The 2019 G20 Summit held in Osaka marked a watershed moment for India’s posture on cross-border flows of digital data. Resisting a US- and Japan-led proposal on the free flow of data across borders, India presented itself as a distinct voice in global tech governance — one with its own interests to advance.
Along with Indonesia and South Africa, the South Asian giant opposed the Japan-led “Osaka Track” proposal, introduced by Prime Minister Shinzo Abe. “The Osaka Track” is an overarching digital economy cooperation framework that promotes the free flow of data across borders and seeks to remove the prohibitions on data localization. Data localization is the idea that data generated by a country has to be stored (and in some cases, processed) within the borders of the country. By storing data locally, digital companies cannot transfer data generated from a particular jurisdiction to somewhere else for further data mining, therefore putting in place a limit on the further commercial value that can be derived from the data. India’s apparent resistance to the Data Free Flow with Trust principle underlying the Osaka Track signalled a greater interest in data localization as a means of reaping the benefits of datafication and supporting the growth of domestic tech. As one of the fastest-growing digital economies with a rich pool of raw data to work with, India recognizes the untapped potential of its wealth of data and that protecting local data from non-Indian tech giants is also protecting the interest of indigenous tech companies.
We recently examined the evolution of Indian digital governance in a chapter for the Stanford Cyber Policy Center’s book project exploring how digital technologies and digital regulations uniquely affect emerging countries. Focusing on India and Brazil, we set out to identify forms of techno-nationalism and techno-authoritarianism that have emerged in the background of the modern rush for digital governance. As India and other emerging technology powers introduce techno-nationalist policies, including those introduced in the name of protecting access to digital data, a troubling trend emerges: policies nominally intended to regulate digital life and trade are being co-opted for techno-authoritarian aims.
In the case of India, where the central government has not shied away from tactics such as digital surveillance, internet shutdowns and mass collection of biometric data, a data protection regime that exempts the government from compliance further expands the digital power of the state and minimizes checks and balances.
Indian support for data localization, signalled in Osaka, has also emerged in the country’s attempts at domestic digital governance. Prior to 2018, India’s digital economy was primarily governed by the Information Technology Act of 2000. In 2018, the Indian Personal Data Protection Bill (PDPB) was introduced as an equivalent to the well-known EU General Data Protection Regulation (GDPR). The initial 2018 draft of the PDPB included strong provisions for data localization, requiring that at least a copy of all personal data be stored in India, and that “critical personal data” be stored and processed in data centres located in India. This signals that data localization has been a central pillar of considerations in India’s data regulation debate.
Government exemptions from data protection rules and far-reaching access to data have been ushered in rapidly, under the umbrella of data protection, and codified in the name of data governance.
The law underwent four different drafts over five years thanks to electoral cycles and inconclusive public and legal debates. India finally passed the Digital Personal Data Protection (DPDP) Act in August 2023. And the approach to localization appears more liberal than in its previous drafts. For example, there is no blanket requirement for the central government to approve data transfers to other countries; instead, the law imposes government guidance on transfers of personal data outside India, allowing most data to be transferred out of India unless specifically prohibited by the government. However, while the law is less stringent than anticipated, other elements of the act warrant concern.
For example, as it stands today, the DPDP Act lacks specific timelines for the issuance of rules and notifications. Instead, the central government has the power to bring into force different provisions on different dates. This allows substantial aspects of the law to be set out in subordinate legislation controlled by Prime Minister Narendra Modi’s government and the Parliament. Other elements of the act, including exemptions from provisions intended to protect data, further grant unfettered government access to digital data.
In addition, the DPDP Act grants the state and government agencies broad exemptions from complying with the law, including a blanket exemption on grounds of national security and public order.
The central government can also direct the Data Protection Board of India — the adjudicatory body with the power to investigate complaints based on the act and to issue penalties — to request access to any information from entities that process personal data.
Further, the act allows the Indian government to access the information obtained by the board. That raises questions about the board’s independent ability to enforce the act without politicizing it. Furthermore, the central government can issue blocking orders to a government agency or intermediary to prevent a data fiduciary (an entity that determines how personal data is processed) from offering goods or services to data principals (a natural person to whom the personal data belongs) within India (that is, citizens).
While the localization provisions of India’s domestic data rules have drawn the greatest interest, less attention has been paid to other risks inherent in this legislation. Government exemptions from data protection rules and far-reaching access to data have been ushered in rapidly, under the umbrella of data protection, and codified in the name of data governance. The need for urgent domestic rules on data has, in turn, been framed as a means of preventing data exploitation and keeping India competitive. The argument has been framed in distinctly techno-nationalist rhetoric.
This pairing of the techno-nationalist push for new digital data regulations with the expansion of government control and access to data is cause for serious concern: it grants the Indian government tools for exercising increasingly techno-authoritarian behaviour. This reality is especially concerning in a context of democratic backsliding and increased authoritarian tendencies. From targeted internet shutdowns during the 2020–2021 farmers’ protests and the order to remove dissenting voices from X (formerly Twitter), to the proposing of rules that would require the WhatsApp messaging service to forgo its end-to-end encryption and share user data with the government, and the possible use of Pegasus spyware against political rivals, the Modi administration is no stranger to techno-authoritarian moves.
Whether inadvertent or intentional, the creation of techno-authoritarian tools is a serious threat to democracy. As we have argued, civil society should be wary of digital tools that reinforce state power, can be manipulated for authoritarian ends, and are institutionally embedded and hard to remove, once in place.