The long-awaited data protection bill was introduced by the Bharatiya Janata Party-led Government in the Lok Sabha on 11 December. Immediately, the Personal Data Protection Bill, 2019 (PDP 19) ran into controversy.
The principal bone of contention is the power the proposed law gives the government to allow law enforcement agencies and authorised third parties to access citizen data to investigate crimes faster, with seemingly total exemption from any legal obligations.
The agencies do not need any permission from any court or have to cite any specific criminal investigation to access the personal data of any Indian.
This obviously has led to fears of misuse. Justice B.N. Srikrishna, the chief architect of the first draft bill, which did not give government this untrammelled power, said these exemptions for government agencies can be “disastrous” and that this can turn India into an “Orwellian State”.
The law also seems to fly in the face of the 2017 Supreme Court judgement, which upheld the right to privacy as a fundamental right. The bill has now been referred to a Joint Parliamentary Committee.
What has, however, gone mostly unnoticed in India, is that on 19 February, the European Commission (EC), the executive body of the European Union (EU), released a far-reaching document titled A European Strategy For Data.
The paper outlines the way the EC wants the 27-country economic coalition to move over the next five years, in a world where data could be simultaneously the most valuable commodity, currency, enabler and socio-economic development tool, and the most lethal weapon.
Why EU Matters
The document is significant for two reasons. One, much of the world’s data now resides in the “cloud”, massive server farms, but three-quarters of the cloud is owned by four companies three American and one Chinese.
Both the US and China have laws that can give their governments access to the data stored on their companies’ servers in fact, China can access the data at will. This extreme asymmetry can have serious consequences.
Two, the EU has led the world in matters of data privacy and security. Its landmark 2016 General Data Protection Regulation (GDPR) serves as a guide for the world’s lawmakers. India’s PDP 19 bill, for instance, has clearly relied on the GDPR for definitions of and transfer restrictions on personal data.
So the EC’s data strategy, though it is focused on European interests, could be valuable to countries across the globe trying to protect themselves and thrive in what the document calls, “the data-agile economy”.
The EC is calling for nothing short of a European common data market, like its economic common market. Digital Europe and its laws, the EC says, should reflect the best of European, fair, diverse, democratic, and confident.
The EU should not compromise on its principles, it asserts all companies which sell goods or services related to the EU must respect EU legislation and this should not be compromised by jurisdictional claims from outside the EU.
The strategy lays great emphasis on correcting the imbalance caused by the vast amounts of data collected by the Big Tech companies, and on helping European small and micro enterprises (SME) to grow to their potential.
This would entail both legislative actions to level the playing field and creating conditions for a local cloud services marketplace to grow, where competition is fair and innovation is not stifled by entrenched and non-European muscle power.
“The EU has the potential to be successful in the data-agile economy,” reads the document.
“It has the technology, the know-how and a highly skilled workforce. However, competitors such as China and the US are already innovating quickly and projecting their concepts of data access and use across the globe… In order to release Europe’s potential we have to find our European way.”
Now, just replace “EU” and “Europe” in that statement with “India”. There is much in the document from the current situation to a specific strategy that is equally applicable to India.
How Things Stand
The world produced 33 zettabytes of data in 2018 (one zettabyte = one trillion billion bytes, that’s 21 zeroes). This is expected to go up to 175 zettabytes in 2025. This ranges from the emoji you sent as a response to a WhatsApp joke, to your biometrics, which, if they fall into the wrong hands, could be potentially catastrophic.
The global public cloud infrastructure market was worth $214.3 billion in 2019, according to research firm Gartner, which estimates it to grow to $333.1 billion by 2022. But a stunning 75% of this market is owned by four companies Amazon, Microsoft, Alibaba and Google.
Amazon alone controls 48%. This is unbelievable power in the hands of a few
It not only makes the rest of the world (whether EU or India) almost entirely dependent on foreign providers, and vulnerable to external data threats, but also with little investment potential for an indigenous data processing industry.
While any data stored by Chinese companies can be accessed by the government, the US passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018, which allows federal law enforcement agencies to compel American tech firms to provide them with stored data for a customer or subscriber on any server they own and operate, even data stored on foreign soil.
The CLOUD Act does have safeguards, for instance, companies or courts can challenge or reject a request on certain grounds. But the EU has expressed strong reservations because it seems to clash directly with its GDPR.
The EC strategy document says that it is working on an “EU-US Agreement to facilitate cross-border access to electronic evidence, alleviating the risk of conflict of laws and establishing clear safeguards for the data of EU citizens and companies”.
But, among these challenges also lie opportunities that can be seized. A large part of the data of the future will come from industrial and professional applications, and areas of public interest, be it health, environment or education.
As the Internet of Things becomes a part of our daily lives, entirely new vistas could open up, especially in areas such as cloud at the edge, where data processing takes place close to the user.
No techno-savant, however many viral TED talk videos he may have racked up, can foretell the coming transformation with full confidence. Says the EC: “These trends indicate that the winners of today will not necessarily be the winners of tomorrow. But the sources of competitiveness for the next decades in the data economy are determined now. This is why the EU should act now.”
The Way Forward
Each new wave of data represents major opportunities for the EU to become a world leader in this area,” says the EC.
“Furthermore, the way in which data is stored and processed will change dramatically over the coming five years.
Aside from the economic and sustainability advantages that this development presents, it opens up additional opportunities for businesses to develop tools for data producers to increase control over their own data.”
So what does the EC want to do? One, it will continue to closely monitor Big Tech. It is analysing “the role of data in creating or reinforcing imbalances in bargaining power and the way these companies use and share the data across sectors”.
Once that is done, the EC “will consider how best to address systemic issues related to platforms and data, including by ex-ante regulation if appropriate, to ensure that markets stay open and fair”.
(Ex-ante regulation seeks to foresee problems and shape stakeholder behaviour through pre-emptive intervention.)
Two, build a thriving ecosystem of private actors to create economic and societal value from data. The EC sees startups and scale-ups playing a key role here.
But for this to happen, these SMEs need help. So the EC plans to invest in a “High Impact Project” that will fund infrastructures, data-sharing tools, architectures and governance mechanisms for data-sharing and artificial intelligence ecosystems, addressing specific needs of industries in the EU.
Three, facilitate the setting up of a cloud services marketplace for EU users.
If the EU has a supply-side problem in the non-EU oligopoly in the cloud services market, it also has a demand issue in low cloud uptake in the public sector and among SMEs.
This leads to less efficient public services, and lower productivity and competitiveness. In other words, it’s in the same boat as India.
The EC believes this marketplace will be particularly useful for the public sector and SMEs, which may not be so tech-savvy. Only companies vetted on parameters like data protection, security, data portability and energy efficiency, will be allowed to sell their products.
Conversely, since the public sector demand should be high, it will be able to support the marketplace, thus giving a chance for smaller providers to grow.
Four, the long-term strategic intent is to shift the centre of gravity of the global data economy and make the EU an attractive site for the storage and processing of data from all over the world.
The EC plans to measure the flow of data, both within the EU and between the EU and the rest of the world and put an economic value to it. It will then attempt to leverage this commercial heft along with its talent pool to get international data services investment.
The EC strategy document is clear about the EU’s unique selling proposition: “the EU’s fundamental values, including protection of privacy”.
It will ensure the free and safe flow of data across the planet, without prejudice to the EU’s framework for the protection of personal data “an open but assertive international data approach based on (the EU’s) values”.
In parallel, the EU will actively promote its standards and values. It will work in multilateral fora to fight abuses such as the disproportionate access of governments to data, for instance, access to personal data that is not in line with the EU’s data protection rules.
In particular, the EC notes an opportunity to “support Africa in creating an African data economy for the benefit of its citizens and businesses”.
What India Can Learn
Whether the EC will be able to achieve its ambitions is a question that only time can answer. Acrimony among the EU member-states has been rising over the past few years, on issues ranging from contributions due to and from members, and corruption charges, to migrants and participation in China’s Belt & Road Initiative.
No one particularly likes the amount of clout that Germany and France wield. However, the EC’s strategy document can be of great value to India.
The European scenario it describes the current situation, challenges, opportunities and potential—is almost exactly the same as India’s. The strategy it proposes can be easily adapted for the Indian context.
In fact, while the EC can only talk right now about goals like helping create an African data economy, India already has all the tools in place.
In June last year, the government had spoken about Russia and several countries in Africa and West Asia showing interest in building Aadhaar-like systems. Was any progress made on this?
The Unified Payments Interface (UPI) is acknowledged as the world’s best digital financial transaction service. In December, Google wrote to the US Federal Reserve to look at UPI to build FedNow, its new interbank settlement system. Have we followed up on that?
While India evolves the regulations we need on data localisation and transfer, and non-India-based tech companies, expectedly, complain, why can’t we set our sights slightly higher than just keeping our data within India’s borders, to making India a hub for the global data economy?
India has all that is required, from connectivity to talent pool. Sure, Europe scores as it can tout its “European values” of liberal democracy and individual rights.
But in reality, other than in North and Western Europe, how many of its 27 member-states do actually have a real functioning liberal democracy?
The data economy offers a big opportunity for India. But the government giving itself the power to access all personal data without due process is definitely not going to help grab it.