Story Highlights

• Policymaking often happens in silos with different regulators and departments sometimes working at cross purposes. However, in this case, they seem to be speaking from a similar script.
• The broad trends visible across all of these initiatives and announcements are hard to ignore, and they could mark a major shift in policy and outlook.
• These signals emanate from multiple wings of the government, including the ministries of electronics & IT, communication, commerce, finance, RBI, and, of course, the security establishment.

The last three weeks have seen a surfeit of policy announcements and leaks, all of which point in the direction of a new, concerted strategy from the Indian government on data, cross-border information flows, and content control. Policymaking often happens in silos with different regulators and departments sometimes working at cross purposes. However, in this case, they seem to be speaking from a similar script, which raises some interesting questions. Is there high-level coordination? Is it instead, a meeting of minds – a shared realisation that these are ideas whose time has come? Is there a coherent policy objective?

Before reading the tea leaves, a quick listing of policy decisions of the last four months:

April 6: The Reserve Bank of India issued a notification requiring all payments-related data to be stored only in India. This hard data localisation requirement seemingly came out of the blue and has subsequently been the subject of intense lobbying. It appears a compromise will be reached after the ministry of finance’s intervention, which will require only a copy of such data to be stored in India – commonly known as mirroring. Mirroring will still come with significant costs and potential technical changes for some players but without some of the more serious disruption that would be caused if this data were completely prevented from flowing out of India. Mirroring would also fulfil the RBI’s requirement for access to payments data, the avowed policy objective behind the notification.

July 18: The ministry of communications wrote to all telcos in India asking for their inputs on how to “block certain mobile applications” such as “Instagram/Facebook/WhatsApp/Telegram”.

July 26: Ravi Shankar Prasad, the minister of IT told Parliament that the Information Technology Act needs to be “revised and reinforced” by “strengthening the implementation aspects of Section 79” (which deals with intermediary liability and safe harbour). He went on to call for social media companies to have a physical presence in India, be subject to Indian legal proceedings, and ensure better attributability of messages.

July 27: The Justice Srikrishna committee submitted its report and the draft Personal Data Protection Bill, 2018 to the government. The report (in pages 82-97) examines in some detail the arguments for and against various forms of data localisation and the draft Bill in Section 40 contains a comprehensive data localisation requirement, including mirroring of all personal data in India and a hard data localisation requirement in respect of “critical” personal data (left to be defined in the future), which can only be processed and stored in India. Needless to say, the mirroring of all personal data is a significant step that will affect companies of all sizes. What is also interesting is the inclusion of Section 40(3) in the draft Bill, which allows the government to exempt certain categories of personal data from the mirroring requirement in the interests of “necessity or strategic interests of the State”. Based on the report as well as the wording of this provision, it appears to exist to facilitate bilateral agreements between the Indian and foreign governments to ease the flow of data in certain cases.

July 30: Reports emerged based on a leaked copy of the draft national e-commerce policy, which indicated that the policy would have extensive provisions related to data localisation, data sharing, and data portability. A more detailed analysis reveals the following:

– Localisation of Indian user data: A hard data localisation requirement in respect of “data generated by users in India from various sources including e-commerce platforms, social media, search engines etc.”, possibly with a 2-year period for compliance.
– Incentivising data centres: Tied in with the data localisation requirement is the objective of promoting Indian data centres through tax breaks and better infrastructure.
– Government access: “The Government would have access to data stored in India for national security and public policy objectives subject to rules related to privacy, consent etc.”
Data sharing: “Data stored in India should be shared with startups meeting the stipulated criteria (turnover of Rs.50 crore etc.).”
– Data portability: “At the request of the consumer, data generated by her in India through various channels, including e-commerce platforms, social media, search engines etc. would be allowed to be portable amongst platforms in India.”
Encryption: “The creation of innovative digital products within India would be promoted, including by fast tracking work on the National Encryption Policy.”
– Intermediary liability: “Exemption from liability given to Intermediaries under Section 79 of the IT Act would be revisited and suitably modified.”
– International trade negotiations: “Policy space for granting preferential treatment to digital products created within India would be retained” and “policy space to impose Customs duties on electronic transmissions in the future would be retained”.
– Source code disclosure: “The grounds for seeking disclosure of source code to government would be expanded to include situations of unfair trade practice, fraud, and compliance with domestic regulatory requirements” and “policy space to seek disclosure of source code would be retained, by not taking any commitments on this issue in international trade negotiations”.

August 1: It was reported that WhatsApp had been asked to set up a presence in India and recruit a local team, prior to being given permission for a full launch of its payments service.

August 4: A report emerged that a panel headed by Infosys co-founder Kris Gopalakrishnan and tasked with framing a cloud policy, was planning to recommend “localisation of cloud data and any data that is stored about Indian entities or data generated in India”. It reportedly goes on to say that this data “must be available for investigative agencies and national security agencies” and “Indian legal and policy frameworks must focus on ensuring that data generated from India can be utilised for the benefit of Indian citizens, governments and private players”.

The game afoot in the world of data

The broad trends visible across all of these initiatives and announcements are hard to ignore, and they could mark a major shift in policy and outlook.

India has so far been a party to, and a beneficiary of, the loose global compact that keeps the internet largely open and borderless. Despite an ill-fated dalliance with the possibility of ‘UN control’ of the internet in 2011-12, a spell of playing hard-to-get during the US-backed ‘IANA transition’ in 2014-16, and periodic statements at BRICS summits that echo some of China’s and Russia’s views about the internet, India has largely refrained from enacting policies that detract from the original conception of what constitutes internet freedom. India has repeated in many forums its endorsement of a ‘multistakeholder’ model of internet governance, and the beneficial effects of an internet without barriers for the economy and civil rights. The Indian legal framework has largely allowed for permissionless innovation, guaranteed intermediaries ‘safe harbour’, and facilitated the free flow of data across borders.

These recent developments are remarkable for a number of reasons and could lead to unprecedented change. In the past, India has made threatening noises under many administrations with respect to cracking down on internet freedoms, without following through. But this time appears to be different.

First, these signals emanate from multiple wings of the government, including the ministries of electronics & IT, communication, commerce, finance, RBI, and, of course, the security establishment. The Indian government is not a monolith and is usually characterised by healthy internal disagreements – with controversial policies championed by one department or ministry being balanced by countervailing proposals from others. That does not appear to be the case here so far. It will also be interesting to see what the Telecom Regulatory Authority of India has to say on these issues, particularly in the context of its anticipated consultation on ‘over-the-top’ services that could potentially explore the possibility of licensing some online services.

Second, there is a section of ‘Indian’ industry which is clearly promoting its interests, as is evident from reports about the role played by Reliance in the context of the e-commerce policy and Paytm in the context of the RBI’s payments data localisation circular. Also, India now has an influential and determined indigenous voice in policy circles in the form of the Bengaluru-based think/do tank iSPIRT, which does not mince words when it says that India “runs the risk of either being a Digital Colony of the West or being overrun by the Digital Invasion of the Chinese”. It’s also interesting to note that the cloud policy is being steered by Kris Gopalakrishnan, a senior and experienced figure in Indian industry.

Third, the world in 2018 is showing strong signs of weariness with the gap between the avowedly optimistic and buccaneering spirit of the internet, and the current reality which includes heavy concentrations of market power and data, and the increasingly negative effects the online world is having on the offline world. It is also becoming harder to convince governments to view the internet as an enabler of fair trade and not to view cross-border data flows as a zero-sum game.

Fourth, while it is trite to point out, India currently has a nationalist party in power whose policies swing to the right on social and law enforcement issues and hard left on some economic issues, and which is not afraid to use its strong Parliamentary majority to intervene in the free market. That complex reality is reflected in the various motivations behind these current moves on data and internet regulation. At the same time, we have a relatively weak, and highly distracted, US administration which may struggle to execute its regular business-diplomacy tango and bring adequate firepower to bear on the problems posed to big US business.

Fifth, while it still remains to be seen if there is a high-level game plan on the issue of data localisation, between the various players involved they have thrown everything and the kitchen sink at it in terms of justifications – law enforcement access to data, effective enforcement of data protection laws, creating a level playing field for Indian startups, fixing vexed competition issues in the internet platform market, promoting Indian data centre growth, and limiting foreign surveillance. This means that no one argument will work as a rebuttal. But it also betrays the possibility that there hasn’t been a clear assessment internally of whether policies such as data localisation will actually achieve the intended effects. This is something that will require detailed economic, technical, and policy research, which don’t appear to have been conducted. It is also useful to remember that India is not China, even if some Indian policymakers have a grudging admiration for China’s ability to enforce the government’s writ online. China’s Great Firewall (combined with its disincentives against foreign internet businesses and system of licences and permits) was not built in a day. It is the result of clarity of thought and policy execution going back decades, combined with a profound lack of economic and personal freedoms that is thankfully quite distinct from India. Indian security hawks looking to emulate China’s iron grip over the internet will have to face this sobering reality.

There’s no denying, though, that this time things are different. The regular playbook of the beneficial economic effects of the open internet and its importance for personal freedom and human rights will likely see diminishing returns if used to push back against these efforts. Everyone involved will need to go back to first principles and take a cold, hard look at what works in whose favour and how to achieve a win-win. The dream of the open internet is far from dead, but it needs a reality check and an injection of new ideas in India if it is to evolve.

---