We have often heard of sovereignty in the context of nation state, as the authority of a State to govern itself. If we dwell more on the concept, in terms of International law and the relation between States, it lends States with the freedom to handle their own internal affairs and restricts them from controlling those of another.
Before the inception of Constitutional democracies, International law construed sovereignty as an absolute concept wherein the State had the absolute freedom to adjudicate and unlimited power to decide upon any issue. However, with the advent of Constitutionalism and the framing of the United Nations Charter, the concept of absolute sovereignty diluted and gave way to the theory of relative sovereignty. However, with the rise of technology, a new concept called ‘data sovereignty’ has emerged in India’s technology policy discourse.
The way governments apply this notion is to mention that since the State has sovereign rights, it should decide where the data is stored and processed. The logic applied here states that since India has sovereignty over its data, data must be stored within its territorial boundaries.
‘Data Sovereignty’ Must Flow Through The Constitution
As per the Lockean Social Contract, which is considered the foundation of the modern State, people have vested limited rights in the Sovereign to build a civil society and to punish those who violate the norms of this society. In India, the Constitution is the guiding document, the social contract, which reads that ‘We the people of India …. adopt, enact and give to ourselves this Constitution’. In S.R. Bommai v. Union of India the Supreme Court reiterated that the people are the ultimate sovereign in India and all power belongs primarily to the people.
As per the Apex Court, State institutions are sovereign in the ambit of the fields given to them. The powers of the State institutions are subject to Constitutional limitations and Constitutional amendments itself is subject to the Basic Structure doctrine. Both, the International law and the Supreme Court recognise people as sovereign entities.
The Puttaswamy judgement held that the citizens have a fundamental right to privacy and are the owners of their data. Not all rights were vested to the State, the fundamental rights were never given up. Citizens thus have a fundamental right over their data. Now, this fundamental right can be reasonably restricted by the State but only in exceptional circumstances envisaged in the Constitution and not as a norm. The ‘right’ is the ‘norm’, and people are the owners of the data, the ‘restriction’ is just an ‘exception’.
As sovereignty in modern democracies came to mean that the power truly lies with the people as opposed to the authority, then, wouldn’t the ideal interpretation of data sovereignty imply the enhancing an individual’s control and privacy over their data and access to data? The true realisation of data sovereignty would be when individuals’ privacy is protected.
The Constitution of India is the governing document of defining India as a republic which has sovereignty over its territory and people, and therefore the right to govern the state of India flows from the Constitution. Just like territorial sovereignty flows from the Constitution of India, so should data sovereignty, which is, the right of ownership of data vested in the individual.
How Recent Policy Proposals Stifle Individual’s Ownership Of Data
Today, data sovereignty has largely come to mean achieving the objective of data being treated as a sovereign asset. In a bid to retain control over data, governments often turn to localisation or data residency mandates. However, the creation of data silos on the basis of national borders will only hamper the ability of local, Indian businesses and governments from tapping into the full potential of data. At present, globally such an approach is considered to be set back for economic growth.
India’s data governance laws over the last year have challenged the notion of a citizen’s fundamental right to data ownership, thereby restricting people’s rights over their data. The Personal Data Protection Bill, 2019 under Clause 35, exempts government from seeking consent of citizens for accessing their data for national security purpose, which erodes the rights guaranteed to the citizen under the Constitution and also weakens her ownership of the same, thereby reducing the fundamental right of the citizen, who is the ultimate sovereign, to control how her data should be processed.
Moreover, mandating broad localisation measures with an attempt to process and store locally also erodes the freedom of citizens of having a choice, that is, to take a call on how her data should be processed. If data sovereignty is about restricting data flows, then are we arguing that the state should restrict the flow of people across borders to protect national sovereignty?
The deployment of broad localisation norms through the personal data protection framework is rather misplaced, as it merely facilitates further the transfer of rights from foreign entities to Indian entities, rather than increasing protection available to citizens.
Data by its nature is fluid, it is constantly flowing, through various hands across borders. The nature of the internet is such that data must flow to generate the maximum commercial output for industry and startups based out of the home state.
Realising ‘Data Sovereignty’ In Light Of Privacy And Individual’s Right Of Ownership
It is time that the Government begins to view the concept of data sovereignty in a new light, as one of handing more control to individuals over their data and their data rights. By providing citizens with state of the art protections in terms of cybersecurity and a robust personal data protection framework, one could facilitate the flow of this ‘sovereignty’ through individuals. Wherein people are more empowered with respect to their data rights and are protected from exploitation, be it from private entities or state interests.
If India truly intends to protect itself from data colonisation, the first step in any revolution, would be to empower the people – in this context this may be achieved through empowering a citizen to have more control over their data. The first step in this direction, would ideally be for the proposed data protection framework to deliver upon the right to informational privacy as envisioned in the Puttaswamy judgement that truly seeks to empower an individual while addressing legitimate state interests with relevant checks and balances.
The Government must also acknowledge that an Indian citizen is as much a citizen of the world in today’s global economy. By employing restrictions on cross-border data flows these individuals are being deprived from the benefits that can be reaped from the free-flow of data, in terms of economic growth, competition and innovation.
India at present is at an opportune junction where it has the freedom to create a data protection framework from scratch. It has the privilege to learn from pre-existing models and work to create a framework that empowers and protects its citizens, while at the same time facilitates international cooperation and trade.
[The article was co-authored by Kazim Rizvi and Shefali Mehta, strategic coordinator and research management, The Dialogue]