This is my Op-Ed piece published in the "February 2, 2020" issue of ORGANISER
****x****
A
report prepared by the cyber-security company, Innefu Labs, reveals
that around 1,079 Twitter accounts were created in Pakistan to spread
hate and propagate violence in India over the Citizenship Amendment
Act, 2019. The report showed that Pakistan is the hotspot for
disseminating fake content and anti-national sentiment aimed at
creating internal conflict, disrupting social harmony and
destabilizing government.
So,
questions that beg answers:
- Can inherent fault-lines and vulnerabilities in our socio-political edifice be permitted to be easily leveraged for hijacking the narrative; and, waging a proxy war against India using social media?
- Should bots, handles, hashtags and influencers overseas be recklessly allowed to derail the destiny of our nation founded after centuries of trials and tribulations?
No.
Never!
This
sets the context for examining the need for “data sovereignty”
laws in India.
Enduring
Concept of Sovereignty
“Sovereignty”
refers to the
exercise by any State of its supreme power and authority over a
distinct polity and territory. The legal tenets governing sovereignty
owe their origin to the Peace of Westphalia treaties signed in the
17th
Century and are applied when a new political order emerges in some
part of the world and an independent State is established. Thus,
notion of “sovereignty” of the State extends over people and
property; agents and authorities within its territories.
The
supreme authority that imbues
“sovereignty” is always derived from a widely acknowledged source
of legitimacy―
be it Divinity; conquest; hereditary succession; customary laws; act
of the comity of nations; or, a drafted Constitution. Regardless,
sovereignty is asserted as a legitimate claim to authority and the
ideal exercise of power for affording opportunity to all people to
achieve optimal good within the collective.
Sovereignty
and the Republic of India
In
post-colonial India, sovereignty is robustly manifested in our
Constitution, which has a potent framework for resisting hegemonic
forms of colonialism and imperialism. Our visionary founding fathers
were wary of diversity and divisiveness destroying the fabric of the
nation. Hence, they strove to subtly coalesce a pluralistic society
and unite its disparate populace without erasing the syncretic
character therein.
Our
nuanced Constitution vests sovereignty in the people, who have
transferred some of their powers to the Republic created with the
fervent hope and firm desire that a strong State would better protect
their individual rights and safeguard national interests. Therefore,
any legislative initiative, policy measure or regulatory formula has
to be viewed from the prism of balancing societal needs with personal
goals of citizenry.
Against
the backdrop of national imperatives being accorded paramountcy over
individual aspirations within our constitutional schema, the concept
of “sovereignty” is
witnessing renewed relevance in today's information age.
What
is data sovereignty?
There
is no singular articulation of the emerging concept of “data
sovereignty”, which refers to not only the right of natural persons
and juristic entities to manage the creation, storage, ownership and
application of their own data; but, also the power of sovereign
nations to govern and regulate the residency, collection and
transmission of such data.
The
term broadly denotes forms of independence, control and autonomy over
data creation, content sharing, information usage and electronic
transactions in a connected, border-less world and with ubiquitous
computing environments. Most crucially, it is about the
jurisdiction
where data resides;
the legal, regulatory, and tax rules to be adhered therein for
compliance purposes; and, the challenges thereof.
The
Internet revolution has afforded “anytime-anywhere-anyhow” data
access and information availability over secure networks and
heterogeneous computing resources. It has enabled the real-time
access, sharing and processing of data even across borders and over
mobile platforms. Data-driven insights can be generated
'on-the-cloud'
with greater flexibility and scalability than with 'exclusively
on-premises'
computing environments.
Thus,
several business needs, computing trends and emerging technologies
have brought the concept of 'data sovereignty' into sharp focus.
Data
Sovereignty in
contra-distinction
to
Data Colonialisation
In
on-premises computing,
data hosting in centralised repositories is the norm; so, data
gravity ensures residency (of data). It suffices to protect the
perimeter in
situ—
through the imposition of physical and virtual access controls,
restrictions and privileges to maintain secrecy, privacy and
confidentiality of data and information.
Per
contra
in cloud-based, network computing, data is stored in different places
and accessed globally; it navigates seamlessly across national
borders and geo-political boundaries and created border-less
workflows.
Territorial
sovereignty plays a dominant role in the conceptualization of data
sovereignty. The underlying assumption is that data, like tangible
assets and intangible properties, has a local or national 'home'.
Hence,
data sovereignty has evolved to mean the laws and governance
structures that apply to data collected and stored within; or, owned
and transferred by a country's citizens, regardless of where the data
resides, either within national borders or on servers elsewhere
around the world.
Overseas
Data Sovereignty Regulations
Several
countries and regions have data regulatory mechanisms in place―
examples include USA's
Patriot Act; EU's General Data Protection Regulation (GDPR); China's
Cyber-security Law; Brazil's General Data Privacy Law; Japan's
Personal Information Protection Act; Chile's Law for the Protection
of Private Life; and, so on.
Data
sovereignty laws are often difficult to interpret. For instance,
Chinese laws require localization of 'important data', which is
defined nebulously and often interpreted loosely. Other
countries, such as Germany, France and Russia, too have 'safe
harbour' provisions that mandatorily require data to be housed in
servers within their borders.
Many
nations, including the USA, have expanded the scope of evidence
discovery methods―
writ summons; subpoena processes; surveillance procedures; etc.
Despite concerns over 'ex
parte
orders' and 'gag
restrictions'
prohibiting public announcement of official demand for disclosure of
private data, these enactments are vital for intelligence
acquisition, criminal investigations, anti-terror operations and
counter-insurgency action.
Nevertheless,
such provisions
affect the legislative landscape of data sovereignty significantly.
They introduce new legal complications, business challenges and
compliance constraints for those wanting to share content across
locations and borders.
Regulatory
Regimes and Data Compliance Requirements
Privacy
and data-hosting laws and stringency thereof vary by country. The
need for adherence to ever-evolving compliance rules and real-world
regulations on the way data
is stored, shared and managed across
geographically dispersed data centers is mandatory.
Anyone infringing rules,
wittingly or unwittingly, faces penal action in most jurisdictions.
Therefore,
navigation through the “international legal maze” is daunting and
time-consuming. Further, benefits
are often tempered by the fear, uncertainty and doubt (FUD) of
complex and changing nature of data sovereignty. National data
protection laws act as roadblocks to adoption of cloud computing and
cross-border data storage.
Several
challenges are posed to managing the potpourri of data sovereignty
requirements for: (a) protecting data; (b) providing regulatory
access; (c) certifying data residency; (d) securing and safeguarding
data assets; (e) blocking malicious attacks; and, (f) complying with
current and emerging data privacy needs.
Compliance
frameworks must enable verification of how and where data is: (a)
stored, located and protected; and, (b) used, shared, accessed,
processed and consumed at any point. Law enforcement measures must
encompass data creators, custodians and consumers for employing good
governance to control data loss, erosion and corruption.
Data
Protection Laws in India
No
express,
comprehensive legislation exists in India to deal with data
privacy and protection.
Further, policy
mandates do not cover all stages in the data lifecycle— data at
rest; in use and transit; during creation, transport and processing;
and, on delivery. To prove compliance and meet evolving regulatory
demands, ability to demonstrate control over data at all points in
the content lifecycle is a sine
qua non.
Legal
concepts and normative constructs are entangled with the vision
treating data as a resource. Notions of data ownership and its
visualisation as property dominates public discourse. Data privacy
and autonomy of citizens too find mention in policy documents. The
government vision, as enshrined in policy drafts, imagines the State
as the sentinel of data sovereignty within India.
Industry
observers and watchdogs though allege that individual rights are not
fleshed out effectively in law and are often envisaged as subservient
to larger collective agendas like economic enrichment from data
mining and user profiling. Further, activists
are also apprehensive
of laws that afford authorities with unfettered data access.
Thus,
the myth of data sovereignty curtailing freedoms of people in India
is perpetuated. On top, it is fallaciously believed that people must
control the data they generate, if personal liberties, autonomy and
empowerment are to be genuinely facilitated.
No
doubt “red herrings” that must be assailed resoundingly.
Concluding
Remarks
Hostile
and inimical forces are eagerly conspiring to weaken and destabilize
the Indian Republic through covert means. Risk exists of political
exploitation of insights gained from data, specifically to manipulate
the outcome of elections. The monolithic, perhaps archaic Information
Technology Act, 2000 needs urgent revamping to deal with risks posed
by social data, viral media and transnational content.
Therefore,
India is well-advised to enact elaborate laws and adopting
comprehensive procedures to regulate the digital world and ubiquitous
data therein. Territorial integrity and national interests must serve
as guiding beacons for legislation on the subject, pretty much like
what the USA, Russia and China have done.
It
behooves legal activists and judicial luminaries among us to
remember that in the seesaw constituent-versus-community battle,
personal
privacy and individual liberties cannot transcend above or
subordinate public good,
societal
needs and
national interests.
Article
21 of the Constitution surely has a flip side. It casts a duty on the
State―
that of protecting and securing the rights to life and liberty
conferred on all constituents.
That
duty entails restricting mala
fide
acts and restraining malicious forces within and without!
Providing
homeland security and preserving our nationhood...are indeed
paramount!
***
x ***
