This post examines a report issued in March 2022 by the Atlantic Council entitled, “Trading in U.S.-India Data Flows: Prospects for Cooperation in U.S.-India Data Policy.” Noting the opportunity created by the reconvening of the U.S.-India Trade Policy Forum (TPF), this report urges the Biden administration and the Modi government to pursue cooperation on cross-border data flows.
Specifically, the Atlantic Council report recommends the U.S. and India convene bilateral dialogues focused on three near-term objectives: 1) law enforcement access to data; 2) definitions of, and exceptions to, data processing and localization requirements; and 3) cybersecurity of data.
Overview of U.S.-India Challenges and Opportunities Relevant to Cross-Border Data Flows
The Atlantic Council report acknowledges that the U.S. and India face numerous challenges related to cross-border data flows. One of the main issues centers around the proposed data localization requirements in India’s Personal Data Protection Bill (PDPB).
The Modi government and members of Parliament drafting India’s PDPB have supported imposing data localization requirements for numerous reasons – including bolstering domestic technology growth; developing a model of data governance for Global South countries; embracing the concept of data sovereignty; and ensuring law enforcement access to data.
The U.S. administrations of both Biden and Trump, as well as tech companies, have advocated against these proposed data localization requirements in India which would subject data of Indian citizens to various local storage rules and place restrictions on transfers of data outside India.
Despite these challenges, the U.S. and India released a joint statement after the November 2021 TPF meeting stating that they would “deepen bilateral engagement to promote the digital economy, and to explore the adoption of joint principles that ensure that the internet remains open for free exchange of ideas, goods, and services.”
Recommendations for U.S.-India Dialogues Focused on Near-Term Objectives Related to Cross-Border Data Flows
The Atlantic Council report recommends that the U.S. and India convene bilateral dialogues where officials from both countries can focus their efforts on near-term objectives related to key challenges to cross-border data flows. According to the report, the topics for discussion should include:
- Law enforcement access to data. In the near term, the report suggests that the proposed bilateral dialogues address two of the main tensions in current Indian MLAT requests to the U.S.: the standardization of the requests themselves and the staff needed to process these requests. With regard to standardization, one approach would be for the Indian government to create a uniform method for authoring and filing requests. As to staffing, investing more resources for handling these MLAT requests – particularly on the part of the U.S. government – would help streamline the responses to these requests. The combined impact of these two improvements could potentially lessen Indian law enforcement’s support for data localization. The report also acknowledges that the establishment of an executive agreement between the U.S. and India under the U.S. CLOUD Act could be a long-term solution to help address concerns with MLAT data requests – allowing Indian law enforcement to make requests directly to U.S.-based tech companies. The report recognizes that India does not appear to be at the topic of the U.S. Department of Justice (DOJ) list for a CLOUD Act agreement and that drafting an executive agreement would likely take significant time to negotiation.
- Definitions of and exceptions to data processing and localization requirements. In the near term, the report suggests that specific areas of focus in the discussions between the U.S. and India should include advocating for the inclusion of definitions for key terms in the PDPB and recommending appropriate exceptions to the bill’s data processing and localization requirements. As an example, the bill does not define “critical personal data” but does place specific data localization requirements on this category of data. The bill also lacks specific exceptions to the requirements for data processing and localization, such as for healthcare data analysis and scientific research. According to the report, the PDPB’s current approach to data processing and localization requirements creates uncertainty for Indian regulators responsible for enforcing data protection requirements; for U.S. policymakers working on cross-border data issues with India; and for companies attempting to determine how to comply with the requirements contained in the bill.
- Cybersecurity of data. In the near term, the report suggests that bilateral discussions should examine the impacts of India’s proposed cross-border data policies, particularly data localization, on cybersecurity and explore what responses would be appropriate to address these cybersecurity issues. For example, one concern mentioned in the report is that data localization could prevent information sharing between India and other countries, such as the U.S., regarding cyber threats. Noting that both India and the U.S. want to ensure that data stored on Indian citizens and data stored in India are protected from bad actors such as cybercriminals and hackers, the report encourages bilateral discussions of approaches to ensure strong cybersecurity practices and to safeguard individuals’ privacy, competitiveness of businesses, and national security.
The Atlantic Council report concludes by urging both countries to renew their efforts to address the challenging issues in U.S.-India cross-border data flows.
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.