India needs proactive data sovereignty amid global surveillance

By Dev Chandrasekhar

Given the surveillance practices of countries that have monopolized the hosting, ownership, operations and monitoring of of the world’s data infrastructure, it has become increasingly critical for India, and other countries as well, to speed up its drive towards digital sovereignty.

It’s crucial for India to reassess its stance on data ownership, protective measures, and control over its digital ecosystem, to establish a thorough system addressing ownership and control, enhancing citizen-level protections against international surveillance concerns predominantly posed by nations like the US and China.

US Surveillance has Data Access to ALL Cloud Providers

In April 2023. US President Joe Biden enacted the Reforming Intelligence and Securing America Act, which renewed Section 702 of the Foreign Intelligence Surveillance Act (FISA). This law permits US companies to relay foreign user data to the American government without a warrant for security reasons, affecting data across major cloud services such as AWS, Google Cloud, and Microsoft Azure, widely utilized by Indian entities. Consequently, Indian users—this includes businesses and government departments as well—are exposed to the danger of their data being accessed by the US government, unknowingly and without consent.

This highlights the urgent necessity for India to revamp its data governance structures. With its vast population and expanding digital infrastructure, India is a significant repository of data. Asserting data sovereignty becomes a key defense for privacy and a boost for both economic and national security.

Data Sovereignty is a Strategic Necessity

Data sovereignty implies that data within a country should comply with its laws and be stored domestically. This strategy is not only about legal compliance but signifies a strategic move towards establishing India as a technology leader and safeguarding democratic values in a globally connected ecosystem.

A strong data sovereignty framework ensures protection against breaches for Indian citizens, and safeguards sensitive government and military operations. Yet, authentic sovereignty requires more than mere data localization; stringent protectionary measures and clear ownership must be in place to prevent external surveillance threats and misuse within.

Global Models

India could look to models such as the European Union’s General Data Protection Regulation, which empowers citizens over their data control and mandates strict company regulations for data handling, prioritizing safety and privacy without compromising innovation.Another point of reference could be the UK-US Data Access Agreement, which, while not completely negating surveillance risks under FISA’s Section 702, offers a basis for balancing privacy concerns with law enforcement needs. It emphasizes judicial oversight, minimization of data collection, and protects human rights, setting a precedent against bulk data collection.

Nevertheless, due to India’s vast digital and data needs, a more comprehensive approach is necessary. India might explore forming bilateral or multilateral agreements similar to those within the BRICS nations, aligning with strict domestic data protection laws, anticipating future legislations that prioritize individual rights over their data.

Beyond Reactive Localization and Legislation

Achieving digital sovereignty for India demands beyond regulatory adjustments—it necessitates significant investments in domestic infrastructure, including data centers, cloud storage, and processing capacities. Owning this infrastructure not only fosters economic opportunities in tech industries but enhances control over data pipelines, particularly undersea cables critical for global internet traffic, dominated by US and G7 countries, with China rapidly increasing its stake. Allegations of espionage via such infrastructure underline the geopolitical risks, urging India toward securing its own undersea cables for national security.

India’s digital sovereignty path is intricate, requiring the development of infrastructure and nurturing domestic digital platforms to compete globally, thereby stimulating economic growth and innovation. Industry-specific data localization could ensure sovereignty without hampering global trade, and educating Indian citizens on data vulnerabilities empowers informed decisions. Transparency, judicial oversight, and accountability must underscore India’s data policies, ensuring privacy rights are safeguarded and citizens are informed of data access.

(The Author is a Senior Fellow at the Centre for Innovation in Public Policy. The views expressed are personal.)