This essay is part of a series that highlights the main takeaways from discussions that took place at Carnegie India’s eighth Global Technology Summit, co-hosted with the Ministry of External Affairs, Government of India.
Introduction
Data regulation has remained an important topic of discussion globally. In the past decade or so, many countries, especially in the Global South, have enacted data protection legislation. In August last year, the Indian Parliament also passed the Digital Personal Data Protection Act, 2023, after more than five years of deliberations. Data protection regulation was also a prominent topic of discussion at the 2023 edition of the Global Technology Summit (GTS) held in New Delhi.
The perspectives of developing countries on data protection regulation, especially its design and implementation, took center stage at the summit. The discussions proposed regionally harmonized governance frameworks as the way forward for these countries and suggested a techno-legal approach as the way to achieve harmonization. This essay encapsulates these deliberations and offers insights based on them.
Challenges in the Global South
Countries in the Global South face some unique challenges as they work toward building regulatory frameworks for privacy and data protection.
First, the lack of awareness regarding privacy issues, coupled with the perception of regulatory authorities as pro-government bodies, creates a trust deficit. Second, economic growth in a digital world requires greater data flows across jurisdictions. This complicates data regulation by pitting economic imperatives against national security concerns. Third, even when data protection legislation is in place, data protection authorities (DPAs) face hurdles in enforcement because laws often have extraterritorial implications, while DPAs operate with limited resources and capabilities. Therefore, these countries must adopt a distinct approach to data protection regulation compared to that of the Global North.
To begin with, the objective of data protection legislation in the Global South is not limited to regulation; it also involves building a culture of awareness around privacy and data protection. Doing so will ensure better compliance with international regulations. The process adopted by the Brazilian DPA provides a good example. While its national data protection legislation came into effect in August 2020, Brazil’s DPA provided for a grace period of twelve months before enforcement began to allow familiarization with the legislation.
Second, policymakers in the Global South must consider a mix of different regulatory strategies, ranging from stringent regulations like high penalties to light-touch regulation. This will encourage cooperative behavior between regulators and businesses and encourage innovation. A point of concern that emerges from the variations in data protection legislation in developing countries is the high cost of compliance for businesses across different jurisdictions. The difference in regulations may discourage businesses from expanding their operations and services in these countries, which otherwise offer large digital markets. The harmonization of regulatory frameworks between the countries of the Global South can be useful in this context.
However, the proposal faces significant headwinds:
- It is necessary to establish a common and consensual understanding of underlying concepts and definitions. This is hard to build, as countries often seek to balance national imperatives with standard data regulation protections in their domestic legislation. It is also important to encourage cooperative relationships between DPAs while implementing regulations.
- Due attention must also be given to building domestic interagency cooperation to avoid fragmentation of the regulatory landscape. This is a prerequisite for cross-border harmonization.
- For any benefits from the reduced costs of compliance that harmonization may bring, governments and DPAs will have to be mindful of national security concerns.
How then can such harmonization be achieved?
The “Techno-Legal” Approach
Experts at the GTS argued that India’s digital public infrastructure (DPI) journey offers an alternative way of conceptualizing data governance and offers the Global South an opportunity to harmonize legal friction points. In this “techno-legal” approach, as some experts call it, every innovation cycle will already have regulatory guardrails in place by design of the system. This will facilitate cross-border flows by creating a simple and efficient pathway for personal data sharing that is secured by encoded regulation.
In contrast to existing models of data governance that struggle to promote innovation, the techno-legal approach fosters innovation by embedding regulation into the code of an application. This eliminates the need for regulation to play catch-up with technological innovation. Further, given that this architecture embeds normative principles within the applications, citizens would find it easier to place their trust in it, as in the case of India’s DPIs.
The replication of this approach across the globe would require creating multi-stakeholder alliances. Such alliances would need to focus on three issues:
- Building trust in the digital solution as well as the regulations coded within it. This trust can be built through the creation of international technical standards that ensure the minimization of data breaches. It can also be done organically—as more countries adopt this approach, it will engender increasing levels of confidence.
- Devising a common lexicon to explain and understand the techno-legal approach.
- Aligning the language and the actual digital architecture to a set of normative values that all stakeholders are in agreement with.
It should also be noted that the United States and the European Union have approached data regulation with different normative considerations. These include essential differences in the role of the state, the role of markets in innovation, and variations in seeking a balance between privacy and innovation. To that extent, any approach that attempts to build a techno-legal framework will have to account for basic normative considerations in different countries in the Global South.
Policy Takeaways
As countries in the Global South seek to build alternative approaches to data governance, these policy takeaways must inform further deliberations. First, data protection regulation is as much a question of harmonizing normative and legal frameworks as it is of building national capabilities within and outside of institutions like the DPA. Associations, academics, and practitioners must develop and disseminate information about the benefits and costs of data privacy and help regulatory agencies balance privacy protection with innovation.
Second, India’s development of DPIs and the accompanying techno-legal approach is a useful model for consideration. However, the governance frameworks and the space given for market competition will be critical for the long-term sustainability of any digital infrastructure.
Third, any techno-legal framework must be sensitive to changes not just in technology but also in norms and regulations. This may be a challenge especially when building infrastructure at scale, where changes in law will require changes in code, and the scope and scale of the infrastructure may make this difficult to implement. While there are no clear answers to these issues yet, multi-stakeholder discussions must continue in order to help frame important questions for the consideration of policymakers and practitioners.