouping, with China aggressively increasing its share of the traffic at an even faster rate.
India should be concerned about the vulnerability of subsea cables to espionage and physical disruption, as highlighted by the ongoing US-China tech battle over underwater internet cables. Any disruption could significantly impact India’s internet connectivity and data sovereignty. Allegations of Chinese repair ships potentially engaging in espionage and geopolitical tensions heighten security risks around these vital data pipes. To address these risks, India should begin investing in its undersea internet pipes on a war footing. This proactive measure will help ensure the security and resilience of India’s subsea cable infrastructure, safeguarding national security and maintaining robust international communications.
Through diplomacy, India can advocate for cross-border data treaties that equitably address surveillance concerns and establish robust standards for data protection and cyber intelligence sharing.
Equipping citizens with knowledge about the value and vulnerabilities of their data will empower them to make informed choices, demand better protections, and drive market forces toward more secure data practices and services. Stringent guidelines must be established on how domestic and foreign entities can access and use data. These rules must prioritise the individual’s right to privacy and demand a judicial review before any surveillance can be conducted. An unequivocal procedure must be in place to disclose data access practices. Knowing when, why, and how entities access personal data is crucial for accountability.
By embracing these measures, India can forge a path toward digital sovereignty that secures its citizens’ data and national interests and establishes India as a formidable global digital power. In doing so, India can navigate the intricacies of global data politics, assert its digital autonomy, and balance individual rights and collective digital prosperity. By tailoring lessons from global best practices to fit the domestic context, India can take an international lead by example.
K Yatish Rajawat and D. Chandrashekar work at a Gurgaon-based think-and-do tank, Centre for Innovation in Public Policy. The views expressed in the above piece are personal and solely those of the authors. They do not necessarily reflect News18’s views.
Comments
0 comment