At the beginning of October, the Observer Research Foundation held the 5th CyFy Conference on technology, security and society in New Delhi. The composition of speakers invited to the panels signaled that India is more willing to hear from the western world than to promote its own agenda. However, this did not prevent the Indian stance on the key issues of Internet governance from coming through.

During the opening panel, the Indian representatives from ORF, Twitter and the Global Commission on the Stability of Cyberspace delineated the key problems that India will face in the near future: balancing freedom of expression while regulating social media platforms and combating the dissemination of fake information; drawing the red lines for data regulation for government systems like Aadhaar, which process the personal data of citizens; and maintaining India's leading role among developing countries in building good digital governance. The leading topics of discussion were privacy in the digital age and problems of data localization.

Toying with data nationalism

The Indian government realizes the value of data, but the right regulatory framework is yet to be found. “If data is a resource like a new oil, it may be protected within the boundaries of the country – localized so that nobody will use it except the people of this nation – but then you don’t completely realize the nature of the Internet and the way data is moving across it,” said Sunjoy Joshi, Chairman of the ORF. The Indian legal framework is inclined to see data as a natural resource. The state holds all natural resources in a fiduciary capacity, and from this flows the whole idea of fiduciary rights over data: the resource actually belongs to the abstract sovereign people of the Republic of India. But depending on who is considered the fiduciary – the government or a private entity – their rights over data differ substantially. If the government is the fiduciary managing personal data, it has absolute rights, as with the Aadhaar system for digital identification of Indian citizens. A private company that collects its users’ data is a trustee of the individual who produces the data, and the company should be held accountable for how the data is used and responsible for its security. This means that it can’t use the data beyond what users have consented to, which marks a different level of fiduciary status from that of the government.

Last year India studied different models of data protection and eventually came up with the draft of the Personal Data Protection Bill, which is mostly based on the GDPR legal framework, though with Indian adjustments like “data principals” (the natural person to whom the personal data relates) and “data fiduciaries” (any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data) instead of data subjects and controllers. Moreover, the bill has data localization provisions that require Indian personal data to be stored inside the country and that constrain its transfer outside Indian borders. Finally, the Bill establishes the Data Protection Authority with a wide range of powers: interpretation of regulations, investigation of data breaches, issuing of fines and penalties, and involvement in rulemaking. The summary of main provisions of the Bill can be found here.

Participants of the panel devoted to the discussion of the draft bill tried to reassure the audience that India doesn’t blindly copy the European framework; instead, it’s working on its own way of enforcement. GDPR will not always be relevant for emerging markets, as the question of accessibility is still unresolved there. The ideal data regulation regime should put individual dignity and fundamental rights to privacy at the top while maintaining national security together with business motivation to comply with the law, keeping its ability to function without too many restrictions, said Megha Arora from Palantir Technologies. As for the data localization problem, participants of the panel voiced the concern that a strong protection regime and strict localization of personal data don’t necessarily ensure its protection and privacy. Instead, the government should work on the growth of trust between private companies and users.

The Indian government also looks in this direction, though with a reservation about its fight against crime and terrorism. Ravi Pasad, Minister of Electronics, IT, Law and Justice of India, emphasized in his address the exclusive role of the state in providing data protection and privacy: terrorism and corruption have no excuse to hide behind privacy, and state action is needed here. But again, there should be a balance between data availability, data utility, innovation, anonymity and privacy. Only such conditions will let India develop its digital governance to a high level.

India and Multi-stakeholder Cybersecurity

As for international cybersecurity, Gulshan Rai, National Cybersecurity Coordinator of India, claimed that India seeks to arrive at a uniform framework for cyber norms accepted by every country rather than a patchwork of cybersecurity agreements between like-minded states. But he admitted they don’t completely understand the implications of emerging technologies like 5G, IoT and AI for security, which is why cybersecurity should be tackled by breaking it down into small issues. Sanjay Verma, Additional Secretary of the Ministry of External Affairs of India, added that India “have moved from the single vertical regarding cybersecurity to the multi-vertical security of cyberspace: we talk about legislation, innovations, startups, data, access; the most important for the developing countries like India is the inclusiveness of all these efforts and initiatives”. Interestingly, Indian government officials highlighted that India will adhere to the multistakeholder approach to cybersecurity, though no one specified the exact ways of doing so.

Microsoft brings “digital peace” to CyFy

Microsoft used the opportunity to present its latest initiative called Digital Peace – a new attempt to appeal to global society and a change in the narrative of the company’s fight for cybersecurity. In its call it says: “We must come together as Digital Citizens and call upon our world leaders to create rules of the road that protect our digital society.” Basically, Microsoft started a petition that is not directly addressed to a particular government or organization but claims that by signing it you will join the global movement of digital citizens demanding digital peace. “Digital Peace” shouldn’t be considered a re-branding of its Digital Geneva Convention, which was first introduced in 2014. On the contrary, Microsoft reiterates its commitment to promoting the idea further among governments. Thus, we can see that the company is trying to act strategically on multiple layers of decision-making.

Notably, “Digital Peace” was presented against the background of the panel on the future of the Tech Accord, which left the impression that the activity of the Tech Accord participants (where Microsoft is one of the most active) boiled down to desperate calls to governments and other private companies to take into consideration the norms and principles of cybersecurity they had committed to. The panelists said it was necessary for different stakeholders to do more joint activities, and reported on their collaboration with the Global Forum on Cyber Expertise (GFCE). The GFCE is conducting webinars on best practices in cybersecurity for companies and a call for industry-wide adoption of transparent policies for coordinated vulnerability disclosure; it is also participating in the Internet Society’s Mutually Agreed Norms for Routing Security (MANRS) initiative. While there are some announcements of collaborations, it is hard to measure the real impact of the Tech Accord on cybersecurity, despite the fact that the number of signatories has almost doubled since its start in April 2018. Nevertheless, the Tech Accord promised to publish a report on its signatories' progress in complying with its commitments – we will see what comes this year.

CyFy showed that India is going through a time of confusion in data regulation and security. On the one hand, it tends to sympathize with ideas of sovereignty and an exclusive role for government in providing security. At the same time, India is actively learning from the EU experience, as well as advocating for the multistakeholder approach to cybersecurity.