The seduction of data sovereignty in India

by Nayantara Ranganathan

As currently conceptualised in India, data sovereignty threatens Indians’ individual sovereignty, undermines citizen rights, and is a lost chance to meaningfully grapple with data colonisation, argues Nayantara Ranganathan in this column, originally published in the Hindustan Times on 26 August 2019. The column is the last in a four-part series on data governance in India by the Data Governance Network.

“Data is a sovereign asset,” said the Union minister of railways and commerce, Piyush Goyal, at the G20 meeting in Japan. Goyal was against using free trade agreements to justify the free flow of data. Instead, he said, government restrictions on data flows would allow India to be able to use “personal, community and public data” generated in the country towards the welfare and development of its people.

Undeniably, data sovereignty is an attractive concept. Anyone familiar with the business models of companies like Facebook, Google and Amazon would have an uneasy feeling about the extent of access these companies have to our behaviours and habits, and the magnitude of value they have amassed from the promise of this data. Their growing power creates not just concerns of privacy, but extends to encroaching public infrastructure functions like transport, health care and finance, often bulldozing local interests. Pit this against the challenges of unemployment, and the worldwide rush by regulators to make amends to the asymmetry of power between companies and people, and data sovereignty looks like a seductive proposition.

But how much do the people of the country really have to gain from the government’s flavour of data sovereignty? At first blush, the concept has an anti-colonial ring. But a closer look reveals that the government’s approach to data sovereignty simply replaces foreign companies reaping benefits from technological solutionism with Indian companies, while leaving the dangers created by data extractivism for Indian people intact.

Indeed, if resisting data colonisation was really the issue, a broader and more thoughtful frame would need to be adopted — one that acknowledges the colonisation inherent in the intensified datafication of people and things, in the seamless facilitation of these data flows to private interests and the State, as well as in the unquestioned adoption of the Silicon Valley narrative that data is an objective truth-teller. As long as these conditions remain unchanged, treating data as a sovereign asset takes away from individual rights over data, and trades them away for a higher GDP figure and greater State control. What follows are examples to illustrate the unhelpful frame of State sovereignty over data. Two notable instruments that animate the State’s vision for data sovereignty are the draft e‑commerce policy and the Personal Data Protection bill.

The data protection bill proposes a horizontal data localisation requirement, meaning that anyone systematically dealing with the personal data of Indians would have to store a copy of that data within the country. Such a measure would heighten and consolidate the access to data by the government for surveillance, while also reducing the range of options available for an individual to choose services on the Internet, creating a very real trade-off between state sovereignty over data and individual autonomy and choice.

While many parts of the e‑commerce policy are worthy of attention, its creative categorisation of data is a cause for concern. The policy proposes a separate class of data called “community data”. This is an important conceptual step that holds promise for thinking about a more collective approach to data ownership and management. Unfortunately, the policy uses community data as a means to automatically achieve data sovereignty vesting in the State. By conflating data belonging to the people of the country with data belonging to the country itself, the policy makes individual rights and collective interests subservient to an abstract national interest. It also ignores the fact that different groups necessarily have different and often conflicting interests.

There are alternative conceptions of sovereignty that aim to bring back control and autonomy to people. These conceptions provide a framework within which there is a possibility to articulate questions about the agency of the individual, and of collective interest. Without this, our experience of technologies is a choice between being tied to the exploitation by big tech companies, or being content with the tightening grip of the State over our data. The State does, however, have a role in enabling an exercise of individual or collective sovereignty through several concrete regulatory measures: through positive actions like instituting strong encryption policies and requiring the adoption of open source software in governance functions, as well as through abstaining from restricting data flows resulting in the restriction of choices.

So far, the government’s conception of data sovereignty seems to mostly amount to an assertion of power over foreign companies and an attempt to gain a competitive advantage, vying to be leaders in artificial intelligence, while also strengthening control over the citizenry. However, it threatens the possibility of individuals’ exercise of sovereignty, undermining the rights of the citizens, and is a lost chance to meaningfully grapple with data colonisation.