Building Trust in Shinzo Abe’s Idea of Data Free Flow with Trust
By – Anupam Jha and Mohd. Owais
India assumed the Presidency of the G20 on 1st December 2022. The Troika now consists of India, Indonesia and Brazil, which are seen as representing the global south. In the words of Prime Minister Modi, “On one hand, India has close relations with developed countries and on the other, it understands the views of developing countries very well and it gives voice to them. It is on this basis that we will create a framework for G20’s presidency along with all those countries of the global south that have been for decades fellow travellers of India in the development journey.” Therefore, India has a lot to work on during this G20 summit. While it is clear that this year’s agenda will include ‘Food Security’ and ‘Energy Security’ due to the Russia-Ukraine War, India must also address the issue of Data Security and Data Localisation. India in 2020 at a G20 meeting said no to the idea of ‘Data Free Flow with Trust’.
The G20 was established in September 1999 as a forum of the Finance Ministers and Central Bank Governors of 19 major economies and the EU in the aftermath of the East Asian Financial Crisis of 1997. It was elevated to a Heads of State forum in 2008 at the initiative of then US President Bush in the wake of the global economic and financial crisis. G20 countries account for 85% of the global GDP, nearly 76% of global trade, and represent 64% (two-thirds) of the world’s population. As the world economy digitises more and more, we can imagine the huge amount of data that is being generated and will be generated in the times to come. According to an estimate, over 90% of all the data in the world was created in the last two years. This gives rise to the need for a global understanding of how to collect, store, protect, monetize and leverage data, and brings us to the debate of data localisation vs borderless data.
The concept of ‘Data Free Flow with Trust’ (DFFT) was introduced by Shinzo Abe for the first time at Davos, at the World Economic Forum 2019. Later in 2019, DFFT was made the centrepiece when Japan hosted the G20 leaders’ summit in Osaka. The Osaka Declaration on Digital Economy was made by 24 countries, including the USA, China, the EU, Russia, and Latin American and East Asian countries. However, India, Egypt, Indonesia and South Africa did not participate.
Shinzo Abe argued for a regime wherein we must be able to put our personal data, data embodying intellectual property, national security intelligence, and so on, under careful protection, while on the other hand, we must enable the free flow of medical, industrial, traffic and other most useful, non-personal, anonymous data to see no borders. He called this Data Free Flow with Trust (DFFT).
The argument was that the cross-border flow of data, information, ideas and knowledge will generate higher productivity, greater innovation, and improved sustainable development.
Piyush Goyal at a G20 meeting in 2020 said that India is not in a position to accept the concept of Data Free Flow with Trust (DFFT) as the concept of DFFT is neither well understood nor is comprehensive enough in the legislation of many countries. Moreover, in view of the huge digital divide among countries, there is a need for policy space for developing countries who still have to finalise laws around digital trade and data. Data is a potent tool for development and equitable access to data is a critical aspect for us. India, like many other developing countries, is still in the phase of preparing a framework for its data protection and e-commerce laws. Moreover, the existing regulations on which DFFT is sought to be premised, such as uninhibited cross border flow of data, are grossly inadequate to address our concerns on data access. This could further aggravate the digital divide, he added.
It was due to these reservations that India did not participate in the Osaka track in 2019.
India currently does not have a data protection law in place. The draft Data Protection Bill 2019 was pending in parliament for a long time and was recently withdrawn. The withdrawal came as a surprise, particularly after so much effort was put into it over the last five years. The sudden withdrawal indicates a desire in the top echelons of the government for a serious rethink on the shape and scope of data regulation. The genesis of this law was the K.S. Puttaswamy v. Union of India judgement, wherein the court held that the right to privacy had both a positive and a negative aspect. Positive, meaning that the state needs to take measures to protect the individual’s privacy. Thus, it became somewhat mandatory for the government to initiate the drafting of a data protection law. The growing importance of the digital economy and the consequent economic interests, coupled with security concerns, contributed to the contestations between the various stakeholders as the law was being deliberated. A law could limit intrusive data processing and also promote geopolitical, strategic or regulatory interests. But on the other hand, a poorly drafted law could legitimise certain intrusive practices.
The Government has suggested that it will come up with a comprehensive framework and will introduce multiple pieces of legislation to maintain some polycentricity in the governance of a complex digital economy.
Fifteen of the 19 G20 countries have full-fledged data protection laws; the exceptions are India, China, Saudi Arabia and the United States. India must come up with relevant legislation, and especially legislation that keeps in mind the use of data in international business and trade.
As India holds the G20 Presidency, it is for India to bring all countries onto common ground in the debate of free flow of data vs data localisation. As per the Information Technology and Innovation Foundation, data localisation laws have more than doubled from 2017 to 2021. Such laws allow governments and law enforcement agencies to work more efficiently but may act as a hindrance to global trade and increase the operational costs of businesses. India now has an opportunity not only to voice its own concerns more strongly but also to become the voice of other developing countries who have a problem with DFFT.
The data localisation requirements must be necessary and proportionate. Also, an absolute free flow may put the developing countries in a spot.
As of now most of the cross border data transfer is governed under individual bilateral “mutual legal assistance treaties”. Localisation will make it mandatory for companies collecting critical consumer data to store and process it in data centres present within a country. Based on the recommendations of the Justice Srikrishna Committee in 2018, the Reserve Bank of India (RBI) mandated companies dealing with data of various digital payment services to locally store and process sensitive data belonging to Indian users. Until then, most data from India was being stored on a cloud database outside the country.
Foreign firms are uncomfortable with localisation, as it would require them to spend money on infrastructure in the form of servers and buildings, and also on employing local professionals to manage it. There are also concerns that barriers to the free flow of data may hurt businesses by increasing the delays and costs of collaborative research or partnerships outside India.
The U.S. has in the past criticised India’s proposed norms on data localisation as ‘most discriminatory’ and ‘trade-distortive’. In September 2018, the EU said in its response to India’s data protection draft bill that “data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments”. The European Union’s General Data Protection Regulation (GDPR) does not mandate all data to be localised, but rather restricts flow to countries with a strong data protection framework.
Russia has the most restrictive regulation for data flow. Russian law mandates that data controllers store and update data collected from Russian citizens using Russian servers. The Chinese government mandates localisation for all “important data” held by “critical information infrastructure”, and all cross-border personal data transfers must undergo a security assessment. The United States regulates data state-wise and sector-wise. Canada and Australia are known to protect their health data very carefully.
The China-Russia model is focused on ‘localisation’. Personal data of Russian citizens must be kept in the country. Russia’s data localisation law also contains a provision that allows it to block websites that don’t process Russian data within the country. Therefore, even if India agrees to the free flow of data, the world will not be able to reap its benefits unless all countries come onto the same page. Moreover, security issues come to the forefront, particularly with respect to India and China.
While governments worry about national security and law enforcement issues, ordinary citizens expect their right to privacy to be upheld. The ‘Right to be forgotten’ (RTBF) gained importance after the 2014 decision of the Court of Justice of the European Union in the Google Spain case. The Supreme Court of India in Puttaswamy v. Union of India, 2017 said that the RTBF was a part of the broader right of privacy. The RTBF emerges from the right to privacy under Article 21 and partly from the right to dignity under Article 21. The concept of ‘RTBF’ is said to be still under development in India in the absence of any legislation.
Abe’s idea of DFFT does seem to address the concern of privacy at the surface, but more needs to be done to develop and understand this concept to suit the developing world’s needs. The concept of ‘Data Sovereignty’ might seem today to be absolutely opposed to the idea of Data Free Flow, but these two ideas can be developed further together to reach a common ground, and Shinzo Abe’s idea of DFFT would be a good place to start. Obviously, in doing so India needs to keep its security and economic interests at the forefront, but at the same time it may hear out the world as well. Legitimate trade and business concerns must be addressed for the mutual benefit of all.
A country like India, with a population of 1.3 billion, deserves to have some control over its data for the benefit of its citizens. Therefore, concerns over some data localisation requirements are not well founded. India should use its presidency at the G20 to try to bring major economies and the global south to a common ground. India must make sure that it works towards bridging the global digital divide and amplifies the voice of the developing world. Also, post-pandemic recovery requires that international trade and business become smooth. India has time and again repeated its vision of ‘Vasudhaiva Kutumbakam’, and this makes it the best candidate to create a consensus on the debate of data localisation. It is an opportunity for India to remind the world about its economic and security concerns. All countries leverage the unique resources they have to further their interests: OPEC countries use oil, the United States uses technological advancement and security capabilities, and Singapore uses its unique position on the Malacca Strait. It is therefore only logical and reasonable for India to look to make the best use of its demography, population, market and the consequent data generated to its benefit. As they say, data is the new oil. India can look into developing the concept of DFFT further by moulding it to address the developing world’s concerns while balancing the issue of international trade and business. All the minute details for any such understanding must be made clear during India’s Presidency, and India must aim to pass its own domestic legislation related to data protection and a comprehensive and exhaustive draft declaration on the free flow of data during its tenure of the G20 Presidency.
Anupam Jha is a Professor of Law at the University of Delhi and Mohd. Owais is pursuing an LL.B at the University of Delhi.