Emily Taylor
Good morning, good afternoon, good evening, and welcome to this Chatham House session, Data Without Borders. I should say that this session is on the record and will be recorded. This session is really focusing on, as the name suggests, Data Without Borders. The internet is defined by its borderless nature, and, for the first 20 years or so of its operation, the international consensus appeared to be to let the data flow, and to avoid over-regulating, if possible. Well, I think we can all agree that that trend is well and truly over and has been replaced by a new one where national and regional laws are often incompatible and having a real effect on the way that data flows. Both India and the UK are poised to make changes to the way that data is regulated. India has a new bill proposing personal data protection regulation and, of course, the UK, with its exit from the European Union, will be redefining its position in the world of data processing and data protection, and potentially, there’s scope for disruption of those dataflows.
I’m very pleased to welcome our three wonderful panellists today to kick off the conversation. After some introductory questions and answers with the panel, I would also like to open up the floor to you to ask your questions. Please, can you use the ‘Q&A’ function, which you will see at the bottom right-hand side, if you hover over the bottom bar in your Zoom client, so we – please, use that, and I hope to call on people, if they’re willing to take the microphone, when the time comes.
But let me first introduce our wonderful panellists. Aditi Agrawal is a Senior Correspondent at Forbes India. She is focusing on that intersection between law, technology, and society. She’s also been focusing on big tech, internet shutdowns, all of which are highly relevant for our debates today. In the past, she’s worked on editorial positions at MediaNama, Qrius, the Press Trust of India, and Hard News Magazine, and has also worked at Pan Macmillan. Welcome to you, Aditi.
Raman Jit Singh is the Asia Policy Director and Senior International Counsel at Access Now. He is a Lawyer by training, and is very active in the field of protecting the open internet and the rights of users at risk across the region. He’s assisted the legal team, in a recent Supreme Court case of India in the Shreya Singhal and Union of India judgment on internet free speech. Previous roles include at Google, and he’s also studied internet regulation, and contributed to the Sarai programme of the Centre of the Study for Developing Societies. Welcome to you, Raman.
And Ria Thomas is the Managing Director of Polynia Advisory, which focuses on advice to boards on cyber resilience, and she has a great deal of experience in responding to rapid response to live cyber crises. Prior to founding Polynia, Ria was a Partner and Global Co-Lead for Cybersecurity at the Brunswick Group, and she spent many years, as an official in the US Government, on international security issues. So, welcome to the three of you.
We recently were all participating in a simulation, which looked at, you know, the impact of regulation on international dataflows, particularly in the context to a rapid response to a cybersecurity issue, and we’ll come onto some of the lessons we learnt from that in the beginning. But, first of all, maybe we could just do a bit of scene-setting together, and think about why international dataflows are important, why it’s important to have no borders when it comes to data. Maybe I could start with you, Raman, thinking about, you know, does the international flow of data really threaten privacy, in your view? Is it something that is better managed locally or, you know, from your view as a privacy practitioner, what would you say was your view on the international flow of data? Thank you.
Raman Jit Singh Chima
Thank you so much for that, Emily. I was going to say that the reality is that international dataflows happen, right? The nature of the global open internet means that you are going to see data and services work across borders, and that has significant advantages, including for human rights as well, and it does also raise concerns. The approach that most of the people, in the data protection community often take, is actually to recognise that dataflows will happen and, therefore, you need to ensure that people’s data protection rights can apply, no matter where their data goes across the world. But that also puts a little bit of accountability on their government’s data protection authorities, where those have been created or others, to actually look at that. So it’s not to just assume that, yes, data’s going to go to X or Z jurisdiction. It is to take actual tangible action legally, legislatively, politically through bilateral trade and other regulatory measures to ensure that people’s rights are respected, no matter where data goes.
If you’re a UK national, wherever your data goes, that – the rights to you as a British citizen and under the human rights frameworks that the United Kingdom has signed apply. Similarly, for Indians, that Indians’ fundamentals right – the fundamental right to privacy that all Indians have, the Supreme Court has categorically upheld, and are involving data protection rights, which might be codified in a law passed by Parliament any time this year or next year, is clear on that.
But the [inaudible – 09:42] is that it’s very therefore important when you’re looking at this to recognise that you want to ensure these rights apply, and actual measures are taken, so if a country’s legal framework is not up to snuff, that there are consequences for that, and I think that’s a reality you see today. You can’t, just because data goes to another country, not force that country to comply in the – whether it’s the United States, whether it’s other countries. I’ve seen that the surveillance practices or other intrusive mechanisms that might be there in a particular country, have a bearing on that adequacy or dataflows there.
Emily Taylor
Thank you, so your perspective is that dataflows happen anyway, regardless, so you just need to make sure, as a privacy practitioner and advocate, that there are the protections that are needed, no matter where the data is flowing, in any particular point. Aditi, can I turn to you? You know, from your profession as a Journalist, can you just give me your perspective on why international dataflows are important, and why it’s important that those are not interrupted, whether by law or other issues?
Aditi Agrawal
Sure, thank you for having me here. I completely agree with Raman there that the nature of internet is such that you cannot damper the – tamp down on the flow of information that’s spread across borders. The borders that we have geographically are also made by humans, and it’s difficult to impose them on dataflows. Now, we are artificially trying to impose them because it’s a way for mainly authoritative regimes to control the flow of information. And, as a Journalist, that’s always going to be a bad idea because it does affect people’s free flow of information.
Right now, for instance, when it comes to the data localisation mandate in India, it extends only to financial data. But if the Personal Data Protection bill in its current form comes into effect, that will include 12 categories of sensitive personal data, plus any other category that the government deems fit to be localised, and then there’s also an undefined category of critical personal data. So it’s a slippery slope. Today, we could be talking about financial data, health data, biometric data. Tomorrow, it could be, oh, all news must be localised, or you cannot let a New York Times be – a New York Times website work in this country.
But I think it’s also necessary to understand where this argument around data sovereignty comes from. It comes from a real tangible fear that the data of people in the developing nations will be exploited by those in the West, primarily the United States, Western Europe, and, strangely enough, China as well, to capitalise – to derive profit, to derive monetary benefit and this is a reactionist measure against that. But this reaction is also overplayed because it doesn’t take into account how the internet actually works. So those are the things that we need to keep in mind.
And just as Raman said that we have adequacy requirements in practically every data protection law or bill across the world. The problem is who sets the standards for what is up to snuff? So, yes, any data protection regime must protect its citizens and citizens across the world from extrajudicial surveillance practices of any country. So, yes, Indian Government will be wary of, say, something like PRISM, which happened in the United States. The EU will be wary of that. But the question is what are the standards that need to be agreed to across the world? Because privacy is also not understood in the same manner across the world, and that’s where the problem arises. So we need…
Emily Taylor
Thank you.
Aditi Agrawal
…to acknowledge that.
Emily Taylor
Yeah, thank you, and I hope we will come on together to think about international standards, and how you would get to those, and how you would make them consistent. First of all, I would like to come to you, Ria Thomas of Polynia Advisory. I think the cybersecurity impact of, you know, blocks to dataflows is sometimes not so considered in these conversations, and, also, I’d like your perspective from business, in a way, because business tends to be very risk-averse. And so, if there are a set of regulations that impose the sort of restrictions that Aditi was describing on, you know, undefined categories of data that could be blocked, you know, business would tend to, kind of, recoil at that. So, could you just give me a few words about the importance for free flow of data, from your perspective, as a cybersecurity rapid response practitioner?
Ria Thomas
Sure, first of all, thank you very much, Emily, for this opportunity to join all of you in this discussion. I think we’re all in agreement that the international flow of data is critical, whether it’s to businesses or to the individuals that are relying on those services. The challenge of course is, in this race towards regulation that’s taking place, at least from my perspective, whether it’s at the national level or at the state level say, for example, in the US, or in even industry specific, it starts to create a very complex set of circumstances for which a company, whether it’s a multinational or even a much larger global firm, has to navigate. And that’s definitely apparent when you’re dealing with a large-scale cyber crisis that shuts down your operations in particular, because the reality is, there’s this threat that companies are facing is not just about data breaches and loss of data, but also, how they’re balancing that with a potential attack that disrupts their operations at the same time.
The reason I raise that is because, oftentimes, when policy is being created, at least this is my perspective on it, it tends to assume that the main concern that the company would have, in a moment of crisis, is with regards to compliance towards those regulations. The reality during a large-scale attack is that the company is being pulled in multiple different directions, because they have a lot of stakeholders. Yes, they have the national governments and the data protection authorities to whom they are responsible. At the same time, they are struggling to figure out what it is that they need to do in order to move forward with the obligations they have towards their customers, towards their partners, towards employees, and what it is that they need to be responding to, in terms of to the general public or to the media, and that becomes problematic.
And if I can just share one example, and perhaps that might highlight some of this, is in the case of one of my clients, you know, who was experiencing a situation wherein they were not only facing operational disruption, but a potential large-scale data loss at the same time, the challenge became that they were trying to figure out how they were going to make timely notifications to over 85 different jurisdictions. And that’s a small number compared to some of the large global corporations that operate.
Now, the challenge is, you are dealing with trying to figure out, if you haven’t done the mapping out fully, when it’s due, who it’s due to, what can you say, how do you say it, in what order, in what priority do you do it? At the same time, you are now delaying and appearing rather as if you’re obfuscating what’s going on with your other stakeholders because the reality was that Legal Counsel was not comfortable with a company coming out and saying more to other stakeholders like customers and partners and the media, until all of the relevant jurisdictions were notified. It takes time to do that, and that time is of the essence during a crisis.
So, sometimes I think it’s important, when we’re looking at the policy piece, to understand that reality is going to be a very different challenge than what may have been put into place. It’s compromise language ’cause, oftentimes, in regulation it’s compromise language that’s being created, and it creates a level of burden that might not be expected when the language was actually being created initially.
Emily Taylor
Thank you very much, and there’s lots to explore from what all three of you have started with, and I do want to come back to that. I just wanted a quick stop by the concept of data sovereignty. I think, Aditi, you mentioned that countries – and you characterise, as it’s often authoritarian-ish or countries that would be going towards this sort of thing, but also where it comes from, this idea of fear of exploitation either of monetary value of the data or else for political purposes. But maybe, Raman, I could just come to you for a very quick snapshot of how you would define data sovereignty, so that we’re all, sort of, familiar with the same terms, thank you.
Raman Jit Singh Chima
It can mean many different things for many people, but I think, in particular, in the context that we flag from states that are often authoritarian or turning towards a certain more authoritarian vent. It’s been the argument that, look, we have [audio cuts out – 18:47] that exists, that comes from our country, and we want to ensure that it is primarily linked perhaps within the same geography or kept within the same geography, a term also referred to as data localisation, but also asserting that a country has a particular sovereign interest in regulating data. And that’s why I think it’s a challenging concept because, in part, it does seem to link to the idea of data protection, but it seems less on the idea of fundamental rights and the fact that the state is exercising its stewardship or regulatory power to protect fundamental rights, but more from a sovereignty realpolitik or economic argument.
And that’s why I think, for example, India’s particularly complicated and confusing on this because it’s linked often, yes, to a national security demand, but we want access to data within our country to also economic demands that it benefits for local companies and others to have it here and not just, writ large, multinationals take data out of India. But it also goes towards this argument that, oh, the state can better protect people’s rights, if data is something that they can more directly assert power on. So, you could argue that it’s a very strong link to the regulation of data as an act of state assertive power rather than a more regulatory or fundamental rights-focused approach.
Emily Taylor
Thank you very much, Raman, and it’s quite attractive, isn’t it, Aditi? And you referred to this just now. It seems, kind of, logical to me that people would feel more comforted with the idea of their data being onshore and, therefore, you know, that it’s almost like you could wrap your arms around it physically, and you would feel safer because of that, and it can be quite difficult to explain to people why that isn’t the case. But why isn’t it the case that it’s more secure onshore than if it’s flowing freely, would you say? And maybe, Ria, you can come in on this as well.
Aditi Agrawal
Right, well, just as Raman said, at least in India, the debate around data localisation on data sovereignty has centred around the state exerting a monopoly over resources, which is why a refrain that we often hear in India, and it’s been argued over, is that data has been [inaudible – 20:55]. I personally don’t agree with that characterisation, but that’s a debate for another day. But I think the reason – there was this very famous incident or infamous incident in India where one bureaucrat said that “Oh, you don’t have to worry about the Aadhaar data,” Aadhaar is basically our national ID card, “because it’s protected by 15-feet-thick steel walls.” And everybody thought, “That’s not how data works. That’s not how cybersecurity works. What are you talking about?” So that idea that you can potentially embrace your data, physically embrace it if it’s located within your own country…
Emily Taylor
Yeah, like, wrap it in a vault almost, isn’t it?
Aditi Agrawal
Yes, exactly.
Emily Taylor
It’s, like, that, sort of, vault picture in your mind.
Aditi Agrawal
That’s because people tend to think of data as this physical, tangible good, whereas at – whereas it isn’t that. The value of data isn’t derived from you knowing ten things about me. It’s derived from you knowing ten things about me, ten things about Raman, ten things about Ria, and then setting these in a relation with each other, coming to certain conclusions, making certain predictions, so – and that is not a physical good that can be protected. That’s going to happen whether you have 15-feet-thick steel walls, or you have concrete barriers, what you may. So, I think that’s where people cannot imagine this intangible resource, good, however you may want to call it.
Emily Taylor
Yeah, thank you. It’s a, sort of, the response to these very vivid, visual analogies is quite complicated and quite difficult to grasp, isn’t it? It’s often that the truth is quite complicated and not quite as simple as we would like it to be. But, Ria, one of the things about data localisation, you know, its advocates say, well, it’s better for cybersecurity if the data is onshore. What would you, as a cybersecurity practitioner, as an expert, what would you respond to that?
Ria Thomas
So, I think perhaps “it depends” might be not the best answer, but…
Emily Taylor
You’re not allowed to say, “It depends.”
Ria Thomas
I know, I was hoping you’d let me get away with that. But, in reality, I mean, there, to me, there is a tension, inherent tension between the growing demand that I’ve seen culturally, at least in, say, I think this is more global than it’s just the West and the US, for example, is the customer’s recognition and their desire and their demand for privacy, that countries protect it, and, sorry, that companies protect it. But, at the same time, that there’s a tension between that and the demand that services be provided without interruption. “I want to make sure you protect my privacy, but I want to make sure that the efficiency of what you do does not disrupt my life, in some way, shape, or form.” And therein lies to me some of the conundrum about the challenges that are faced with pure data localisation because you will need – the reason it’s often not localised is because of the need for redundancy, the need for backup, the need that if X happens in this region or in this country, your data is not going to be lost, in terms of access to it, that would prevent you from achieving the services that you need. So, I think we do need to recognise that it’s not purely privacy in its own shell. It’s rather, what does data actually do, and why is it needed, in order to provide the services that are being required?
Emily Taylor
Thank you. Now, I want to open up the floor for questions in about seven or eight minutes, so that’s really a cue for our participants to fire up your questions in the ‘Q&A’. We’d really be grateful for that. Meanwhile, there’s two things that I’d like to cover with our panel before we go to the audience. One is, you know, I described how we’d all met together recently to do a simulate – to participate in a simulation of the impact on dataflows internationally of a cyber incident. Could I just ask each of you to highlight one thing that really came through for you, one big realisation or learning about the impact of national laws on international flows of data? And then I’d like us all to come on together about how we would go about regulating or getting towards something that was internationally compatible on dataflow. So, Aditi, can I start with you this time on, you know, the impact that, sort of, or what the simulation taught you on that?
Aditi Agrawal
I think one of the things, because I’m a Journalist, so I usually come to the situation after something has happened, it struck me, as Ria pointed out, that there’s so many stakeholders involved. So when a company is grappling with a potential data breach or a ransomware attack, it has too many stakeholders to answer to. It’s not just Journalists like me, but it’s also shareholders. It’s also users. It’s also liaising with the local government and then potentially with the other government. It’s also getting in touch with the data processors, other third-party service providers, understanding everything that is going on at the same time. And what also stood out for me, during the simulation, was that a number of us, at least from India, were from the civil society, Journalists, or activists. And when we were within that simulation, we were thinking like that company. And most of us forgot to even think about what would happen if that data in question actually got leaked? What are the harms that would arise from it? We were all focused on protecting the company and its interests, and mitigating the harms. And that struck me as rather odd that in my day-to-day life, I’m all about protecting people from harms arising out of data leakage, improper usage of data and, that day, I completely forgot about it.
Emily Taylor
It is amazing how context, even if it’s a temporary game context, really changes one’s attitude to things. Ria, can I turn to you next? What was your main reflection on national laws and their impact on dataflows?
Ria Thomas
So, I have a slightly different perspective than Aditi normally does as well, which is that I’m usually in the side of the company, if you will, trying to figure out how you balance all of these various stakeholders, and also seeing the frustrations with the conflicts between national laws. One thing that struck me was the, sort of, the unintended consequence of some of these national laws, which perhaps governments may not be thinking about, and perhaps they are, but – and that is what are the business decisions that are going to have a negative impact on the local businesses? So, what I mean by that is if you are, for example, a large global firm that has partners in your supply chain that are in a third country that has passed new regulation, which puts even more onerous burdens on what you need to do and, in that moment of crisis, would you or would you not turn towards that third party vendor, when you have other options in other jurisdictions?
So, sometimes, the extra burden might actually have an impact, in terms of the local stakeholders that a nation is trying to protect because a global firm might say, “You know what? This is way too complicated, and, in this moment of a crisis, I really need my resources to be focused on what my business needs, and I don’t need this extra headache right now.” So that might be an unintended consequence that, you know, may also need to be taken into consideration. How complicated is your regulation, in comparison to what already exists? What are the added burdens, and what are the decisions that are going to be made, based on those additional burdens?
Emily Taylor
Yeah, thank you very much, and before I come to you, Raman, I think I’ll just for the – those who weren’t involved in the simulation, what we were doing is, we had two groups, one in India, one in the UK, and we were pretending to be different supply chain partners. The Indian group were an outsourced complex data processing partner of a UK loans company. The UK loans company had suffered a cyberattack a bit like the Travelex attack that we saw at the beginning of last year. And one of the main objectives of the two teams was to work together to try to restore the business of the UK loans company, and partly that involved transferring data from the – from India to the UK, and that got us into all of the different complexities that Aditi talked about, that Raman’s talked about, about, you know, what are the different categories of data and so on? So, Raman, can I just come to you on what your main learning or what reflection, really, I think is probably more accurate about the impact of national laws on international dataflows that came out of the event, from your perspective?
Raman Jit Singh Chima
Thank you so much, Emily, and I had two reflections actually on the role of national laws. One is around the fact that you – there’s no getting around the existing data protection frameworks that are there in the embedded relationships, in which any state has to operate, even if it makes new laws, changes, or tries to even change its current relationship. And particularly for the UK, in the context of its exit from the European Union, it’s not exited the EU’s data protection framework by virtue of having to receive adequacy, being in the constant discussion and dialogue with data protection authorities. And that was the first piece that really struck me that, you know, you cannot, in a sense, not just Brexit on the intent, which is what I know some people sometimes say, but you can’t – it’s not a full Brexit from the data protection framework. You have to operate within that, not just with the EU’s institutions, but with the EU’s other trading partners and countries who are all invested in their adequacy relationships there. So that network of adequacy arrangements and an understanding of both previous judicial rulings, future regulatory judicial rulings is critical to any state. And that’s very important for UK policymakers to keep in mind, which I think is very much so, but for others also, interacting or transacting with UK-based companies, actors, or in a policy relationship with the United Kingdom.
The second thing that I took away was that this tension that sometimes exists between – I would name it is at that national security policymakers sometimes do things, which actually makes cybersecurity responses harder, and that was very telling to me, that the concern, for example, that entities might have in transacting with outsourced en – outsourcing firms or other cybersecurity providers in India, particularly around the Indian Government’s public statements about seeking access to encrypted dataflows, about surveillance powers to ensure interception of communications, introducing vulnerabilities in communication supply chains, actually has a cybersecurity impact, in that it makes it harder for the cybersecurity talent pool in India to quickly respond to global entities because they are generally worried. It’s not an academic concern. And I think particularly with the tearing up or, as you know, judicial striking down of the US/EU dataflows arrangement previously, people are aware that it’s not just a political conversation; it’s a judicial one that you can’t fully control. So, you try and avoid risk as much as possible, and what’s happened, therefore, is what some people in the Indian national security or cybersecurity environment have put in place, is actually undermining India’s ability to be a global cybersecurity provider or even to just quickly respond to cross-borders type of incidents.
Emily Taylor
Thank you very much, Raman, and I’m going to come back to the panel for the last ten minutes or so to really think about how we would improve on the current situation. What needs to be done? What positive actions need to be taken, in order to make sure that, you know, I’m very struck by Ria’s example of a real-life example where a client was having to consult about 85 different jurisdictions. How do you get, from where we are, to a much more unified and coherent form of governance of data? Is it even possible because there’s so much values wrapped up in this as well?
But before we go to that, I’ve got some great questions from participants. Vasuki Shastry has put something into the ‘Chat’, and I’d like to come to you if we can give Vasuki the microphone. We’ve also got Fernando Herrera, who has asked about some sources for data sovereignty. Maybe we can – and where are the main generators of this concept? We talked quite a bit about data sovereignty, so maybe we can just put something in the ‘Chat’ to respond to that. But, Vasuki, if you’ve got the microphone, maybe you could direct your question to the panel, thank you.
Vasuki Shastry
Yeah, thank you very much. I mean, my question really is, it’s a great conversation so far, but if you look at all of these issues, from a public perspective, you know, what serves the public interest best in countries, including India and the UK? And I think one can safely make the assumption that the public interest has not been served, in the last five years, when we’ve had this proliferation of social media platforms. You know, regulators have been asleep at the wheel, ceding too much power to technology companies, and the dynamic we are faced today really is, if governments have to act in the public interest, they have to be interventionists and regulation will be messy. There will be very little co-ordination, particularly if, you know, the global rules of the road are proving to be impossible on which to build some consensus. And so, you know, are we really trying to fix an unresolvable problem? And if we didn’t look at this from the public perspective, the solutions are quite clear. National sovereignty will trump everything else. And if you’ve got a group of countries who really are able to put together a sensible set of regulations, perhaps these could be scaled up on the global level.
Emily Taylor
Thank you very much.
Vasuki Shastry
So it’s a little bit of a challenge to the speakers.
Emily Taylor
Yeah, it’s a challenge well made, Vasuki, because, you know, it’s the – you’re bringing up the power of these global platforms, the fact that, in a way, the regulators have been on the backfoot, if you like, and are responding. Who would like to have the first go at this question? Ria, would you like to respond?
Raman Jit Singh Chima
I can try and do a quick response.
Emily Taylor
Oh, thank you, Raman, thank you.
Raman Jit Singh Chima
I’m sorry, I think I’m not so sure, but I’ll deliver this real quickly. I think it’s very important to recognise that you’re already seeing some of these international agreements happening, and that’s one thing that we often don’t notice, when we see the larger political conversations, which is very important, mind you. I’m not one of these policy people who say don’t ignore the politics on it because that’s significant. But if you see that, you already have international agreements, for example, around data protection and, to an extent, on comparative data frameworks. For example, you have Convention 108 of the Council of Europe, which is actually adopted by several non-Council of Europe states, and is actually often being looked at by several countries as something that is there that’s beyond the GDPR that can operate outside of Europe, and people are looking at that.
You see further agreement and discussion within the UN system on the right to privacy, as well as where data protection sometimes comes into that, again, evolving, but you have the right to privacy resolutions in the UN and elsewhere. And you’re also seeing separately in the cyber norms, although then, I won’t talk about too much there, increasing discussion around state cyber behaviour, as well as how can states co-operate with each other on exchange of vulnerabilities on cyber norms in that space. So you’re seeing that happen. I will agree that, ultimately, national legal frameworks will often take the lead, and that’s what’s happened, in a sense, with the GDPR and country implementations of that actually leading the world in a sense. But you are seeing those cross-border agreements, and multilateral, plurilateral settlements also happen.
Emily Taylor
Yeah, thank you very much, Raman and, you know, also mentioning the things like the Council of Europe instrument. But, I guess, at a higher level is the human – the international human rights framework itself, which, you know, the more one reflects on it, it almost could’ve been written to govern the internet in some ways, you know, whether it’s talking about the free – the importance of freedom of expression and the limitations on it, but also, the right to privacy. Aditi, and I want to weave in Howard Hudson’s question here, which is – it came up in your remarks, Raman, of it’s, sort of, the role that the UN could play in protecting our basic human data rights. So, in responding to Vasuki’s challenge about, well, doesn’t it fall to governments to stand up to the power of big data, and the exploitation that you alluded to, Aditi, but also, maybe reflect on whether the United Nations has a role to play in helping us get through, thank you.
Aditi Agrawal
So, I think, there has been some discussion about that already. I believe the Secretary-General came out with a UN roadmap to focus on the digital world. But the question is, how implementable are UN resolutions, and how many people are party to them? For instance, last year, during the G20, the then Japanese Prime Minister, Shinzo Abe, came out with this agreement called Data Free Flow with Trust, and three countries: India, South Africa, and Indonesia, did not sign that agreement, whereas the other 17 did. So, when it comes to formulating any kind of plurilateral, multilateral agreements, I think the so-called – I don’t agree with this characterization of the Global South, those interests have to be represented well. And when they aren’t then it, again, becomes the same old debate about whose interests are being served? So, even in the UN when we are talking about protecting basic human data rights, there has to be a conversation about rights from whose perspective and whom do they benefit because that’s where something, as Raman pointed out, the politics does matter. Politically, to gain brownie points with local populations, governments often go against plurilateral agreements just so that they can, as I said, gain brownie points with the local population in elections. So, how do we manage those interests?
Emily Taylor
Thank you very much. I’d like to call on Tangi Morgan, if I could, because you’ve asked a question directed at Ria about, you know, about communications, and maybe actually, Aditi can also come in on this as well, given your profession. Tangi, if you have the microphone, please, and sorry if I’ve pronounced your name wrong.
Tangy Morgan
Right, thank you, it’s Tangy, actually, no worries.
Emily Taylor
Sorry.
Tangy Morgan
But Ria – no worries. Ria brings up a really, really important point about the communication aspect, both, you know, internally and externally. And, you know, I would suggest that – I would say that this situation is further complicated by, you know, social media outlets and, you know, people wanting to try to get the information, you know, correctly. But, as you’ve indicated in your comment, you know, it’s very complicated, right, and there’s an expectation now, right, that you’re able to come out with all the facts and, you know, if you come out too early, and the facts prove to be slightly different, you’re criticised for that, or, if you wait too late – so you know where I’m going with this. I guess my basic question is, what guidance would you suggest for boards or governments, you know, given all of the other discussions that we’ve had? But, ultimately, there is a big piece for communication that I think many people forget about, and I was just wondering if you perhaps suggested scenarios and things of that nature, so, thank you.
Emily Taylor
Thank you very much, Tangy. Ria?
Ria Thomas
Thank you very much, Tangy, for that. Your words were speaking directly to my heart because this is something that I often see is that it takes a moment of crisis for companies to sit back and go, “What is it that we’re going to say?” And the reality is, in that moment, there’s very little that’s actually known that you can share. And people outside externally don’t necessarily understand that. But that doesn’t mean that your responsibility has somehow diminished, in terms of what is expected of you. And one of the key parts of this is something you actually alluded to as well, Tangy, which is how do you plan for some of it?
You can’t plan for the exact scenario that’s going to necessarily happen to you because, each time, it shifts a little bit. However, there are some core principles that, at the board level, it’s really important to consider, and I want to actually highlight what I mean by that. So, one can talk about what the board, and when I say ‘board’, I mean Board of Advisor – Board of Advisors or Board of Directors, and then the Executive Committee or the Executive Board. What they would really need to understand, even before an event, is not just what the cyber technical risks are that the company is facing, but what are the broader reputational, operational, legal implications to different types of cyber risks that they have, including the potential for a data loss? And then to be able to really plan out what is the perception that we want to have of us? And this depends on the industry. I found that when I worked with a tech company, for example, or technology-oriented companies, they tend to want to share more information as quickly as possible because the type of customers they have demand that as quickly as possible.
When you’re talking about, say, more traditional industries, perhaps, say, oil and gas or mining or certain other types of industries, they tend to be much more cautious about what it is that they want to say and when. So this will really depend on your corporate culture and the particular industry in which you operate. But it is important to have these discussions to say, “If we were to face a ransomware attack, if we were to face a significant data loss, if we were to face an insider, how does that actually play out across our organisation, in terms of what we need to say?” And, for me, that doesn’t come down to, for example, your Head of Communications having to have that responsibility. It comes down to an integrated response, as we’ve seen even in the simulation we did, with multiple stakeholders, from across the business, looking at the various issues, and coming up with a co-ordinated messaging, because each one puts you one step closer to a potential trust issue with your various stakeholders, and that is something that needs to be avoided to the extent one can.
Emily Taylor
Thank you very much, and to your point about, you know, tech companies being quite open, we saw that very vividly, didn’t we, towards the end of last year with the FireEye response on SolarWinds. A very, very detailed and immediate response, which arguably enabled a lot of other stakeholders to be more prepared or, at least, to make the right sort of investigations. I have a question from Robert Walters. I don’t know, Robert, if you can take the microphone, but you’ve asked a question about model laws. I don’t see you on this, so maybe I can ask the question on your behalf. Robert Walters asks, “Do we need a model law that goes beyond Convention 108? This would be a very good starting point.” Now, Raman, you mentioned Convention 108, so I’m going to pick on you for this one. But, Aditi, if you’d like to come onto that, please do as well. Raman, please go ahead.
Raman Jit Singh Chima
For sure, and I’m going to joke that I’m going to blame my colleagues, who work in data protection, who always emphasise that 108 exists and has been modernised, and I think that’s the important thing here. You can have other models, and I always welcome new initiatives and efforts. I think one challenge is that you can have as many model laws as you like, but having something that is there and that is incrementally built on is perhaps the best thing. So, I’ve actually been impressed a little bit by the Council of Europe’s approach to both the Budapest Convention, the Convention on Cybercrime, as well as 108 where they widened the pool of experts there. They’ve taken criticisms on board and updated them.
One thing I will note, and I know that’s a very significant reality, is that for several states, they will ultimately never sign an agreement that says it’s a Council of Europe document or that this was born in Europe, and we should engage with that. For example, the Indian Government has repeatedly indicated this, as its foreign policy position from the Ministry of External Affairs. They’ve said, “We’ll even create it that might be compatible, but we won’t sign.” And that is something we need to engage with them. Perhaps it may benefit other fora or things coming into the UN system as well. The only thing I’d flag is you don’t want new model laws to be a laundering process, where things are watered down or altered, in order to serve other interests, which is a very, you know, very clear reality of a lot of these policy conversations. There’s been a lot of discussion around the APEC Privacy Framework for that reason around how the corporate sector very actively engaged in it as a counter to the GDPR. So, we should just be alive to that, and know that governments also know that threat.
Emily Taylor
Thank you very much, Raman, and you raise a really important point about the, sort of, if you like, a not invented here type of approach to instruments that might well be valuable, but perhaps we can reflect on the ongoing UN processes that you referred to, the Open-Ended Working Group, for example, where even though the agenda is almost identical to a different UN process, that Open-Ended Working Group is a much more inclusive group, and maybe this might offer a pathway through.
I’ve got a very nice question here from Amrit Swali, which is – which they’ve asked me to read out on their behalf. “Going back to the Indian bill,” which we’ve mentioned, and we talked about, “what is the utility or feasibility of a privacy consent model in a country like India where there’s perhaps a lack of data awareness? What level of buy-in and understanding from the public is necessary to implement comprehensive and effective data regulations?” So, I think it’s fair to say, Raman and Aditi, that the Indian data protection proposed law relies very heavily on consent. Whereas in the European equivalent, there’s other aspects that can, you know, like legitimate purpose or, you know, fulfilment of contract, and so on. That’s a really nice – it’s forcing us to think about the level of awareness and the role of the individual in giving that consent. Are they really able to give an informed consent? Aditi, could you speak to that? And maybe Ria, you might like to come in from the perspec – more of an international perspective on this? Thank you. Please go ahead, Aditi.
Aditi Agrawal
Thank you, Emily. Thank you, Amrit. So, it’s a very valid question, and that’s something that the committee that came up with the bill, originally in 2018, also grappled with. That how do you make consent, informed consent in a country like India where most people perhaps are illiterate or do not really understand the implications of giving up their data so easily? So, here, that’s where the committee had also recommended visual cues, that it would be the onus of the data fiduciary that’s seeking consent to communicate it to the Data Principal, which is the user, that this is what will happen to your data. This is what your consent means and as far as – so, that’s one part of it.
I think the second part that you mentioned that the Indian bill relies quite heavily on consent, whereas in the GDPR, for instance, there are certain exceptions to it. Actually, the Indian bill also has a lot of consents – exceptions for processing data without consent. The problem there is that those aren’t to enable the industry or to enable processing for legislative ease, but to enable data collection by the government. So, for in – or – but there’s a one interesting part of the bill, which allows the government to process data of users, without consent when it is to offer a government service, which is an interesting caveat, given our history with our national identification document and everything. So, I don’t think that’s a problem that has been resolved in India. How do you make – how do you operationalise consent? But there has been a lot of work that has been done, in terms of raising awareness by two organisations in particular: Internet Freedom Foundation, as well as DEF, the Digital Empowerment Foundation. But we’re dealing with a country of 1.3 billion people, so it will take time.
Emily Taylor
Yes, indeed. Now, I’ve got two other questions from the audience, which I will hope to get to. But I just wanted to give ourselves a bit of time on, you know, how we solve all these problems that we’ve identified. You know, how do we get from, you know, let’s imagine we’re in a place in the future where we’ve all sorted international inconsistencies in – and data is flowing beautifully. What happened? Who did what? How did it work out? Ria, could I come to you to kick off that, sort of, mini conversation? So, we’re really thinking now for the final part of this conversation on solutions, what needs to happen, which stakeholders need to be activated, and how you would approach it, if you were in charge?
Ria Thomas
Sure, I think some of these questions are not going to be solved in the short-term or any time soon. Primarily, I think, also because of the inherent push-pull, if you will, between individual right to privacy and national sovereignty or national security or however one wants to define that – those two concepts. I think the challenge is that, you know, if that can’t be done until the longer-term, perhaps it’s a step-by-step process. And to the point that Raman had raised earlier as well, which is, you know, how can one work, whether it’s bilaterally or at the multilateral level, but it’s, say, at the regional level, to come up with certain concepts that could be potentially digestible, and would at least create some free flow of data, if you will, for certain regions, and even if you are a global firm, you have a sense of what that means. And I think some of it also is, you know, who bears the burden of deconflicting some of these laws in the meantime? So, what I mean by that is, as each new law comes into being, is there a responsibility on the part of that particular government to say – to protect the broader public interest and to protect the broader private sector interest which, in essence, is tied to the public interest because if there is great disruption on the private sector side, it’s ultimately going to disrupt the services that are being offered to the public.
In that case, you know, is there a need to review how it is at least at the allied level, the bilateral level, how, for example, the UK and the Indian laws could co-exist in a way that wouldn’t create additional burdens for UK or Indian companies? But I think these are concepts that are going to need to be thrashed out for a while to come. I just wanted to make a quick point on the last piece about consent, and I don’t think that’s a sol – an issue that’s solely a problem for India alone. To be frank, the fact that even with GDPR, even with all of these additional laws, the UK Data Protection bill, how much of it is actual consent? I mean, I think about every single one of us, who goes to every single website that might be, you know, rooted in Europe or even in the US, and clicking on all the “Yes, that I agree, I agree”. I don’t really know how many people are actually reading what they’re agreeing to. So, to my understanding, I’m not sure informed consent is actually being given, but there is a check-the-box mentality approach to how we give consent. So, I don’t think that’s unique to India itself.
Emily Taylor
Yeah, thanks for raising that and, you know, I think that many scholars would agree with you that the consent model which, unfortunately, is baked in at the highest level in, for example, the European Union’s foundational documents, that consent model might well be broken, and it might not be helping us. But can I come to you, Raman? How would you solve all of this? What needs to happen? If there was one thing that would just make things a bit better, what would it be?
Raman Jit Singh Chima
That’s an excellent question with a difficult answer to give in. What I’d probably note is, as I said, just recognise the realities of data pro – of certain frameworks existing, right, which is, for example, why at Access Now, we have focused a lot of our work on saying that there are dos and don’ts you can learn from the European Union’s GDPR process. So, you’re noting that the GDPR is not perfect by any stretch, but it exists. It’s also got great learnings on what to do and what not to do, and that countries could benefit from understanding that. And most like – more likely than not, any other future international data protection framework or conversation will be greatly influenced by that process, so that’s what we stress to people, and tell them to look at that.
But the other thing we often do, I would like to point out and emphasise, is to say the role of the public sector in this, both as creating these institutions, but also as data collectors, and being models themselves and, for example, in the Indian data protection conversation, that’s why even things like consent and others, if the government does it well, it’ll both be a model by itself, but it’ll also force the private sector to come and do that. And perhaps in countries where data protection frameworks are being created for the first time or being enacted for the first time, the role of the government and public sector more generally will be critical as being a model and influencing behaviour.
Emily Taylor
Thank you very much. Aditi, you know, Raman’s talked about the European data protection framework. You know, is the solution, and I know Raman didn’t say this, but one solution that maybe a European perspective would say is, like, well, why doesn’t everyone just adopt the GDPR? You know, why doesn’t Europe become the centre of policymaking and regulation of the internet, and everybody – and that’s the gold standard? So, at least, with all of its faults, to your point, Raman, at least we are all consistent in that. Why would or wouldn’t that work as a way forward, do you think?
Aditi Agrawal
I think for a lot of the issues that are raised, especially related to privacy, as I said, it’s quite contextual. So, having a one brush to paint every country with is going to be quite difficult. So, we will need specific approaches, for a number of the problems, for instance, access for law enforcement agencies. What works in Europe doesn’t work in India just because, culturally, the countries are very different. Historically, they’re different. I’m not saying one approach is better than the other. I’m not saying that.
So, what Raman has been saying all this while about having some kind of a federated approach to this, so you have some kind of a consensus at a regional level, then potentially, at a continent level, then at a global level. Then you, kind of, abstract those consensus – the level of consensus. For instance, at the Asia-Pacific level, you have the CBPR, Cross-Border Privacy Rules, and that’s something that practically every organisation that wrote into the committee that’s thinking about the Indian Data Protection bill said that “Well, why don’t we align ourselves with some semblance of consensus, some semblance of a consensus beyond India?” So, I think the idea would be to create smaller regions of consensus, and then maybe get to an aggregated form. So, I think I’ve basically said what Raman has been saying all this while, but in a different way.
Emily Taylor
And, Ria, in a way, so we have quite a high level of consensus is that, sort of, baby steps for – and also, to your point, taking – allowing for regional differences is, sort of, just working up from that bottom-up level regionally to see whether you can form consensus on key issues, key terminology, and start to build them up internationally. Just as a final thing on this, sort of, so what do we do, is where do you think the best regulatory thinking is occurring? I mean, it might not be with states. It might be in industry. It might be in civil society. So, where’s your go-to? I mean, Raman, you’ve mentioned Council of Europe is very useful and interesting. Does anybody else have any tips about, sort of, good examples of regulatory thinking in these difficult points?
Aditi Agrawal
So, whenever I’ve covered these things, I have actually found Ofcom and ICO’s comments on the issues quite useful, as well as the manner in which Ofcom and ICO conduct their public consultations. The transparent manner in which they happen, the deadlines, the manner in which they make everything public, I’ve found that very useful, from a reporting perspective, from just understanding these concepts.
Emily Taylor
Thank you. Ria, any places that are your go-to resources or where you always think, oh, yeah, they’re on it?
Ria Thomas
So, that is a bit difficult to answer, to be honest, because it’s dependent on the type of client, and what industry that they might be following, or what specific regionals – regions that they’re looking at. I think it is challenging. I’ve been speaking about global firms, but I’ve been thinking, in my head, about more medium to smaller-sized firms that are still operating internationally these days, and I’m thinking, for example, of, say, a tax accountancy firm that outsources to India. I’m not sure how those types of firms are actually paying closer attention to these types of bills that might be coming up, and I do wonder about where that level of awareness and engagement is taking place, because at the large global firm level, they have teams dedicated. They don’t need, say, me, for example, to help advise them on it. They have teams dedicated, with external Counsel, in all the regional markets. What about the smaller to mid-size firms, and perhaps that’s, you know, for civil society that comes in and helps inform it. But, practically speaking, I’m not sure this is being discussed very much at the next level down.
Emily Taylor
No, I think that’s an excellent point, Ria. Now, we’ve nearly run out of time and I’d just like to just cover off, at a very high level, some of the other issues that have been raised that we haven’t had the time to go to. Some speakers have suggested that trade agreements might be a good tool to fight data localisation and further fragmentation. Also, what role copyright has, and, you know, that you can’t copyright data but, you know, maybe there’s some, sort of, role for copyright. And another audience member has mentioned the importance of things like UNCITRAL as potential instruments that could help us in finding, you know, mechanisms that work across border.
But we’re nearly out of time now, and I would just like to thank our three wonderful speakers today for helping to guide us through the complexities of international dataflows, Raman Jit Singh of Access Now, Aditi Agrawal of Forbes India, and Ria Thomas of Polynia Advisory. The simulation on which we all collaborated will be written up in a paper that will be published shortly, so – and also, just thank you also in closing to the team at Chatham House, and to you as the audience for all of your questions and comments throughout this session. So, with that, I’m going to bring the session to a close, and thank you. I hope you have a good remainder of your day or evening, as the case may be. Thank you.
Ria Thomas
Thank you.