A report prepared by cyber security company, Innefu Labs, reveals that around 1,079 Twitter accounts were created in Pakistan to spread hate and propagate violence in India over the Citizenship Amendment Act, 2019. The report showed that Pakistan is the hotspot for disseminating fake content and anti-national sentiment aimed at creating internal conflict, disrupting social harmony and destabilising government.
So, questions that beg answers:
A) Can inherent fault-lines and vulnerabilities in our socio-political edifice be permitted to be easily leveraged for hijacking the narrative; and, waging a proxy war against India using social media?
B) Should bots, handles, hashtags and influencers overseas be recklessly allowed to derail the destiny of our nation founded after centuries of trials and tribulations?
This sets the context for examining the need for ‘data sovereignty’ laws in India.
Enduring Concept of Sovereignty
‘Sovereignty’ refers to the exercise by any State of its supreme power and authority over a distinct polity and territory. The legal tenets governing sovereignty owe their origin to the Peace of Westphalia treaties signed in the 17th century and are applied when a new political order emerges in some parts of the world and an independent State is established. Thus, notion of ‘sovereignty’ of the State extends over people and property; agents and authorities within its territories.
The supreme authority that imbues ‘sovereignty’ is always derived from a widely acknowledged source of legitimacy ― be it divinity; conquest; hereditary succession; customary laws; act of the comity of nations; or, a drafted Constitution. Regardless, sovereignty is asserted as a legitimate claim to authority and the ideal exercise of power for affording opportunity to all people to achieve optimal good.
Sovereignty and Nation
In post-colonial India, sovereignty is robustly manifested in our Constitution, which has a potent framework for resisting hegemonic forms of colonialism and imperialism. Our visionary founding fathers were wary of diversity and divisiveness destroying the fabric of the nation. Hence, they strived to subtly coalesce a pluralistic society and unite its disparate populace without erasing the syncretic character therein.
Our nuanced Constitution vests sovereignty in the people, who have transferred some of their powers to the Republic created with the fervent hope and firm desire that a strong State would better protect their individual rights and safeguard national interests. Therefore, any legislative initiative, policy measure or regulatory formula has to be viewed from the prism of balancing societal needs with personal goals of citizenry.
Against the backdrop of national imperatives being accorded paramountcy over individual aspirations within our constitutional framework, the concept of ‘sovereignty’ is witnessing renewed relevance in today's information age.
What is Data Sovereignty?
There is no singular articulation of the emerging concept of ‘data sovereignty’, which refers to not only the right of natural persons and juristic entities to manage the creation, storage, ownership and application of their own data; but, also the power of sovereign nations to govern and regulate the residency, collection and transmission of such data.
The term broadly denotes forms of independence, control and autonomy over data creation, content sharing, information usage and electronic transactions in a connected, borderless world and with ubiquitous computing environments. Most crucially, it is about the jurisdiction where data resides; the legal, regulatory, and tax rules to be adhered therein for compliance purposes; and, the challenges thereof.
The internet revolution has afforded ‘anytime-anywhere-anyhow’ data access and information availability over secure networks and heterogenous computing resources. It has enabled real-time access, sharing and processing of data even across borders and over mobile platforms. Data-driven insights can be generated 'on-the-cloud' with greater flexibility and scalability than with 'exclusively on-premises' computing environments.
Thus, several business needs, computing trends and emerging technologies have brought the concept of 'data sovereignty' into sharp focus.
Data Sovereignty in contra-distinction to Data Colonialisation
In on-premises computing, data hosting in centralised repositories is the norm; so, data gravity ensures residency (of data). It suffices to protect the perimetre in situ— through the imposition of physical and virtual access controls, restrictions and privileges to maintain secrecy, privacy and confidentiality of data and information.
Per contra in cloud-based, network computing, data is stored in different places and accessed globally; it navigates seamlessly across national borders and geo-political boundaries and creates borderless workflows.
Territorial sovereignty plays a dominant role in the conceptualisation of data sovereignty. The underlying assumption is that data, like tangible assets and intangible properties, has a local or national 'home'. Hence, data sovereignty has evolved to mean the laws and governance structures that apply to data collected and stored within; or, owned and transferred by a country's citizens, regardless of where the data reside, either within national borders or on servers elsewhere around the world.
Overseas Data Sovereignty Regulations
Several countries and regions have data regulatory mechanisms in place―examples include USA's Patriot Act; EU's General Data Protection Regulation (GDPR); China's Cybersecurity Law; Brazil's General Data Privacy Law; Japan's Personal Information Protection Act; Chile's Law for the Protection of Private Life and so on.
Data sovereignty laws are often difficult to interpret. For instance, Chinese laws require localisation of 'important data', which is defined nebulously and often interpreted loosely. Other countries, such as Germany, France and Russia, too have 'safe harbour' provisions that mandatorily require data to be housed in servers within their borders.
Many nations, including the USA, have expanded the scope of evidence discovery methods― writ summons; subpeona processes; surveillance procedures; etc. Despite concerns over 'ex parte orders' and 'gag restrictions' prohibiting public announcement of official demand for disclosure of private data, these enactments are vital for intelligence acquisition, criminal investigations, anti-terror operations and counter-insurgency action.
Nevertheless, such provisions affect the legislative landscape of data sovereignty significantly. They introduce new legal complications, business challenges and compliance constraints for those wanting to share content across locations and borders.
Regulatory Regimes and Data Compliance Requirements
Privacy and data-hosting laws and stringency thereof vary by country. The need for adherence to ever-evolving compliance rules and real-world regulations to the way data is stored, shared and managed across geographically dispersed data centers is mandatory. Anyone infringing rules, wittingly or unwittingly, faces penal action in most jurisdictions.
Therefore, navigation through the ‘international legal maze’ is daunting and time-consuming. Further, benefits are often tempered by the fear, uncertainty and doubt (FUD) of complex and changing nature of data sovereignty. National data protection laws act as roadblocks to adoption of cloud computing and cross-border data storage.
Several challenges are posed to managing the potpourri of data sovereignty requirements for: (a) protecting data; (b) providing regulatory access; (c) certifying data residency; (d) securing and safeguarding data assets; (e) blocking malicious attacks; and, (f) complying with current and emerging data privacy needs.
Compliance frameworks must enable verification of how and where data is: (a) stored, located and protected; and, (b) used, shared, accessed, processed and consumed at any point. Law enforcement measures must encompass data creators, custodians and consumers for employing good governance to control data loss, erosion and corruption.
Data Protection Laws in India
No express, comprehensive legislation exists in India to deal with data privacy and protection. Further, policy mandates do not cover all stages in the data lifecycle— data at rest; in use and transit; during creation, transport and processing; and on delivery. To prove compliance and meet evolving regulatory demands, ability to demonstrate control over data at all points in the content lifecycle is a sine qua non.
Legal concepts and normative constructs are entangled with the vision treating data as a resource. Notions of data ownership and its visualisation as property dominates public discourse. Data privacy and autonomy of citizens too find mention in policy documents. The government vision, as enshrined in policy drafts, imagines the State as the sentinel of data sovereignty within India.
Industry observers and watchdogs though allege that individual rights are not fleshed out effectively in law and are often envisaged as subservient to larger collective agendas like economic enrichment from data mining and user profiling. Further, activists are also apprehensive of laws that afford authorities unfettered data access.
Thus, the myth of data sovereignty curtailing freedom of people in India is perpetuated. On top of it, it is fallaciously believed that people must control the data they generate, if personal liberties, autonomy and empowerment are to be genuinely facilitated.
No doubt ‘red herrings’ that must be assailed resoundingly.
Hostile and inimical forces are eagerly conspiring to weaken and destabilise the Indian Republic through covert means. Risk exists of political exploitation of insights gained from data, specifically to manipulate the outcome of elections. The monolithic, perhaps archaic Information Technology Act, 2000 needs urgent revamping to deal with risks posed by social data, viral media and transnational content. Therefore, India is well-advised to enact elaborate laws and adopting comprehensive procedures to regulate the digital world and ubiquitous data therein. Territorial integrity and national interests must serve as guiding beacons for legislation on the subject, pretty much like what USA, Russia & China have done.
It behooves legal activists and judicial luminaries among us to remember that in the seesaw constituent-versus-community battle, personal privacy and individual liberties cannot transcend above or subordinate public good, societal needs and national interests.
Article 21 of the Constitution surely has a flip side. It casts a duty on the State― that of protecting and securing the rights to life and liberty conferred on all constituents. That duty entails restricting mala fide acts and restraining malicious forces within and without! Providing homeland security and preserving our nationhood...are indeed paramount!
(The writer is a lawyer and columnist)