If Poorna Swaraj meant complete freedom from foreign rule during the struggle for independence, its tropes and vocabularies have again become relevant today. The digital age is dominated by five US-based singularities – Apple, Microsoft, Google, Facebook and Amazon – without which everyday existence seems unimaginable. Close on their heels are a clutch of ever-growing Chinese counterparts.
Much like foreign rule, albeit without the associated physical conquest that preceded it, they promise efficiency, ease of living and good governance. But as Mahatma Gandhi said, “good government is no substitute for self-government.” Asserting our digital sovereignty is essential in the digital age if India wants to remain free and Indian companies want to remain competitive globally while keeping our citizens secure.
The critical element of digital sovereignty is data localisation. Localisation entails the mandatory physical storage of personal, organisational and strategic data of India and Indians in India alone, mirrored in neutral countries approved by the Indian government. This may appear like a protectionist mandate – however, it is far more fundamental. Local data storage is central to ensuring the sanctity of the Indian Constitution and safeguarding our critical assets.
Data localisation protects India and Indians against three distinct threats. Owing to India’s unique geography, internet traffic into India predominantly flows through a limited set of lines in shallow international waters. An effective way to attack India – our financial, health systems and smart infrastructure – is to sever these lines physically, simultaneously. Storing data locally averts this possibility.
The second threat is network security. Inside India, the network infrastructure – the routers and switches that regulate internet traffic can be secured and audited as per Indian security standards. Not only are international networks outside our control, backdoors through which one can access our internet traffic will be opened at the behest of governments whose corporations run these networks.
The most serious threat is systematic compromise of Indian government, corporate, civic and citizen data at national scale. The Snowden leaks revealed large-scale gathering of personal data of foreigners by US intelligence agencies, directly from American corporations through the PRISM programme.
This is not a conspiracy of US corporations, it is their legal duty. Section 702 of the Foreign Intelligence Surveillance Act allows all non-US national information to be collected or read and processed without individual consent. All US based companies, such as Facebook, Amazon, etc are under legal obligation to share data of Indian nationals when required for intelligence purposes. Chinese surveillance processes are even more extensive and opaque. This is illegal as per the Indian Constitution.
Localisation is not just a bulwark against these threats, it is equally key to assert our national sovereignty. This is critical for two reasons. First, to enforce our Constitution and laws. The WhatsApp-Facebook merger case in the Supreme Court shows the futility of legal recourse in Indian courts against foreign companies with data outside national jurisdiction. Mandating data storage in India is the first step towards a fairer deal – benefiting from Indian consumers will imply playing by Indian rules.
Second, localisation is needed to boost India’s economic sovereignty. Though this topic is entirely distinct, one example would suffice. Over the last decade each of the three majors – Microsoft, Google, Amazon – have invested more in R&D than India itself. Alphabet (Google) spent $20 billion last year, while India’s overall R&D expenditure was $14 billion. Without ring fencing large Indian enterprises, let alone startups, cannot hope to compete with such behemoths.
Intrinsic in its advantages are the risks of localisation that must be guarded against. The first is viability – will we have enough data centres? If it were not viable, we would not have Amazon, Google, Microsoft and others setting up data centres in India today of their own volition. Rapid growth of local data centres to match our demand is simply a matter of will and policy.
Second is the oft-articulated fear of creating a surveillance state. If localisation safeguards citizens against foreign powers, it could equally be used for nefarious domestic intelligence gathering. This is true, but not an intractable problem. Philosophically, the precursor to a surveillance state is a surveillance society. Each one of us with a smartphone contributes to creating such a society, trading our privacy for digital convenience and efficiency. So to not expect the state to employ mass digital intelligence gathering is naive.
This does not in any way imply that the state should have unrestricted access to data outside the boundaries of law. The right to privacy is a fundamental right of every individual and it demands that any surveillance, even for purposes of national security, is demonstrated to be necessary and proportionate.
Simply having the data in India should not mean that our security agencies have a free pass. It means that appropriate laws to protect such data, including from security agencies, need to be enacted as a constitutional mandate. Failure to do so imperils any localisation policy, replacing foreign surveillance with equally harmful domestic surveillance.
With appropriate safeguards, localisation of data is both necessary and doable. All it takes is courage from leaders to remain steadfast in their conviction, repelling domestic critics and standing up to dominant foreign powers. Gandhiji did both on his epoch making Dandi March paving the way for Poorna Swaraj. It is now time for a digital Dandi.
Lalitesh Katragadda is an internet pioneer. Arghya Sengupta is Research Director, Vidhi Centre for Legal Policy. Views are personal.
Originally published – https://timesofindia.indiatimes.com/blogs/toi-edit-page/a-digital-dandi-march-push-data-localisation-to-preserve-indias-sovereignty-and-enable-fair-competition/