India's Non-Personal Data (NPD) framework

India's Non-Personal Data (NPD) framework

Knowledge repo, archives and collaborations

Arindrajit Basu


Will the Non-Personal Data report enable India to shape and benefit from global data rules?

Submitted Jan 20, 2021

The Report of the Committee of Experts on Non Personal Data has rightly been touted as the first global attempt of its kind to create an overarching governance framework for non-personal data speared ahead by the principle of “sovereignty.” This talk attempts to unpack what role the recommendations in this (revised) report and India’s approach to non-personal data governance more broadly means for the global political landscape on data governance, and how it can burnish or diminish India’s ability to leverage rules for strategic benefit and the championing of citizen interest.

The Report of the Committee of Experts on Non Personal Data has been touted as the first global attempt of its kind to create an overarching governance framework for non-personal data speared ahead by the principle of “sovereignty.” The report and its revised version marked the culmination of several political processes and was shaped by the strategic interests of a variety of domestic stakeholders-looking to both shape and benefit from global data governance rules. This talk attempts to unpack what role the recommendations in this report and India’s approach to non-personal data governance more broadly means for the global political landscape on data governance. It first covers the rules presently being negotiated at international fora such as the World Trade Organisation, and how this report is likely to shape India’s negotiating stances at these fora. A key additional question is whether the recommendations of this report are in line with existing obligations India has signed upto under international law.It then considers the politics of the global ecosystem on data governance by looking at governance frameworks being emerging from other jurisdictions-specifically focussing on the role various industry stakeholders and civil society groups have played in shaping and engaging with international law. Are there lessons India can take from other actors in this global ecosystem? It then zeroes in on various aspects of the report that may specifically impact or inspire global approaches while also unpacking the implications it may have for the continued free-flow of cross border digital trade and commerce. Do the recommendations in the report augment or diminish India’s role as an aspiring shaper of global data rules ? Does it burnish India’s reputation as a responsible stakeholder that promotes both consumer welfare while also boosting the needs of domestic industry?

Several excellent discussions on NPD have focussed on the legal, economic, and technical viability of the recommendations provided by the CoE. A later presentation on Wednesday will cover in detail comparative approaches to governing NPD across the world. Fair bit of discussion and debate on the intricate details of V1 that undoubtedly shaped V2. And there will be more discussion on V2 that will likely shape the final draft.
The point of today’s discussion is to take a step back from the ‘what’ of the NPD report, which has been and will be covered, to the how, who and why. Given the prevailing contestations in the global landscape on data governance, the very idea of a report of this nature is a unique proposition and offers India some key opportunities as it helms the G20 later this year. If used appropriately, it could play a key role in India’s ‘digital sovereignty’ gambit a key pillar of its “ digital diplomacy,” provided that domestic regulators and the foreign policy establishment play their cards right.
Important to note at this stage that the NPD report did not emerge in a vacuum. It was a product of an upswell of discontent against the extractive practices of ‘Big Tech’ that garnered significant media attention as a variety of stakeholders, including Mukesh Ambani weighed in on the ‘data colonialism fate.’ This sentiment lead to a range of law and policies calling for data localisation that themselves garnered scrutiny and generated heated debate among a variety of actors,-industry,civil society and government officials alike which played out both in national and international media and across international fora. Since then, there have been number of policies put out by multiple government entities,looking to assert state control over the actions of large technology companies (supposedly in citizen/public interest) So, the origins of this Committee are important to note. Today’s foreign policy discussion is not a random by-product but one of the core reasons we are having this discussion in the first place.

Digital sovereignty, while used in several avatars can be boiled down to three simple points, which will serve as the levers for today’s talk:

  1. Regulatory assertiveness (ability to impose domestic regulation on non-state actors and shape global rules that may impact India’s digital sovereignty.)
  2. Strategic independence and
  3. Usage of 1 and 2 in a manner that benefits individuals, and champions fundamental rights while also fostering innovation,competitiveness

Finnemore and Sikkink, two respected scholars of International Relations came up with the theory of a norm lifecycle to describe how codes of conduct of global governance emerge for states over a period of time. It starts with norm emergence, when an actor or a set of actors propose a new norm. This is followed by norm cascade when the norm is debated across borders, finally leading to norm internalisation-the final step resulting in universal acceptance. The phase repeats whenever the internalised norm (status quo) is disrupted. This framework helps us understand where we are at in terms of the global landscape on data governance.
Broadly speaking, the debate on data governance till as recently as perhaps 5 years ago hinged on an ideological split between two coalitions. On the one hand, the US and the developed world wanted minimal government intervention, championing of individual rights, free flow of data while emerging economies were wary of a lack of regulatory assertion which would undermine their autonomy. Given the regulatory clout and muscle of the United States and the EU, most nations, with the notable exception of China were wary of taking steps that might make them lose out with respect to the global landscape.The trend began to change both with the data colonialism narrative that caused emerging economies like India to take a stronger regulatory stand Schrems I and the GDPR were watershed moments for the EU that spear-headed a more assertive stance not just on privacy but also on competition and regulation in general-culminating in the EU Data Strategy (and associated acts) unveiled late last year. The US continued its dogged laissez-fairre approach but that too may be changing with greater bipartisan willingness for stronger regulation. Therefore, it is clear that we are in a norm cascade with respect to sovereign assertiveness over data governance. Data sharing obligations, like those envisaged in the NPD report are not as disruptive to status quo as they would have been five years back, and that provides India with an unique opportunity to use their initiative strategically to exert appropriate sovereign control. As mentioned in the NPD report, several jurisdictions are coming up with similar regulations. (Japan,EU, NL etc)

The debate at the WTO started in 1998 with a Work Programme being set up at the Singapore Ministerial in the General Council ,that has largely been deadlocked till 2017 when some developed members set up a separate program culminating in the Osaka Declaration on Digital Economy,which India did not sign up to. Therefore, there are no clear international obligations which could govern India’s regulatory strategy, again leaving it open for India to shape the debate at the WTO and G20.

Both in terms of regulatory assertiveness and strategic independence having A policy of this kind is a good idea. Allows a nation to set the agenda early and drive rules rather than play catch-up. (Bit of discussion on previous regimes) Even though a legislation may be some way off, position papers are useful. The concern, however, both from a competitiveness and rule-shaping perspective is regulatory intent.
So, the policy has a few clear misses:
1.”Sovereign purpose”: While the report says it is not adding anything to what already exists ( essentially India’s draconian surveillance regime that will single-handedly deny the possibility of global data sharing arrangements) , it still adds quite a few lines and ‘normalizes’ the regime. GOI’s continued blind eye to both the civil liberties and strategic difficulties brought about by the state’s continued intent to snoop on private data is troubling.
2. Cross border data flows: The report doesn’t adequately address the the practicalities of the data storage question. For data that comes within the ambit of this policy and subsequent legislation, if it is stored abroad, we have a conflict of laws situation where the state whose territory it is stored on can continue to assert jurisdiction.
3. Heavy handed rather than responsive regulation: Unlike other countries like the Netherlands that have more successfully appreciated the nascent nature of this field and opted for responsive regulation mechanisms starting with voluntary sharing, the NPD report has been much more assertive. This, combined with an uncertainty in definitions not only diminishes competitiveness but also boxes regulatory intent into a corner.
Purely from a foreign policy perspective, the policy in its entirety is too complex and has far too many new theoretical innovations (like the EU DGA) to be an instrument of rule-shaping in its present form. There is a definite need to figure out the crux of the report and position it in a manner that would serve India’s interests.

Recommendations/take-aways for CoE

Work with the MEA/G20 Sherpa/MoC closely as it sets the agenda for international negotiations. History has shown that successful rule-shaping has happened when government institutions are aligned and have capacity on a key issue
Clarify a rights-respecting version of ‘sovereign purpose.’
Build coalitions before arriving at regulatory mandates that might hinder competitiveness.
Be very clear about the advantages of being a rule-shaper and the costs of being excluded from the high-table. The ‘Brussels effect’ that has resulted in the harmonisation of global rules and regulations in line with EU policy has benefitted EU businesses and citizens in several ways. While the EU is active in the data governance field as well,it is likely that emerging economies will look to India


{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more