To share data or not?
encrypted messaging apps, to part with data of suspected terrorists, if the request is backed by a court order in these three countries. How such a request and court order will play out in the US and what role if any the American government will have remains an imponderable.
In Germany concerns about consumer privacy and data being “exported” are growing. New regulations make “opting out” the default, and this is relevant if a user does not want his search history shared or mined by a search engine for collateral purposes. It is worth noting the US Congress has just permitted Internet service providers in that country to sell subscriber data, including websites visited and products bought online.
Consumers have to specifically opt out if they want their data not to be sold. Of course, in turn ISPs may end up offering differential tariffs to those who opt in and those who opt out.
How does India respond? End-to-end encryption in messaging apps is welcomed by users but has law enforcement agencies paranoid. Seeking information from an American company currently requires approval from the department of justice in Washington, DC, federal courts in the US and the Federal Bureau of Investigation. Only then can the home ministry in India get the user data it wants. This may seem fair if you don’t trust the government as an entity — but it does amount to trusting US government agencies more than Indian government agencies. That is obviously illogical.
Indian companies, however, have different compliance protocols, answerable as they are to the Indian state. They cannot take recourse to privacy and encryption policies that their international competitors do.
It is not feasible to have data centres in several countries — that would not be cost effective — but India, with a large Internet user base, could make a strong case...
This creates an unfair advantage for the latter and is not sustainable for a healthy, home-grown Internet start-up space.
Related to data access and data privacy is the phenomenon of data security. To protect sensitive personal data, such as medical histories, financial records and biometric information of citizens, should such data be stored in servers located in India — free from the physical jurisdiction of a foreign government? Today, most of the Internet economy’s giant data centres (encompassing many thousands of individual data servers) are located in the US.
It is not feasible to have data centres in several countries — that would not be cost effective — but India, with a large Internet user base, could make a strong case. Locating data centres in India would also be a magnet for investment and make India a backbone of the global Internet. Social media and e-commerce companies with substantial Indian users could be incentivised to use these data centres. This would apply equally for Indian and American owned companies.
Having said that, such an approach requires policy clarity and recognition of a degree of encryption and user privacy as a general norm for the Internet — across domestic and international companies. It requires a privacy law that is fair and contemporary, given our data-rich age. It requires legal and policy assurance from the Indian government that Internet companies, irrespective of ownership, will not be answerable to casual and informal requests, or even bullying, by police and government officials. The example with telecom companies is there for all to see.
Without that certainty, the Indian data debate will not make much progress. Without that certainty, large-scale investment in and relocation of data centres to India will not happen. Without that certainty, Indian Internet and tech start-ups will not have a level-playing field.