Interpreting India

The Geopolitics of Data with François Godement and Ralf Sauer

Episode Summary

In a special episode recorded at the Global Technology Summit 2019, guest host, Rudra Chaudhuri speaks to François Godement and Ralf Sauer about the global debates on issues of data privacy and data protection, EU's approach to data sovereignty, and the implications of India's personal data protection bill.

Episode Notes

In a special episode recorded at the Global Technology Summit 2019, guest host, Rudra Chaudhuri speaks to François Godement and Ralf Sauer about the global debates on issues of data privacy and data protection, EU's approach to data sovereignty, and the implications of India's personal data protection bill.



Rudra Chaudhuri is the director of Carnegie India. His primary research focuses on the diplomatic history of South Asia and contemporary security issues. He is currently writing a book on the global history of the Indian Emergency, 1975-1977. At present, he is also heading a major research project that involves mapping and analyzing violent incidents and infrastructural development on and across India’s borders.

François Godement, an expert on Chinese and East Asian strategic and international affairs, is a nonresident senior fellow in the Asia Program at the Carnegie Endowment for International Peace. He is also senior advisor for Asia to Institut Montaigne, Paris, and an external consultant for the Policy Planning Staff of the French Ministry of Foreign Affairs. Until December 2018, he was the director of ECFR’s Asia & China Program and a senior policy fellow at ECFR.

Ralf Sauer is the Deputy Head of Unit in DG Justice and Consumer's international data protection unit. As such he is co-responsible  for the entire work of this unit which covers data flows both for commercial purposes and in the area of law enforcement cooperation. The objective of the unit is to facilitate such data flows through multi- and bilateral arrangements at international level  while ensuring a high level of data protection.


Additional Reading:

  1. Digital Privacy: How Can We Win the Battle? by François Godement
  2. Will a GDPR-Style Data Protection Law Work for India? by Anirudh Burman
  3. The era of data globalism is over. Where does this leave India? by Rudra Chaudhuri


🎙️ Check out our podcast, Interpreting India available now on 

YouTube, Spotify, and iTunes! 

Home: https://interpreting-india.simplecast...





Carnegie India Socials:

 Instagram: (@CarnegieIndia)




Episode Transcription

(intro) Hello and welcome to Interpreting India! I'm Srinath Raghavan and this is a podcast presented by Carnegie India. Every two weeks we bring to you voices from India and around the world as we unpack the role of technology, the economy and foreign policy in shaping India’s relationship with the world. 

Srinath Raghavan: The special episode of Interpreting India was hosted by my colleague and director of Carnegie India, Rudra Chaudhuri. The episode was recorded at the Global Technology Summit 2019 in Bengaluru. 

Rudra Chaudhuri: The information age has brought with it unprecedented technological progress and development. At the same time, it has raised important philosophical questions pertaining to its effects on society. One such issue that various stakeholders are trying to grapple with today is the question of privacy. We live in a time where a mere existence generates unfathomable amounts of personal data. While States can leverage such information for social welfare, many have raised the concerns about States or large corporations being able to survey large amount of intimate personal data, thereby encroaching individual privacy. Can we find a balance between imperatives for protecting individual liberty while not having to compromise on leveraging data for innovation and economic growth? To unpack this conundrum, we're joined today by François Godement and Ralf Sauer. Francois is senior adviser for Asia at the Institute Montaigne in Paris and is also a nonresident senior scholar at the Carnegie Endowment for International Peace in Washington DC and an external consultant for the policy planning staff of the French Ministry of Foreign Affairs. Ralf Sauer is the deputy head of director general justice and consumers' unit for international data flows and protection at the European Commission, which covers data flows both for commercial purposes and in the area of law enforcement cooperation. 

Gentlemen, it's a privilege to be speaking with you today about this most important issue. François, while we were preparing for this podcast this morning, the first question I was going to ask you was about the paper that you've written. It's a landmark paper. It provides us with different structures and architectures about privacy, so whether it's China, whether it's the EU, whether it's the United States, and you've got a very thick case study on India. I'm going to hold that question for a second because between this morning and now we've learned that the personal data protection bill or the draft bill that was written up in 2018 in India will be tabled in parliament. Can you just give us some thoughts on the bill in itself, perhaps referring to your own paper, but even otherwise.

François Godement: I wish I knew the content of the bill. Of course, the final version that's going to be put in front of parliament. As we stand, we are working on what we read, over the last few years. Uh, two things strike me. Uh, the first that inform in many legal aspects. It's very close to GDPR, to the European regulation. And yet it has critical differences in two areas. One is of course, the accent of data localization, which has only grown because it's become literally an economic policy issue in India generally. And the other one perhaps less often emphasized by libertarians and protectors of constitutional rights have noted it, is that it's not great on what I could call legal arbitration, independent organizations, judging on what the Indian state can do or cannot do, the state leaves a lot of decisions to itself, but we don't know what will stay after all for the final draft.

Rudra: In your a monograph, in a sense you argue that India has an opportunity because it's a bit of the crack between the East and the West. Those models on privacy are pretty much determined. There's a top down model. The United States has a desegregated bottle. China has one of complete control. India has opportunities, space always creates some degree of opportunity in themselves, in your current reading of India, it's reading of its economic rise. What do you think is the pathway for India when it comes to privacy, when it comes to working with the rest of the world on global issues of privacy architectures? 

François: I think there are again, two issues there. Uh, one is really the economy opportunity for India. We heard today about, uh, India literally concurring the global South, uh, with its own modal and its own companies and by implication perhaps less binding rules, less demanding rules than the West. The other part of it is that either you're in or out of what I would call the global data circulation and people talk about fragmentation and the breaking up the internet, but really there is still one big Western internet that's fairly operative that's got agreements, let's say for the sake of simplicity Europe, the US and Japan critically and the question is, is India going to be part of it or is it going its own way because he thinks it has such a possibility. I think that's a huge question.

Rudra: On that question. If I can turn to Ralf Sauer, Ralf, a good part of the GDPR as Françoise made clear, has been used to create the draft bill. It's been used a bit of a philosophical context, if you like, in what will be our privacy bill in parliament, probably GDPR perspective. What's the next step with India? Once the bill gets tabled in parliament, we will of course have a clear sense of what the bill actually looks like. From your perspective sitting in the EU commission. What's the next move? 

Ralf Sauer: This is a law for India. It's for India's own interest. India is not doing this for the sake of, of any other country. And that includes, uh, the economic block that the European Union is. Um, of course we have a strong interest in that, because especially the closer, uh, that that law is to, to our own, rules, and I think it is an indigenous, it's an, it's an own, uh, development by, by India that nevertheless shares a lot of uh, commonalities with Ross. And the closer we are, the, the easier it is of course to, to have data flows between our two countries or blocks. Um, and, and I think we can further work on that. Uh, once, uh, India has such rules in place, uh, on the one hand, um, it's easier to, to work on, on maybe your contractual tools that that can be used. That can maybe also specifically adapted. I mean contractual tools that, that that includes a certain data protection standards, which will be easier for companies now to, to, uh, fulfill, uh, if they have already in their background law, very similar rules. And that can be a transfer tool. Uh, we can also be more ambitious, uh, and, and see, uh, we have in our law. We would see what the Indian law has a tool, uh, which, uh, is a decision, um, which basically, uh, finding, uh, that, uh, the other country, um, has a similar standard of data protection on that basis. We from the EU side can basically, uh, completely lift any barrier or any requirements, uh, for, for example, contractual tools, uh, for transfers between the EU and India. So, uh, that's called a an adequacy finding because it's about finding that the desert country law is adequate and our courts have interpretered as is, uh, very similar to, to our, uh, rules, uh, because then we can have, uh, the confidence that that data can travel, uh, and will be protected in the same way. So it doesn't lose the protection when it goes across borders and, and that's a very beneficial tool which we have used with a number of, of of countries in the past. Uh, the latest one was Japan. Um, well there was even a mutual, uh, recognition if you wish because Japan has the same tool in, in its rules. Uh, and it created the, the largest, uh, area of safe and uh, I mean free and safe, uh, data flows. And that's of course in today's world, highly, highly beneficial. 

Rudra: Just sticking with Japan for a second, the EU is one of India's largest trading books alongside the United States. Logically one could imagine that once the privacy bill is stable, it becomes law. The next step will be to try and figure it out and assess who do we want in our club. That would be the Indian argument. Fact of matter is large amounts of create means the large need to continue to move data between two different jurisdictions. From your experience in India, from your experience sitting in Brussels, do you feel that there is an appetite to mimic or ape, something like the EU Japan agreement? 

Ralf: We should be clear that what the EU Japan agreement is about, uh, that is a, a free trade agreement that has a different name, an economic partnership agreement, but it's a free trade agreement, which, which of course covers a whole range of issues that a, I would say second generation, uh, type off of FTA, uh, contains today. Um, it's, it actually does not contain rules on cross border data flows because, uh, there was an understanding with Japan that we would deal with that question under our respective data protection, uh, laws, um, GDPR in the European Union and what's called the APPI in Japan, we used a separate track, uh, based on the understanding that in both countries, uh, or economic blocks, uh, data protection is a fundamental right, uh, which, which should not be subject to trade negotiations. It's not something that, uh, you can haggle over or compromise on easily. Um, unlike maybe whether the tariff, for milk should be 10% or 15%, uh, or for cars, it's a different thing. So that's why we use the separate thing and the instruments that are available for, for, for that particular error. So with India, I think it could certainly, uh, uh, talk about, for example, adequacy, uh, or other tours. Uh, we have had conversations with the Indian government for, for, for quite some time, also on maybe developing specific, as I said, model clauses, data protection model clauses for contracts, which could also be used, um, for data transfers. And they can be taken off the shelf if you wish, if you wish, because there would be model clauses that are agreed, uh, they don't have to be renegotiated in between partners on each occasion. Um, and one could tailor them also to the specific needs of Indian companies. And we have reached out to NASSCOM for example, uh, and have asked them to, to, to provide us with input what could be those needs. So, so, so those are that many options to, to, to, to do that. Um, the free trade agreement negotiations will I think remain on, on, on, on other issues. Um, with the promises and difficulties, let's say that that, that we faced. Um, we very much hope from the EU side that we can also conclude those negotiations, but there's some ways to, go to, to get there faster. 

Rudra: If I could change track a little bit and bring it back to your paper. The part about your paper that struck me the most was your chapter on China, which had, and this is of course terrain that is more comfortable to you then many others in this world you had a very complicated matrices of how Chinese companies or national champions have managed to survive and profit while being in a particular Chinese model in itself. Can you talk a little bit more about that? 

François: Well, of course you could call it, uh, the second, uh, industrial cocoon. The first industrial cocoon was a practice by China and other Asian countries after world war two and China has created without us fully realizing it, a virtual cocoon around its digital industries and market. There are huge differences with India by the way. Uh, you have enormous data flows with the outside world. China doesn't, that's of course the price to pay for having a cocoon. Uh, but China has been able to nurture, uh, its own companies informally, I would say to kick out many foreign companies that were active, uh, on the market. Uh, and because of WTO it did, does interfere with, so even though services are not included in WTO, but under WTO, we basically accepted and there’s an asymmetry where China accesses what we have and we can't access what China has. So as an example, uh, China has gone big, uh, w w w w with its eCommerce and, and it's, and increasingly it's apps has a huge share of the Indian market. 

You couldn't have a huge share of the China market. That's something that they have got, that they've got a way with second, there is no end to the authority of the state. Uh, which means of course, uh, that we're seeing the worst possible implementation of the digital era in China. The really frightening scenarios, uh, are there almost everyday for us to see. So it is tempting from the point of view of efficiency for a country like India to say, Hey, if the Chinese did it, we could do it. It should be frightening as well to look at the consequences of the policies enacted in China. 

Rudra: The current US China trade war seems more like a symptom of a geo-strategic shift. It doesn't seem to be trade seems to be now a proxy or something, a lot more geopolitical where there seems to be a degree of consensus within the United States that China is a competitor. In this scenario, at this point of time, do you see China wanting to open up, opening up their digital doors to other parts of Asia? Here I'm talking about RCEP for instance. It's an agreement that India of course stayed out of China, took the kind of leading position in RCEP. In a sense, do you see a beginning of a new shift, which I know may open up some of their data drawbridges to their partners and allies in Asia? 

François: RCEP is a very superficial trade agreement that doesn't cover much. It's useful for a lot of primary goods or good is not so useful in this area. Fundamentally, I don't see China surrendering. It's main advantage, which is East has free trade with a very good deal for itself. And if it's not surrendering this to the US I don't see why it was surrendering to anyone else, including the EU, by the way, which is our problem in dealing with China. In terms of data, you have to understand that the US uh, big data firms, the big companies, the platforms have also used a symmetry. For example, Facebook, Google, Twitter, all collect massive amount of ad revenue from Chinese companies that access us, the customers of these companies in the West. While of course our companies cannot access, uh, Chinese customers in the same way. So there are people who benefit from the asymetry on both sides of the fence. And that is something that the current US administration, uh, is up against. Uh, it's sup, it's something that's not yet decided because there are different interests in the U S 

Rudra: Ralf from your vantage point and the chair that you hold in the EU, how do you deal with China? 

Ralf: Broad question. We of course, I'm also trying, um, I mean we, we see, uh, indeed growing imbalance. I think, uh, that's, that's, uh, needs to be, uh, addressed. Uh, that's, that's data goes to China. Um, uh, and in the other direction, uh, it's, it's more and more limited. Um, I, I just think we disagree a bit on the means that should be used to address the issues. I think we, uh, as EU believe and continue to believe in multi-lateralism, uh, in the rules based rule-based, a trade order. So we'll try to push, for example, through the WTO or through the discussions on eCommerce, uh, chapter, uh, in a, in a certain direction and do this together with other partners, uh, like minded partners and step-by-step, uh, create a momentum which, which will, uh, increase the, uh, the pressure to open up the data markets also in China. 

So it's maybe more a question of approach. Uh, maybe also off time frame that that's also true. Uh, uh, some countries like the US try now to leverage their strengths that they have in terms of the U S market to obtain quicker results. Um, but of course it puts at risk some extent. The, uh, the rule based order, um, uh, and trade wars I think are never beneficial for anyone. And, and, and, and the trade war between, uh, uh, the U S and China is also affecting the EU. So, so also because China might, might redirect some of its trade in, in other directions and that might also affect the EU. So we worried about this, but we hope that can address this through the existing mechanisms, uh, that, that, that we have 

Rudra: some in India argue that the EU disguises a certain form of hypocrisy. On the one hand, you talk about multi-lateralism, you talk about China and you talk about trade drawbridges. But on the other hand, your member States, such as France and Germany have increasingly started talking about data sovereignty. France has a digital tax on big tech firms inside of France in itself. How do you square that circle? Or is that just a necessary tension? 

Ralf: So I would say that when it comes to what's called now, sometimes data sovereignty. I think when we're talking about strengthening the, um, the competitiveness of, of, of the EU and its companies and being able to compete and still have access also to, to data. And we're trying to address this, uh, on the one hand of course, through, uh, the digital single market. Um, so, so to already strengths in our companies by the fact that at least within the EU, we should be an integration organization to facilitate data flows, data exchanges, uh, and, and, and therefore, uh, create a better environment for companies. And to do this also through, uh, infrastructure, uh, in terms of cloud connectivity, uh, broadband, talking about creating a super computer, uh, that become a, I mean, that infrastructure which is necessary for, for artificial intelligence. So, so all of this to create an environment where, where, uh, European companies that are in need and in some respects in some areas have fallen behind, maybe a can can, can regain a bit, uh, competitiveness, uh, but it's not about, uh, shutting off our markets against other markets. 

So, so, so this will still go hand in hand with openness, uh, to trade and trade flows and data flows. Uh, and, and, and when it comes to, to, uh, digital texts, um, I don't see the conflict at all. I mean, uh, uh, whether it's good or not that that a individual member States do this is, that's maybe another question. Uh, and, and, and the European commission certainly has tried to find a European solution to that. Uh, although this was always meant as a temporary solution until we have found a solution that OECD and G20 level. Ah, so that's also to be said, um, because we, we, again, we believe in multi-lateralism and that we should find a solution to digital taxation, um, which is very different from taxation of, of, of traditional goods and services, uh, at, at a, at a global level. Um, but, but more generally, I think this is about capturing a certain revenue that comes from digital services and, and there might be a certain imbalance now where, uh, that's, uh, revenue is created and where the profits from that state, and I think it's a legitimate interest of States to, to have, uh, to preserve their tech spaces, uh, at an age where more and more, uh, commerce is done digitally. Uh, we have to be worried about or concerned about this and we have to address it. Uh, ultimately we should address it at global level. 

Rudra: François?

François: I'll answer it a bit differently as I won't contradict, uh, Ralf, but, uh, are the Indian union. Uh, you have sovereignty, you have a history, you have arrived. The European union is still under construction. Only a few years ago, the S  word for sovereignty was taboo and it was taboo not for protection, not because we want to avoid protections. It's because member States want to keep full sovereignty or to pretend that they do. In fact, it's shared, it's called competencies, but it's shared sovereignty. What we're seeing, and it has a lot to do with the way the world is going, uncertainties about how the US will move. There are issues as we know. Uh, they're, they're, they're competing with China, but they seem also to compete with everybody else, uh, including in the area of international organizations. Uh, so Europe is sort of gearing up and politicians are getting the public used to use the S word for Europe doesn't always mean what you would put into it. 

I agree with Ralf that a lot of it is just like India for the digital market. Knowing that in fact, where weak, where a huge market where we don't have big actors of platforms. Yes, the, the, the American firms came first and they have venture capital. They have a lot of advantages. They sometimes use a tax shelters elsewhere. The Chinese do too by the way. Alibaba and others are hosted in the Virgin islands. Uh, and strangely, uh, the Chinese communist party apparently accepted. So we are starting to react against that. There is a logic to have some of the tax revenue going to where the money is actually made. That's the semi European and now French, but also the discussion and there will OECD, there is discussion about policy innovation, there is discussion about financing. How come our best start-ups usually get both over, uh, sometimes with massive amount it's very satisfying to the founders but essentially they leave the EU in terms of capital. So there is a reaction against that but it's a positive action. Think of it as tooling and there are critical differences that exist, I'm sorry to say with the Indian position, particularly on data localization, uh, we really, I mean the, the existence of the EU is literally tied to the idea of free exchange within the EU and with the rest of the world and to resolution by low of our disputes. 

Rudra: So to come back and to pick on that point about localization. The argument in India at least amongst many is that there are four drivers of localization. One is the need to access data that is law enforcement argument is that it is extremely frustrating not to be able to access the data of Indian citizens and Indian residents from foreign or large, multi, multi multinational tech firms. The second argument is economic. There's a very strong sense that if we were able to bring the data home, we were able to create better AI, which ultimately will lead to better economic growth. The third argument is about geopolitical uncertainty. I want to pick on this for a second. The Indian position has been is the world today is a lot more than it was five years ago. The United States, which was the harbinger of multi-lateralism, has unplugged itself from a system that it created. Hence the view is if we're able to bring data home, if we are able to better regulate the data, which is what the privacy bill will do, we can hedge against these geopolitical risks. And the largest of the question of tax in itself, given these frameworks, given the fact that capital remains largely in the West capital remains in Japan scale remains in India. Just the way in which India is designed, its data design is structured, it will continue to work with the world. It is, doesn't seem to be going down the China model. Is there an opportunity for a new multilateral architecture which considers data privacy, data, trade, data access, something like a data 20, if you like, rather than the G20? François and then Ralf.

François: Unlike you, I tend to take a very simple engineering view when we talk about data sovereignty where men mainly talking about clouds, which means servers. Uh, if we think, if you think first in India that you are going to match the amount of investment, done buy those big companies. Uh, and in hot and polluted weather, I might, I might add, which adds to the difficulties. If I was to, to build, you know, a, a coalition of countries that would have a universal cloud and cloud servers, I would, so I would choose the Arctic circle, uh, council members, they'd might be the best place, uh, to implant servers for the world. So just from the practical point of view, I'm a bit sceptical. So of course if we're talking about critical data, national security data, and I think that's also what Mrs. Merkel, either way in Germany had in mind because there is a story to that of course, uh, about trust or the lack of trust. And we have the Snowden case, uh, but it's a limited aspect. And even that, by the way, costs a lot. I tend to think that we have to preserve what exists. We do have a shaky direction in the United States right now, but we also have a huge legal process to take care of issues as they arrive and, and a history. Uh, I don't think that's going to be broken very soon. What I'm afraid of when I look at the Indian temptation is that this becomes a self-fulfilling prophecy. In fact, you create the fragmented or you are critical because you are the, the swing country, the huge market that could go either way. 

Rudra: So you would still argue that the older tried and tested the robust frameworks that exist today. So whether that's the G20, whether that's the WTO, when it comes to trade disagreements with regards to data are the bodies of the future. 

François: It's gonna be a rough road. It's clearly going to be difficult, this administration in the U S and it might still be with the next one, uh, but I think it's more realistic, uh, than, uh, creating out of the blue, uh, with a set of countries who on top of that and not really at the top of the pile in terms of technical and financial capacity.

Rudra: Ralf Sauer? 

Ralf: And I would agree with that. I don't think that just a renaming it, uh, giving it a different name, I will, will, will solve the issue. I think, uh, it, we still, um, there's still the need and they will be the needs to find a multilateral, uh, solutions. Uh, I think we have, uh, institutions that, that have, uh, have suited as well over the, over the years, uh, in, in many areas. Uh, I agree that they are in, in sometimes in, in rough waters these days. Uh, that that has to do with the general climate and we have to work on that. We have to rebuild trust. We have to maybe reform some of these, uh, institutions. Uh, I think there is, for example, in the WTO, actually a discussion on, on, on, on improving strengthening the, the European union has, has made proposals in, in, in, in that regard, uh, for example, on the WTO panels, which are, which are so criticized by, uh, by the, uh, U S. um, so, so there are certainly ways to improve, um, but that discarding them, um, uh, in the hope that we would find a, I don't know, and you, and, and, and different, uh, solution. 

I also would have my doubts, uh, but I think we should, we need to work on is multilateral solutions also, like for example, the cybercrime convention that are tested, that are applied. And that can maybe further expand that. So that would be on, on, on, for example, law enforcement access where this could greatly help. And, and I don't think we should open up a new way of doing that. If we have an instrument, we should strengthen a enforcement cooperation across borders. I think that's also important and will create trust that can be between data protection authorities. That's can be between regulatory authorities. I think when the enforcers talked to each other, uh, very often what follows is also a certain alignment of, of the rules because these, these bodies can shape standards. Uh, they, they can exchange best practices, um, and, and they can be politicized issues. 

And I think that's something between which people should probably also think about. And when it comes to, to data protection regulation, uh, I mean I think we as a European Union certainly take the position that we should acknowledge certain, uh, a space for, for regulatory autonomy of, of each country. Uh, and at the same time, we believe that you can protect data and yet be open to a transfers, uh, by, by putting in place certain, certain transfer towards, uh, and, and that should the way forward should find a way to, to adapt to your data protection rules to your legal system, your cultural background, your, your societal news. But that doesn't mean that you have to close doors and keep the data at home. So, and then one can, one can on that basis see whether we develop also, uh, regional transfer tools, maybe global transfer towards such as contractual clauses or certification that could also help to bridge differences that will exist between a data protection system. 

Rudra: François, one way to build trust is through certification to administrative procedures to government, to government. You follow the share longer than most in this changing world where there is a particular ecological shift when it comes to geopolitics, how do we build digital trust? 

François: I think we do by asserting three factors. One is accountability of what States or governments do within each system. Uh, second, uh, we have an, an independent regulatory authorities, which are demonstratively independence and as Ralf suggests, they may not have the same rules in each case, but there is the factor of independence. That's what's missing in the one authoritarian model that we all have in front of our eyes, which is China; and three, there is a need to be open to data flows and to exchange, uh, and to redress in each other system if this is, uh, acquired. If this is given, I think we should have absolutely nothing. You know, I would, I would love engine platforms to create games for our kids, uh, and, and, and, and to be active in eCommerce and elsewhere. Uh, I would love Indian telcos to be more active outside India, uh, that they are, there's absolutely no problem with that. The problem is rules and accountability and the division, by the way, it goes inside Asia. I don't think you can think of Asia as a block in that sense. 

Rudra: François, Godement and Ralf Sauer, thank you so very much for being with us on Interpreting India. 


(outro) Thank you for listening to this episode of Interpreting India. A podcast presented every two weeks by Carnegie, India. I'm Srinath Raghavan. For more information about the podcast and the production team, you can follow us on social media and visit our webpage.