By Charlotte Voelkel
The Indian Parliament is presently scrutinizing the Personal Data Protection Bill (PDP) which updates India’s existing data protection regime. Beyond refurbishing the outdated framework of the Information Technology Act, 2000, the bill is a bid to shape international norms of data governance. However, it stands to risk the future of digital trade with the United States by forcing companies to retract their business or make their operations newly compliant. To counteract this potential weakening of the nations’ digital relationship and ensure future regulation is mutually beneficial, the United States and India should work towards a bilateral data sharing agreement.
The PDP bill is a part of Prime Minister Modi’s “Digital India” mission to ensure India keeps pace with digital economies. Internally, the bill protects Indian data subjects by regulating access to personal data, broadening individual rights, establishing a central data protection regulator, and data localization requirements for sensitive data. However, the bill reaches beyond its borders to foreign organizations with business connections to India. This extraterritorial effort can be read as an attempt to shape and dominate the as-yet-uncertain future of data governance and cyber security.
The PDP, though structurally different than its European counterpart, can anticipate some risk from the ramifications caused by the extraterritorially reaching General Data Protection Regulation (GDPR). Since its adoption, U.S. companies have had to reorient their services to become compliant, or reconsider their partnerships with European services and customers (a task occupying 1600 Microsoft engineers and “hundreds of years of human time” at Google). India’s legislation would require companies to adapt to an additional regulatory infrastructure to access the Indian market. Given PDPs lack of alignment with GDPR, companies would be faced with a new set of logistic and economic opportunity costs, forcing an internal calculus as to whether the Indian market merits the effort of compliance.
Additionally, the structure of the PDP reflects protectionist anxiety regarding India’s economic future. Rising internet use and innovation connect increasing numbers of Indian "netizens” to foreign companies, products, and opportunities. Instead of pursuing regulations that take advantage of foreign developments, the policy debates have thus far focused on preserving the Indian market and home-grown value. This mindset may keep Indian entrepreneurs hoping to build global products from the expertise and resources available in the United States. To capitalize on its potential to become the world’s data receptacle and the growing international distrust of China, India should advocate for open data flows, reciprocity, and equitable market access across regulatory regimes. As a key investor in Indian ventures, the United States is already implicated in India’s digital future. A bilateral data sharing agreement can help navigate synergies and divisions between the two nations, such as their concerns regarding China as a commercial and security risk, and the proposal for a “digital tax” floated at the G20 summit at Osaka. Given the density of tech firms in Silicon Valley, the latter idea primarily targets U.S. companies. India championed the proposal as a means of allowing their own burgeoning digital commerce to compete.
Finding a bilateral future in the past
There are several precedents for constructing a bilateral data partnership around data as an economic commodity for goods and services. The United States has a slew of bilateral intellectual property agreements that cover manufactured goods and services which could reasonably be extended into digital products. For example, the U.S.-Korea Free Trade Agreement encourages the countries to “refrain from imposing or maintaining unnecessary barriers to electronic information flows across borders,” but is not binding. The now defunct U.S.-EU Safe Harbor Framework is a precedent for data guidelines with firm enforcement capacity. The United States also has the Clarifying Lawful Overseas Use of Data or CLOUD Act that allows sharing of crime-related data and could reasonably be reoriented into a trade agreement concerning commercial data. The U.S.-China Cyber Agreement signed in 2015, set cyber guidelines and attempted to delineate economic and governmental engagement. It failed due to China's unwillingness to restrain copyright infringement but can serve as a useful model. The structure of an agreement can also resemble a bilateral iteration of the Cross-Border Privacy Rules system laid out by the Asia-Pacific Economic Cooperation Privacy Framework. This agreement unifies compliant businesses which are then subjected to a single privacy regime for data transfers, provided each nation isolates an enforcement authority and a third-party to verify compliance.
Developing new data privacy frameworks is a gambled presumption that the cost of compliance is worth market access. Given existing infrastructural and lingual difficulties for technology companies to effectively reach the Indian market, asking for compliance with a bespoke data framework may be too high a cost for ongoing engagement. Instead, a bilateral data sharing agreement would engender market intimacy and encourage further development.
Charlotte Voelkel is an intern for the Wadhwani Chair in U.S.-India Policy Studies at CSIS.