Big Tech vs News Publishers: A Rights-Based Perspective

Angelina Dash

As news consumption shifts online, a codependent relationship has developed between news publishers and Big Tech giants like Google and Meta. This move is accompanied by many users relying on online platforms like Facebook for news. As a result, Big Tech acts as an intermediary to generate traffic for news websites, while taking a portion of ad revenue in exchange. The problem arises when Google allegedly takes on a higher percentage of ad revenue generated (the extent of which is uncertain due to an opaque adtech ecosystem). A common response to this has been to mandate ad revenue sharing between Big Tech giants and news publishers. The most recent instance is the Canadian Online News Act (“the law”), which requires Big Tech giants to pay news publishers for news content published on their platforms. Here’s why this may not be the best solution. 

The Canadian Tussle

Google has recently been in the news for pulling its Google News service from Canada in response to the law. Prior to this law, several news publishers had filed lawsuits against Google on multiple grounds. These grounds included Google’s monopoly in the adtech sector and the ad revenue gap arising out of this monopoly. Additionally, copyright concerns arose over the use of snippets of text from the linked article within the search results, due to which news publishers lost traffic to their websites. 

Consequently, the law was enacted in Canada. Off-late, this has been a common thread across countries, with similar iterations in Australia and France. It is currently being considered in India as well. 

What are the implications of this?

The primary issue that arises is free speech being hindered by the law itself. The Canadian law lays down a bargaining process for tech giants and news publishers to arrive at a fair revenue sharing model. However, such a negotiation would be riddled by power imbalance in a scenario where an unsatisfied tech giant may simply threaten to pull its services from the country. Such negotiations would result in smaller publishers with asymmetrical bargaining power scrambling to secure a deal regardless of how equitable it is. Additionally, tech giants may prefer deals with established publishing houses that have better funding or stronger political affiliations. Since such preferential treatment may lead to skewed news reporting, the law essentially makes tech giants the final arbiter not only of which news publisher, but also of what news is worthy of being heard. 

The Canadian law aims to bridge this gap through non-discrimination provisions, as well as mediation and arbitration as a backstop. However, a lack of transparency impedes the efficacy of these provisions. The law protects against disclosure of confidential information. This does not make the entire negotiation opaque by default. However, parties have the liberty to designate certain aspects of the negotiation as confidential information which would not be disclosed to the public, including other news publishers. This makes it virtually impossible for other news publishers to establish whether discrimination or preferential treatment has taken place when they themselves enter the bargaining process. 

Moreover, the informational diversity and free speech restricted through the provisions of such laws are further limited when tech giants retaliate and “pull their services” from the country. What this effectively means is that when a user looks for a news item through the search engine or within a platform, they will only be shown links from other countries’ news websites and not from Canada. The only way they can access Canadian news sites is if they type the URL directly, or access the pages through the news publisher’s website, app, or online subscriptions.

Tech giants pulling their services from a country not only impacts the users’ right to know but is also detrimental for news publishers themselves. This was the case in Germany, where a German publisher pulled its content from Google News services but had to rejoin due to a reduction in traffic generation. Moreover, fewer people today are willing to pay for online subscriptions, sounding the death knell for smaller news publishers who rely extensively on subscriptions for funding. 

What does this mean for India? 

A hot button issue like ad-revenue sharing is also being considered under the broader framework of the upcoming Digital India Bill. This is in the run up to the pleas filed with the Competition Commission of India (“CCI”) against Google by the Digital News Publishers Association and others, on grounds of ad market monopoly, inadequate remuneration, along with a failure to disclose ad revenue data and the basis for deciding the quantum of revenue distribution. This has resulted in the CCI ordering a probe into the matter. Additionally, the Australian MP, Paul Fletcher, recently lauded the Australian model, confident that such a model would be equally, if not more successful in the Indian market. This is because the size of the Indian population would give the Indian market better bargaining power while negotiating with tech giants. 

In the event of the enactment of such a law, and of Google then retaliating and pulling its services out of the country, what this means for India is that free speech would similarly be hindered, and curbing misinformation would be virtually impossible. Not only does this impede the accessibility of private, non-partisan fact-checkers, but also, even in a scenario where the Press Information Bureau remains the official fact-checker, people will simply have fewer avenues to explore the veracity of the news they receive. This is especially significant in the backdrop of the 2024 general elections in India. For a country dealing with voter misinformation challenges, access to local news which is equal parts trustworthy, linguistically accessible, and accurate, becomes imperative to uphold democracy. 

Even if the above scenario is avoided by ensuring that tech giants continue their services in India through bargaining and negotiating “equitable” deals, what will inevitably occur is what has already ensued elsewhere – the same backroom lobbying and smaller news publishers in jeopardy– unless adequate legislative and policy safeguards are put in place. 

A Way Forward

Google itself has come out with measures like the Google News Initiative grants and Google News Showcase partnerships that assist news publishers in growing ad revenue and fighting misinformation. However, these only perpetuate many of the pre-existing gaps, including confidentiality of terms of the agreement. 

At this juncture, in the absence of definitive solutions, there are certain standards that India must adhere to while resolving the tussle between Big Tech and news publishers. These standards include transparency, sustainability, free speech, equity in compensation, informational diversity, and upholding the interests of smaller publishers. These were some of the goals behind a law envisioned by New Zealand. Collective bargaining is also a viable option, with open communication allowing several news publishers to jointly leverage better deals with tech giants. 

Any such law, if enacted in India, must ensure transparency is embedded into the law in a manner similar to the Digital Services Act and the Digital Markets Act. Particularly, in terms of accountability for the adtech sector and revenue distribution data, as well as in terms of commercial negotiations between news publishers and tech giants. Such a disclosure mechanism could look like legislation mandating some form of transparency output which is made publicly available post the bargaining process. This could include agreed upon metrics comprising broader terms of the negotiation process and division of percentages of revenue sharing where possible. Timelines can also be mutually decided upon between regulators, news publishers and online platforms to ensure these outputs are disclosed on a regular basis, whether annually or semi-annually. Some of these aspects of transparency have been covered by the Canadian law. 

Undoubtedly, any such law will need to be contextualised to the Indian backdrop, with emphasis on the dual rights of the freedom of speech of news outlets and the readers’ right to know and receive information. It must also provide clarity on what encompasses the term “news publisher”, because the broad ambit of the term could result in individual content creators being negatively impacted. The law on fair and equitable compensation to news publishers in the digital ecosystem is still at a nascent stage globally. As India envisages its own variant of such a law, lessons in what to do and, more importantly, what not to do, must both be learnt from Canada and other jurisdictions.

Decoding the Karnataka High Court Ruling: Blocking Accounts vs Tweets

Archit Lohani

The Karnataka High Court recently dismissed Twitter’s challenge to several blocking orders issued by the Ministry of Electronics and Information Technology (MeitY). In its writ petition, Twitter raised two primary concerns: (i) Does MeitY have the power to block entire Twitter accounts rather than specific tweets; and (ii) Can MeitY bypass certain procedural safeguards to block illegal content? The court dismissed Twitter’s petition, imposing exemplary costs for wasting the court’s time and non-compliance with MeitY’s orders, considering it speculative litigation. This determination holds immense significance for the content blocking framework as it expands the government’s powers and limits users’ due process rights. This post will analyse the first aspect of the court’s order and outline the key developments in the blocking framework and its jurisprudence. Afterward, it will comment on the order’s implications for social media governance.

Expansion of Government’s Power to Block Entire Accounts

Throughout this case, Twitter argued that the blocking framework, under Section 69A of the Information Technology Act and the Rules, framed thereunder, only granted the government limited power to block existing information. Twitter contended that extending the government’s power to block entire accounts limited users’ ability to post information in the future, leading to prior restraint as even future innocuous tweets would be censored.

The court dismissed this argument using a three-pronged approach: it held that “the text, context and expanse of this provision give abundant scope for the argument that there is a lurking norm enacted to avert imminent harm to the societal interest at large” (page 61). This means that the public interest and MeitY’s power to block outweigh the right of certain users to express and access their accounts in the future.

• Text of Section 69A

Twitter and MeitY debated whether the court should employ literal or purposive interpretation while analysing the extent of powers outlined in the language of Section 69A. Twitter submitted that the power to block any ‘information’ is ex post facto, implying that the information is pre-existing. However, the court agreed with the government that there are no restrictive elements within the language of this provision, and purposive interpretation effectuates “the spirit and larger intent of the Parliament.”

• Context

The court also outlined various factors that must be considered when evaluating the government’s power to block accounts. These factors include: (a) the rise of new forms of crimes through electronic devices, which prompted an amendment to include Section 69A within the IT Act; (b) rapid developments in the technology sector; (c) the potential virality of tweets and their audiovisual impact; (d) emerging blocking frameworks in other countries such as the United States, England and Australia; and (e) the blocked content’s “propensity to incite anti-national feelings.”

• Expanse

Finally, the court outlined the nature of government blocking powers, suggesting that Section 69A aims to avert societal harm. Therefore, the blocking power is not only punitive and curative but also preventive. For this aspect of the judgement, the court relied on the severity of the punishment prescribed within the provision (up to 7 years of imprisonment and fine). The court concluded that blocking individual tweets might encourage the originator to adopt a ‘better luck next time’ approach. Instead, blocking the entire account can serve as “a deterrent effect and thus subserve the objective of the Statute.”

Gaps in the Court’s Analysis :

The court, for the reasons outlined above, decided that Twitter’s literal interpretation of Section 69A is incorrect. It stressed that the dynamic nature of the IT Act necessitates a purposive interpretation to capture the true intentions of the legislature.

With respect, the Court’s analysis suffers from the following gaps:

1. The court’s justification through the text, context and expanse of Section 69A does not satisfy the primary rule of construction, “the intention of the legislature must be found in the words used by the legislature itself.” Parliament failed to expressly state any intent to  block entire accounts. Therefore, the Court has incorrectly interpreted the intent behind Section 69A.
2. The court agreed  that some originators and their “highly objectionable tweets had a great propensity to incite anti-national feelings.” By accepting the respondent’s claim, the court establishes a new norm for blocking content that is neither a part of Section 69A or the mandate of the blocking rules.
3. ‘Essential legislative functions’ cannot be delegated to the executive branch. The legislature is empowered to determine the policy for blocking content. It did so through Section 69A which employs “restrictive language since free speech concerns are inherent to blocking.” (Page 37) The court recognised that the power vested with the government to block content is carefully circumscribed to reduce discretion. Nonetheless, it upheld the government’s expansive determination of legislative’s policy objectives beyond the confines of Section 69A to enable blocking of entire accounts. Therefore, the court incorrectly allowed the executive to expand its mandate to block accounts, which is a substantive policy function.
4. Blocking entire accounts restricts the ability of users to post in the future, which the court agrees is an ‘extreme measure’ as future tweets might be innocuous. Furthermore, Twitter accounts are repositories of information, and blocking them restricts other users’ ability to access legally permissible existing information. The order does not provide any guidelines on how the government’s should exercise the account blocking power in the future. For example, in a copyright infringement case, the Delhi High Court espoused certain factors to determine whether the blocking of entire websites is warranted, as opposed to specific web pages of the website. The guidelines included determination of dominant activity of the website, availability of less restrictive measures, efficacy of blocking etc. Additionally, account-level blocking orders have previously been issued against Members of Parliament, activists and journalists for criticising the government. Therefore, the court must balance the competing interests of the state and users by laying down factors to consider before issuing account level blocking orders.
5. The court’s purposive interpretation cannot place users at a disadvantage. The government’s account blocking power must be balanced against the user’s ability to exercise their procedural rights. Furthermore, the safeguards under the Blocking Rules are content specific and necessitate that the contested content is pre-existing. For example, under Rule 7, the examination of a blocking request must be done with a printed sample of the content in question.  Therefore, the court failed to place a higher threshold to exercise this power in the future and balance the procedural safeguards to protect users’ against its misuse.
6. As per Supreme Court precedent, prior restraint is only permitted in cases where exceptional circumstances exist, the restraint is temporary, the expression will lead to clear and imminent danger, and reasonable alternative methods have failed. However, the Court did not place any limitations on the government’s prior restraint power to block accounts.
7. National security concerns do not exempt the State from acting fairly and providing reasons for their actions. The proportionality standard established in the Puttaswamy case and subsequently reaffirmed by the Supreme Court must be satisfied in order to justify restrictions on user rights. Blocking entire user accounts is considered an “extreme measure” that undermines the principles of natural justice of affected users. In addition, the Supreme Court, in the MediaOne case, emphasised that the involvement of national security issues does not absolve the State from its duty to act fairly. If the State fails to fulfil its duty, it must provide justifications to the court based on the specific circumstances of the case. Therefore, the court should have evaluated the blocking of accounts against the four-pronged proportionality standard to demonstrate that such action is reasonable and necessary. However, the court fails to provide reasons for blocking individual accounts or to address the proportionality standard in detail. To uphold the legality of government’s orders, the court should have elaborated on the following aspects of the standard:

Firstly, the court does not delve into the reasons why the government’s action to stop incitement of anti-national feelings is a legitimate aim, especially, in a case where the contentious material is already in public domain (here and here), thereby diluting the claim that such information would prejudice national security. Secondly, the restriction of accounts does not limit the sharing of content already available in public domain and the ability of users to create more accounts for similar purposes. Thirdly, the court order fails to analyse- why blocking entire accounts is necessary and how this action meets the least restrictive standard. Additionally, the court fails to evaluate the efficacy of other technical measures that are less restrictive alternatives, such as takedown of specific tweets, issuing warning, flagging existing tweets or suspension of accounts. Finally, the court fails to balance the rights of the affected users and other citizens against the government’s power to block accounts, creating a wide avenue for the government to exercise discretion. The court does not offer a conclusive reasoning to demonstrate that the government’s action to block accounts balances the content’s ability to incite anti-national feelings, failing to establish a direct connection between the content and violations enshrined under Section 69A.

Significance and Conclusion

The court willingly accepts MeitY’s determination of the blatant illegality of content without providing reasons in its order to substantiate the illegal nature of the content. In this way, it expands the government’s power to block any information, including information that may already exist or is yet to be generated. Therefore, the government can now exercise its power to block entire social media accounts if it is satisfied that some of the account’s tweets violate Section 69A.

In this regard, the court enables the executive to decide the comparative importance of users’ rights or its determination of illegality, without making additional determinations regarding whether the account’s dominant activity is unlawful, the availability of less restrictive alternatives, or the existence of a rational nexus. This is further complicated by the procedural framework under the blocking rules, wherein the examination and review committees are composed  solely of members from the executive branch.

Overall, the order of the Karnataka High Court is contentious as it enables the restriction of users’ fundamental freedoms without justifying the denial of such freedoms based on the proportionality principle. The order also accepts the State’s defence of “threat to national security” to justify prior restraint on users’ ability to freely express and access information. The order does not elaborate on its reasoning and, consequently, allows the government to misuse its blocking power to impose arbitrary restrictions on user rights in the future.

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Week I of the Fifth Substantive Session.

By Sukanya Thapliyal

Introduction

Last month from April 11-21, 2023, the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies (ICTs) for Criminal Purpose held its Fifth Session in Vienna. As we reported earlier, the negotiating process has reached a pivotal stage, wherein the Member Countries are negotiating on the basis of a Consolidated Negotiating Document (CND).

The Fifth session of the Ad Hoc Committee was aimed at conducting the second reading of the provisions of the CND which are as follows – 1] international cooperation, 2] technical assistance, 3] preventative measures 4] mechanism of implementation 5] the final provisions, and 6] the preamble. Much like previous sessions, Member States, and non-member observer States were supported and facilitated by the Chair, the Secretariat and multistakeholder group consisting of global and regional intergovernmental organisations, civil society organisations, academic institutions and the private sector.

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the Fifth substantive session of the Ad-hoc Committee. Part I of the blog captures the consultations and developments concerning the draft chapter on International Cooperation. In addition, we also attempt to familiarise readers with the emerging points of convergence and divergence of opinions among different Member States, non-member observer States and implications for the future negotiation process.

In part II of the blog series, we will be laying out the discussions and exchanges on (i) preventive measures, (ii) technical assistance, (iii) the final provisions; and (iv) the preamble.

Provisions on International Cooperation (Agenda Item 4)
The Chapter on International Cooperation provided under the CND lists 28 provisions subdivided into seven clusters that include a range of provisions such as – 1] general principles on international cooperation and personal data 2] provisions relating to extradition, transfer of sentenced persons and transfer of criminal proceeding 3] general principles and procedure relating to mutual legal assistance 4] provisions relating to expedited preservation and sharing of data and 5] provisions on law enforcement cooperation

Some of our key observations from Week 1 on different draft provisions listed under Chapter on International Cooperation are as follows:

Cluster 1: General principles of international cooperation and protection of personal data

Cluster 1 provisions provided under the chapter on international cooperation listed two provisions namely: (i) General principles of international cooperation and (ii) Protection of personal data.

(i) The general principles of international cooperation: This is an overarching provision applicable to the chapter on international cooperation. The said provision mandates the State Parties to cooperate in matters relating to preventing, detecting, investigating, prosecuting and adjudicating cybercrime. The scope of international cooperation also includes collecting, obtaining, preserving and sharing evidence and is based on the principle of reciprocity and in accordance with the domestic laws of the State parties.

The Member States were broadly in consensus on inclusion of general principles on international cooperation. However there was some disagreement. Some states including European Union, Canada, New Zealand, Australia proposed for narrow application of the chapter extending only to the offences criminalised under the proposed Convention. On the other hand, member Countries including India, and Colombia, were in favour of broader application of the Convention extending to range of cybercrime.

Further, several State Parties including the European Union, United Kingdom, Australia and New Zealand also proposed for the mentioning of personal data protection, grounds for refusal of request for extradition or providing assistance within the provision on general principles.

(ii) Protection of Personal Data: The provision on protection of personal data obligates the State Parties to ensure that personal data transmitted on the basis of a request made in accordance with the Convention should only be used for stated purposes such as investigations or proceedings concerning criminal offences and should adhere to data minimisation and purpose limitation. The provision also mandates the State Parties to ensure that such data is protected against loss or accidental or unauthorised access, disclosure, alteration or destruction.

Majority of State Parties were in agreement on inclusion of provision on personal data protection. However, a few Member States including CARICOM, China, Iran, Singapore and the United States were not in agreement on inclusion of this provision stating lack of relevance of the provision to the Convention.

Non-member observer European Union proposed an alternate provision on protection of personal data. The said proposal included a more elaborate set of obligations for the State Parties relating to maintenance of accurate and complete personal data, periodic review of the need for the storage of personal data, requirement for publication of general notices to the persons whose personal data have been collected and provision for effective judicial and non-judicial remedies to provide redressal to affected person.

Cluster 2: Provisions relating to extradition, transfer of sentenced persons and transfer of criminal proceedings

The provision relating to extradition under Cluster 2 under the chapter on international cooperation deals in extradition of a person who is the subject of the request for extradition is present in the territory of the requested State Party. The provision requires that extradition is permissible where extradition sought is punishable under the domestic law of both the requesting State Party and the requested State Party.

A large number of Member States were in agreement on inclusion of the said provision. Additionally, Member States including Nicaragua proposed the addition of political offence and offences punishable with death penalty under domestic laws as grounds of refusal for request of extradition. Beside this, several new proposals regarding expedited extradition, temporary surrender, surrender of property were also placed by Member Countries including Armenia.

Cluster 4- General principles and procedures relating to mutual legal assistance

Cluster 4 of the chapter on international cooperation included provision relating to general principles and procedures relating to mutual legal assistance, establishment of electronic databases on mutual legal assistance requests, spontaneous information, emergency mutual legal assistance, and 24/7 network. The provision outlining general principles laid down the scope, general rules and grounds for refusal of mutual legal assistance. The provision relating to maintaining electronic databases aimed to facilitate access to statistics relating to incoming and outgoing requests for mutual legal assistance involving electronic evidence. Besides this, the provisions relating to spontaneous information, emergency mutual legal assistance, and 24/7 network were also included within the text of CND to set up an effective and efficient system in place.

The Member States were broadly in agreement on inclusion of these provisions within the text of the prospective Convention. In addition, Member States including the European Union, United Kingdom, New Zealand and others proposed some additional grounds for refusal of mutual legal assistance, namely: refusal of request wherein the person affected is in danger being subjected to the death penalty, a life sentence without possibility of parole, torture, inhuman or degrading treatment or where the offence is political in nature.

Cluster 5: Provision relating to mutual legal assistance in expedited preservation of data, stored computer data, expedited disclosure of preserved traffic data and others

The cluster 5 provision placed under chapter on international cooperation listed provisions relating to mutual legal assistance in expedited preservation of data, stored computer data, expedited disclosure of preserved traffic data, accessing stored computer data, and cross-border access to stored data.

A large number of Member States were in agreement on inclusion of these provisions. In addition, there were new proposals relating to Mutual legal assistance in the expedited disclosure of preserved traffic data and expedited production of subscriber information and traffic data by Pakistan and India respectively. The said inclusion was opposed by the United States of America, the European Union, New Zealand, Canada and others.

Cluster 6- Provisions related to law enforcement cooperation, public-private partnership to enhance investigation of cybercrime, joint investigations and special investigative techniques

The provisions listed under Cluster 6 of the Chapter on international cooperation include obligations relating law enforcement cooperation, public-private partnership to enhance investigation of cybercrime, joint investigations and special investigative techniques, among others. The provision on law enforcement cooperation laid the obligation on the State Parties to cooperate closely to enhance the effectiveness of law enforcement action to combat cybercrime. The provision on public-private partnership assists their respective law enforcement agencies in developing appropriate guidelines and cooperating directly with relevant service providers to streamlining cooperation with industry. Further the CND also featured provisions on joint investigations, cooperation through special investigative techniques such as electronic or other forms of surveillance and undercover operations by its competent authorities to provide a lawful basis for collection of such evidence for use in investigations and prosecutions.

The provisions listed under cluster 6 enjoy support by multiple State Parties. However, some of the Member States including the European Union, the United States of America, Japan, Singapore, Canada, Norway, China and others have opposed the inclusion of provision Public-private partnerships to enhance the investigation of cybercrime.

Conclusion

Since the First Session of the Ad-Hoc Committee, the Member Countries have come a long way in arriving at a CND wherein the negotiations are now taking place in a more concrete and cohesive manner. Although Member Countries are still exhibiting diverse views on several provisions, the discussions have arrived at a crucial stage. The sixth session of the Ad-hoc committee is likely to be a watershed moment for the cybercrime convention in defining the finalised text of the convention that will be placed before the 78th session of the United Nation General Assembly in September 2023.

Analysing India’s Bilateral MOUs In the Field of Information and Communication Technologies (ICTs)

Sukanya Thapliyal

Introduction

As per the latest figures released by the International Telecommunication Union (ITU), post-COVID-19, the world witnessed a sharp rise in the number of internet users from 4.1 billion people (54% of the world population) in 2019 to 4.9 billion people (63% of the world population) in 2021. However, the same report states that some 2.9 billion people remain offline, 96%  of whom live in developing countries. These stark differences emanate from several barriers faced by the residents of the developing countries and include lack of access because of unaffordability of ICT services, lack of strong technological and industrial bases, inadequate R&D facilities, and deficient ICT operating skills. 

Countries are increasingly exploring different ways to partner with other countries through multilateral, bilateral, and other legal arrangements. The countries often forge bilateral cooperation with other countries through signing Memorandum of Understanding(MOUs), Memorandum of Cooperation (MOCs) and creating Joint Working Groups, and Joint Declarations of Intent, among others. These are informal legal instruments as compared to typical treaties or international agreements, and promote international cooperation in strategic interest areas. India has a detailed Standard Operating Procedure (SOP) with respect to MOUs/agreements with foreign countries. The SOP lays down the Indian legal practice on treaty formation and detailed guidelines in respect to the different international agreements that may be signed by the countries. 

India has executed several MOUs, MOCs, Joint Declaration of Intent, and Working Groups to identify common interests, priorities, policy dialogue, and the necessary tools for ICT collaboration. These include a broad range of areas,  including the development of IT software,  telecom software, IT-enabled services, E-commerce services & information security, electronic governance, IT and electronics hardware, Human Resource Development for IT education, IT-enabled education, Research and Development, strengthening the cooperation between private and public sector, collaboration in the field of emerging technologies, capacity building and technical assistance in the ICT sector. 

Aims and Objectives

This mapping exercise lists the numerous bilateral MOUs, Joint Declarations and other agreements signed between India and partner countries to locate the nature and extent of international collaborative efforts in the ICT sector. Furthermore, this mapping exercise aims to understand India’s strategic interests and priority areas in the sector and evaluate India’s unique positioning in South-South Cooperation. The said mapping exercise remains a work in progress and shall be updated at periodic intervals. 

Methodology

The mapping exercise includes an assessment of 36 MOUs and 5 other agreements subdivided into four categories: Fixed Term/ Renewed ICT MOUs (13), Open-Ended ICT MOUs (4), ICT MOUs with Pending Renewal/ Extension and Expired MOUs (19), and Joint Declaration and Proposals concerning ICT Sector (5). The relevant details of  such MOUs are derived from publicly available information provided by the Ministry of Electronics and Information Society (MeitY), Department of Telecommunication (DoT), Ministry of Communications (MOC) and the Indian Treaties Database by Ministry of External Affairs (MEA). The current analysis attempts to bring out the different MOUs, MOCs, and Joint Declarations of Intent executed by Indian authorities (MeitY, MOC and MEA), their duration of operation and the areas covered under the scope of such collaboration.   

Conclusion/Observations/Remarks:

Some of our key observations from the mapping exercise are as follows: 

• India has entered into MOUs/ Joint Declaration of Intent and other agreements with both developed and developing countries. These include Bangladesh, Bulgaria, Estonia, Israel, Japan, South Korea, Singapore, United Kingdom, among others. 
• Within India’s ICT cooperation and collaboration landscape, we have identified the following as priority areas: 

Building capacity of CERTs and law enforcement agencies	1. Cybersecurity technology cooperation relevant to CERT activities. 2. Exchange of information on prevalent cybersecurity policies and best practices. 3. CERT-to-CERT Cooperation. 4. Exchange of experiences regarding technical infrastructure of CERT.
Technical assistance and capacity building	1. Human resource development including  training of Govt. officials in e-governance. 2. Institutional cooperation among the academic and training institutions. 3. Strengthening collaboration in areas such as e-government, m-governance, smart infrastructure, e-health, among others.
Sharing of technology, standardization and certification	1. Cooperation in software development, rural telecommunication, manufacturing of telecom manufacturing and sharing of know-how technologies. 2. Cooperation in exchanging and developing technology. 3. Standardisation, testing and certification.
B2B cooperation and economic advancement	1. Enhancing B2B cooperation in cyber security. 2.Enable and strengthen industrial, technological and commercial cooperation between industry and research establishments. 3.Exploring third country markets. 4. Favourable environment for the business entities through various measures to facilitate trade and investment.

Key Priority Areas for India in ICT Sector

Mapping MOUs signed by India in the field of Information and Communication Technologies (ICT), created using https://www.mapchart.net/world.html

list-bilateral-agreements-in-the-field-of-ictDownload

Second Substantive Session of UN OEWG on International Cybersecurity (Part 1): Analysing Developments on Stakeholder Participation

Ananya Moncourt & Sidharth Deb

“Cyber Attacks” by Christian Colen Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0)

Introduction

On April 1st 2022, the United Nations General Assembly’s (UNGA’s) First Committee on Disarmament and International Security concluded the week-long second substantive session of the second Open-Ended Working Group (OEWG) on the security of and in the use of information and communication technologies (ICTs). This process is the UN’s second OEWG involving all 193 UN Member States on matters relating to international cybersecurity. There have also been six prior UN Group of Government Experts (GGEs) on similar issues.

This post is the first of a three-part series which analyses key developments at the OEWG’s second substantive session in the period between March 28 and April 01, 2022. This piece outlines discussions on a key issue – multistakeholder engagement within the OEWG process.

Readers can view it as a follow up to CCG’s two-part blog series from December 2021 which analysed major international cybersecurity discussions (including the international normative framework) at the UN and India’s participation in these processes. Part 1 begins by providing an overview of the scope of the OEWG’s institutional mandate, the geopolitical background in which the second substantive session was held, and analyses key organisational developments relating to the modalities of multistakeholder participation at the OEWG. It reveals geopolitical differences and where appropriate, spotlights India’s interventions on such issues.

Institutional Mandate

The second OEWG was established by UNGA Resolution 75/240 adopted on December 31, 2020. The resolution describes ICTs as “dual-use technologies” which can be used for both “… legitimate and malicious purposes”. This language within the resolution is curious since this would mean that dual-use technologies are capable of being used in lawful and unlawful scenarios. This is a departure from how “dual-use technologies” are traditionally defined as technologies which have both civilian and military applications and use cases.

Keeping this in mind, the resolution presciently expresses concern that some States are building up military ICT capabilities and that they could play active roles in future conflicts between States. Given their potential threat to national security, Resolution 75/240 establishes a new OEWG for the period between 2021 and 2025 which must act on a consensus basis. The second OEWG is expected to build on the aforementioned prior work of the GGEs and the first OEWG. The OEWG has been assigned a broad substantive mandate which includes:

1. Identifying existing and potential threats in the sphere of information security;
2. further developing the internationally agreed voluntary rules, norms and principles of responsible State behaviour in cyberspace. This entails identifying mechanisms for implementation and, if necessary, introducing and/or elaborating additional cyber norms;
3. developing an understanding of the manner in which international law applies to States’ use of ICTs;
4. capacity building and confidence-building measures on matters relating to international cybersecurity;
5. establishing mechanisms of regular institutional dialogue under the UN.

Resolution 75/240 specifies that aside from a final consensus report, the  OEWG must submit annual progress reports before the UNGA. Relevant to this post, the Resolution also grants the OEWG with the power to interact with non-governmental stakeholders. The OEWG’s Organisational Session in June 2021, States agreed to a total of eleven substantive sessions, the first of which was held in the period of December 13 to December 17, 2021.

Geopolitical Background to Second Substantive Session

At the second substantive session in the last week of March 2022 discussions were hindered by ongoing geopolitical tensions arising out of the international armed conflict owing to the Russian invasion of Ukraine. Cyberspace has played a strategic role within the conflict and has spanned several cyber incidents and operations. This includes strategic information campaigns and online influence operations. Moreover, the conflict has observed strategic incidents and operations which targeted government websites and extended to strategic measures critical information infrastructures across both public and private sectors. Key incidents prior to the session include a prominent attack on a satellite broadband network which affected internet availability for users across different parts of Europe.

The tensions have extended even to technical internet governance bodies like ICANN where for instance, Ukraine made unsuccessful requests to prevent Russian websites/domains from accessing the global internet. And as has been widely reported, the conflict has led to sanctions against Russian financial operators from executing cross-border transactions via globally interoperable ICT systems like the SWIFT network.

Such geopolitical realities mean that the OEWG’s progress which is rooted in consensus was adversely affected. Let us now consider a central organisational issue for the OEWG i.e. modalities of stakeholder participation.

Modalities of Stakeholder Participation

The value of rooting multistakeholderism into internet, ICT and cybersecurity governance is well documented. Most ICT systems are owned, controlled, used and/or managed by non-governmental stakeholders across the private sector and civil society. Field expertise is also largely situated outside of governments. However, under the UNGA First Committee, cybersecurity processes like the GGEs and the first OEWG have operated using state-centric, even exclusive, approaches.

UNGA Resolution 75/240 attempts to buck this trend and grants the OEWG the authority to interact with interested/relevant stakeholders from private sector, civil society and academia. For context, the first OEWG was the first cybersecurity discussion at the UN to involve some limited informal consultations between States and other stakeholders. The final substantive report, dated March 2021, even describes rich discussions and proposals from the multistakeholder community.

Despite this being an improvement upon the GGE model, experts contended that the first OEWG lacked direct or structured multistakeholder involvement. The first OEWG’s dialogue was described as ad-hoc, inconsistent and isolated. Similarly, consultation opportunities at the OEWG were largely limited to an exclusive class of accredited organisations at the UN’s Economic and Social Council (ECOSOC). Stakeholders expressed concern that a repeat of this approach would exclude discipline related field experts, private operators, and other relevant stakeholders. In lieu of this, certain States, regional organisations, non-governmental stakeholders, and individual experts have shared written inputs to the OEWG’s Chair calling for the adoption of modalities which facilitate transparent, structured and formal stakeholder involvement. The proposal put forth the additional option for non-accredited organisations to indirectly engage by sharing their views with the OEWG. To further inclusivity the proposal suggested that stakeholders be allowed to participate in both formal and informal consultations through a hybrid physical/virtual format.

Unfortunately, this issue was not resolved at either the OEWG’s Organisational Session in June 2021, nor its First Substantive Session in December 2021. At these discussions Member States like the EU, Canada, France, Australia, Brazil, Germany, the Netherlands, UK, USA and New Zealand advocated broader, structured, transparent and formal involvement of stakeholders. The transparency component was a point of emphasis for these jurisdictions. This proposal focused on making it widely known, the grounds on which certain States objected against the inclusion of stakeholders within the OEWG. In opposition, the Sino-Russian bloc including Cuba, Iran, Pakistan and Syria opposed extended multistakeholder participation since they believe the OEWG should preserve its government-led character. Russia has proposed formal multistakeholder involvement be restricted to granting consultative status to ECOSOC accredited institutions. These States insisted that informal consultations and written inputs are sufficient means of incorporating wider stakeholder views.

Although in favour of multistakeholder involvement, India’s interventions advocated that the OEWG follow the same modalities as the first OEWG which as described earlier has been criticised on grounds of inclusivity.

Developments on Modalities at Second Substantive Session

As the issue carried forward into the second substantive session, geopolitical tensions have escalated as a result of the Russia-Ukraine conflict. Statements by Australia, Canada, USA, UK, EU, France, Germany and others called upon Russia to stop using cyberattacks and disinformation campaigns. States from this bloc proposed that the OEWG’s programme of work not move forward without an agreement on stakeholder modalities. Iran contended that such a decision would undermine the legitimacy of the OEWG process. Other allies like China, Russia and Cuba argued that stakeholder participation should not come at the cost of substantial discussions. These countries cited Resolution 75/240 as not mandatorily requiring the OEWG to include stakeholders. However, the NATO and other allies of the US argued that delays to their inclusion would undercut stakeholders’ ability to meaningfully participate in the process.

Certain countries like France, Indonesia, Russia and Egypt supported an Indian proposal as a temporary workaround. India refined its earlier proposal and suggested that the OEWG continue the first OEWG’s system of informal consultations for the duration of one year while the issue of stakeholder participation was referred back to the UNGA for a final deliberation. No consensus was reached and consequently the Chair decided to suspend the issue of modalities and switched to issue-specific conversations via informal mode of discussion.

Conclusion: Final Modalities Yield Mixed Results

Three weeks after the conclusion of the second substantive session, the OEWG Chair shared a letter dated April 22, 2022 which declared consensus on the modalities of stakeholder participation at the second OEWG. These modalities will be formally adopted at the OEWG’s third substantive session in July 2022. They state that interested ECOSOC accredited NGOs can participate at the OEWG. Other interested stakeholders/organisations which are relevant to the OEWG’s mandate can apply for accreditation. They can formally participate provided Member States do not object. However, on the transparency front there appears to be a compromise. States must only share general reasons for their objection on a voluntary basis. The Chair will only share this received information with other Member States upon request. This prima facie means a stakeholder will not know why there was an objection against its participation in the OEWG process.

The actual stakeholder involvement will be carried out through two prongs. First, like the first OEWG the Chair will organise informal inter-sessional consultations between States and stakeholders. Second, accredited stakeholders can attend formal meetings of the OEWG, submit written inputs and make oral statements during a dedicated stakeholder session.

The modalities do not clarify if accredited stakeholders can participate virtually. This gap in communication is important since many stakeholders from developing/emerging countries often have limited resources and/or capacities to send contingents to these processes. While this development represents clear strides in terms of inclusivity from prior UN cybersecurity processes, as structured, the modalities could inadvertently exclude stakeholders from smaller countries who have an interest in maintaining a safe, secure and accessible cyberspace.

It remains to be seen if the international community will allocate resources in ensuring all interested stakeholders are present and active at these discussions. Moving forward, Parts 2 and 3 of this series focuses on key discussions which took place in informal mode at the Second Substantive Session of the OEWG. They describe how States (including India) view the substantial issues outlined in the OEWG’s institutional mandate. Part 3 concludes by charting out what to expect in the OEWG’s forthcoming draft of its first annual progress report for the UNGA.

Critiquing the Definition of Cyber Security under India’s Information Technology Act

Archit Lohani

“Security Measures” by Afsal CMK is licensed under CC BY 4.0

Introduction

As boundary-less cyberspace becomes increasingly pervasive, cyber threats continue to pose serious challenges to all nations’ economic security and digital development. For example, sophisticated attacks such as the WannaCry ransomware attack in 2017 rendered more than two million computers useless with estimated damages of up to four billion dollars. As cyber security threats continue to proliferate and evolve at an unprecedented rate, incidents of doxing, distributed denial of service (DDoS), and phishing attacks are on the rise and are being offered as services for hire. The task at hand is intensified due to the sheer number of cyber incidents in India. A closer look suggests that the challenge is exacerbated due to an outdated framework and lack of basic safeguards.

This post will examine one such framework, namely the definition of cybersecurity under the Information Technology Act, 2000 (IT Act).

Under Section 2(1)(nb) of the IT Act:

“cyber security” means protecting information, equipment, devices computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction;

This post contends that the Indian definitional approach adopts a predominantly technical view of cyber security and restricts effective measures to ensure cyber-resilience between governmental authorities, industry, non-governmental organisations, and academia. This piece also juxtaposes the definition against key elements from global standards under foreign legislations and industry practices.

What is Cyber security under the IT Act?

The current definition of cyber security was adopted under the Information Technology (Amendment) Act, 2009. This amendment act was hurriedly adopted in the aftermath of the Mumbai 26/11 terrorist attacks of 2008.  The definition was codified to facilitate protective functions under Sections 69B and 70B of the IT Act. Section 69B enables monitoring and collection of traffic data to enhance cyber security, prevent intrusion and spread of contaminants. Section 70B institutionalised Computer Emergency Response Team (CERT-In), to identify, forecast, issue alerts and guidelines, coordinate cyber incident response, etc. and further the state’s cyber security imperatives. Subsequently, the evolution of various institutions that perform key functions to detect, deter, protect and adapt cybersecurity measures has accelerated. However, this post argues that the current definition fails to incorporate elements necessary to contemporise and ensure effective implementation of cyber security policy.

Critique of the IT Act definition

It is clear that deterrence has failed as the volume of incidents does not appear to abate, making cyber-resilience a realistic objective that nations should strive for. The definition under the IT Act is an old articulation of protecting the referent objects of security- “information, equipment, devices computer, computer resource, communication device and information” against specific events that aim to cause harm these objects through “unauthorised access, use, disclosure, disruption, modification or destruction”.

There are a few issues with this dated articulation of cybersecurity. First, it suffers from the problem of restrictive listing as to what is being protected (aforementioned referent objects). Second, by limiting the referent objects and events within the definition it becomes prescriptive. Third, the definition does not capture the multiple, interwoven dimensions and inherent complexity of cybersecurity which includes interactions between humans and systems. Fourth, due to limited enlisting of events, similar protection is not afforded from accidental events and natural hazards to cyberspace-enabled systems (including cyber-physical systems and industrial control systems). Fifth, the definition is missing key elements – (1) It does not include technological solutions aspect of cyber security such as in the International Telecommunication Union (2009) definition that acknowledges “technologies that can be used to protect the cyber environment” and; (2) fails to incorporate the strategies, processes, and methods that will be undertaken. With key elements missing from the definition, it falls behind contemporary standards, which are addressed in the following section.

To put things in perspective, global conceptualisations of cybersecurity are undergoing a major overhaul to accommodate the increased complexity, pace, scale and interdependencies across the cyberspace and information and communication technologies (ICT) environments. In comparison, the definition under the IT Act has remained unchanged.

Although wider conceptualisations have been reflected through international and national engagements such as the National Cyber Security Policy (NCSP). For example, within the mission statement the policy document recognises technological solution elements; and interactions between humans and ICTs in cyberspace as one key rationale behind the cyber security policy.

However, differing conceptualisations across policy and legislative instruments can lead to confusion and introduce implementational challenges within cybersecurity regulation. For example, the 2013 CERT-In Rules rely on the IT Act’s definition of cyber security and define cyber security incidents and cyber security breaches. Further emphasising the narrow and technically dominant discourse which relate to the confidentiality, integrity, and availability triad.

The following section examines a few other definitions to illustrate the shortcomings highlighted above.

Key elements of Cyber security

Despite a plethora of definitions, there is no universal agreement on the conceptualisation of cybersecurity globally. This has manifested into the long-drawn deliberations at various international fora.

Cybersecurity aims to counter and tackle a constantly evolving threat landscape. Although it is difficult to build consensus on a singular definition, a few key features can be agreed upon. For example, the definition must address interdisciplinarity inherent to cyber security, its dynamic nature and the multi-level complex ecosystem cyber security exists in. A multidisciplinary definition can aid authorities and organizations in having visibility and insight as to how new technologies can affect their risk exposure. It will further ensure that such risks are suitably mitigated. To effectuate cyber-resilience, stakeholders have to navigate governance, policy, operational, technical and legal challenges.

An inclusive definition can ensure a better collective response and bring multiple stakeholders to the table. To institutionalise greater emphasis on resilience an inclusive definition can foster cooperation between various stakeholders rather than a punitive approach that focuses on liability and criminality. An inclusive definition can enable a bottom-up approach in countering cyber security threats and systemic incidents across sectors. It can also further CERT-In’s information-sharing objectives through collaboration between stakeholders under section 70B of the IT Act.

When it comes to the regulation of technologies that embody socio-political values, contrary to popular belief that technical deliberations are objective and value-neutral, such discourse (in this case, the definition) suffers from the dominance of technical perspectives. For example, the definition of cybersecurity under the National Institute of Standards and Technology (NIST) framework is, “the ability to protect or defend the use of cyberspace from cyber-attacks” directs the reader to the definitions of cyberspace and cyberattack to extensively cover its various elements. However, the said definitions also has a predominantly technical lens.

Alternatively, definitions of cyber security would benefit from inclusive conceptions that factor in human engagements with systems, acknowledge interrelated dimensions and inherent complexities of cybersecurity, which involves dynamic interactions between all inter-connected stakeholders. An effective cybersecurity strategy entails a judicious mix of people, policies and technology, as well as a robust public-private partnership.

Cybersecurity is a broad term and often has highly variable subjective definitions. This hinders the formulation of appropriately responsive policy and legislative actions. As a benchmark, we borrow the Dan Purse et al. definition of cybersecurity– “the organisation and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.” The benefit of this articulation is that it necessitates a deeper understanding of the harms and consequences of cyber security threats and their impact. However, this definition cannot be adopted within the Indian legal framework as (a) property rights are not recognised as fundamental rights and (b) this narrows its application to a harms and consequences standard.

Most importantly, the authors identify five common elements to form a holistic and effective approach towards defining cybersecurity. The following elements are from a literature review of 9 cybersecurity definitions are:

• technological solutions
• events
• strategies, processes, and methods
• human engagement; and
• referent objects.

These elements highlight the complexity of the process and involve interaction between humans and systems for protecting the digital assets and themselves from various known and unknown risks. Simply put, any unauthorized access, use, disclosure, disruption, modification or destruction results in at least, a loss of functional control over the affected computer device or resource to the detriment of the person and/or legal entity in whom lawful ownership of the computer device or resource is vested. The definition codified under the IT Act only partly captures the complexity of ‘cyber security’ and its implications.

Conclusion

Economic interest is a core objective that necessitates cyber-resilience. Recognising the economic consequences of such attacks rather than protecting limited resources such as computer systems acknowledges the complex approaches to cybersecurity. Currently, the definition of cybersecurity is dominated by technical perspectives, and disregards other disciplines that should be ideally acting in concert to address complex challenges. Cyber-resilience can be operationalised through a renewed definition; divergent approaches within India to tackle cybersecurity challenges will act as a strategic barrier to economic growth, data flow, investments, and most importantly effective security. It will also divert resources away from more effective strategies and capacity investments. Finally, the Indian approach should evolve and stem from the threat perception, the socio-technical character of the term, and aim to bring cybersecurity stakeholders together.

Technology & National Security Reflection Series Paper 13: Flipping the Narrative on Data Localisation and National Security

Romit Kohli*

About the Author: The author is a fifth year student of the B.A. LL.B. (Hons.) programme at the National Law University, Delhi.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. This post was written in Summer, 2021. Therefore, it does not reflect recent policy developments in the field of data governance and data protection such as the December 2021 publication of the Joint Parliamentary Committee Report and its proposed Data Protection Bill, 2021.

I. Introduction

Countries all over the world are seeking to preserve and strengthen their cyber-sovereignty in various ways. One popular mechanism for the same is labelled with the nebulous phrase ‘data localisation’. Data localisation refers to requirements imposed by countries which necessitate the physical storage of data within their own national boundaries. However, the degree of data localisation varies across jurisdictions. At one end of the spectrum, we have ‘controlled localisation’ that favours the free-flow of data across borders, subject to only mild restrictions.  A prominent example of controlled localisation is the European Union’s (“EU”) General Data Protection Regulation (GDPR). At the other end of the spectrum, we have jurisdictions like China which impose much stricter localisation requirements on businesses operating within their national boundaries.

In India data localisation has become a significant policy issue over the last few years. Various government documents have urged lawmakers to introduce a robust framework for data localisation in India. The seminal policy document in this regard is the Justice BN Srikrishna Committee report, which provided the basis for the Personal Data Protection Bill of 2019.This bill proposed a framework which would result in a significant economy-wide shift in India’s data localisation practices. At the same time, various government departments have sought to implement sector-specific data localisation requirements with different levels of success.

This blog post argues that far from being a facilitator of national security, data localisation measures may present newer threats to national security in their implementation. We seek to establish this in three steps. First, we analyse the link between India’s national security concerns and the associated objectives of data localisation. This analysis demonstrates that the mainstream narrative regarding the link between national security and data localisation is inherently flawed. Thereafter, we discuss the impact of data localisation on the economic growth objective, arguing that India’s localisation mandate fails to consider certain unintended consequences of data localisation which restrict the growth of the Indian economy. Lastly, the article argues how this adverse impact on economic growth poses a threat to India’s national security, which requires us to adopt a  more holistic outlook of what constitutes national security. 

Image by World Bank Photo Collection’s Photostream. Copyrighted under CC BY 2.0.

II. The Mainstream Narrative

The Srikrishna Committee report underscores national security concerns as a basis for two distinct policy objectives supporting the introduction of data localisation measures. First, the report refers to the need for law enforcement agencies to have access to data which is held and controlled by data fiduciaries, stating that such access is essential for ‘… effectively [securing] national security and public safety…’ since it facilitates the detection of crime and the process of evidence gathering in general (Emphasis Added). However, experts argue that such an approach is ‘… unlikely to help India achieve objectives that actually require access to data’. Instead, the government’s objectives would be better-served by resorting to light-touch localisation requirements, such as mandating the storage of local copies of data in India while still allowing the data to be processed globally. They propose complementing these domestic measures with negotiations towards bilateral and multilateral frameworks for cross-border access to data.

Second, the report states that the prevention of foreign surveillance is ‘critical to India’s national security interests’ due to the lack of democratic oversight that can be exercised over such a process (Emphasis Added). However, we believe that data localisation fails as an effective policy measure to address this problem because notwithstanding the requirements imposed by data localisation policies, foreign governments can access locally stored data through extra-territorial means, including the use of malware and gaining the assistance of domestic entities. What is required,, is a more nuanced and well-thought-out solution which leverages the power of sophisticated data security tools. 

The above analysis demonstrates that the objectives linked to national security in India’s data localisation policy can be better served through other means. Accordingly, the mainstream narrative which seeks to paint data localisation as a method of preserving national security in the sense of cyber or data security is flawed. 

III. The (Unintended) Impact on the Indian Economy

The Srikrishna Committee Report ostensibly refers to the ‘… positive impact of server localisation on creation of digital infrastructure and digital industry’. Although there is no disputing the impact of the digital economy on the growth of various industries generally, the report ignores the fact that such growth has been fuelled by the free flow of cross-border data. Further, the Srikrishna Committee Report fails to consider the costs imposed by mandatory data localisation requirements on businesses which will be forced to forgo the liberty of storing their data in the most cost-effective way possible. These costs will be shifted onto unsuspecting Indian consumers. 

The results of three seminal studies help illustrate the potential impact of data localisation on the Indian economy. The first study, which aimed at quantifying the loss that data localisation might cause to the economy, found that mandatory localisation requirements would reduce India’s GDP by almost 1% and that ‘… any gains stemming from data localisation are too small to outweigh losses in terms of welfare and output in the general economy’. A second study examined the impact of data localisation on individual businesses and found that due to a lack of data centres in India, such requirements would impose a 30-60% increase in operating costs on such businesses, who would be forced to store their data on local servers. The last study analysed the sector-specific impact of localisation, quantifying the loss in total factor productivity at approximately 1.35% for the communications sector, 0.5% for the business services sector, and 0.2% for the financial sector. More recent articles have also examined the prejudicial impact of data localisation on Indian start-ups, the Indian IT sector, the cyber vulnerability of small and medium enterprises, and India’s Ease of Doing Business ranking. 

At this point, it also becomes important to address a common argument relied upon by proponents of data localisation, which is the fact that localisation boosts local employment, particularly for the computer hardware and software industries. Although attractive on a prima facie level, this argument has been rebutted by researchers on two grounds. First, while localisation might lead to the creation of more data centres in India, the majority of the capital goods needed for such creation will nonetheless be imported from foreign suppliers. Second, while the construction of these centres might generate employment for construction workers at a preliminary stage, their actual functioning will fail to generate substantial employment due to the nature of skilled work involved. 

The primary lesson to be drawn from this analysis is that data localisation will adversely impact the growth of the Indian economy—a lesson that seems to have been ignored by the Srikrishna Committee report. Further, when discussing the impact of data localisation on economic growth in India, the report makes no reference to national security. We believe that this compartmentalisation of economic growth and national security as unrelated notions reflects an inherently myopic view of the latter. 

IV. Towards a Novel Narrative

National security is a relative concept—it means different things to different people in different jurisdictions and socio-economic contexts. At the same time, a noticeable trend vis-à-vis this relative concept is that various countries have started incorporating the non-traditional factor of economic growth in their conceptions of national security. This is because the economy and national security are inextricably linked, with several interconnections and feedback loops. 

Although the Indian government has made no explicit declaration in this regard, academic commentary has sought to characterise India’s economic slowdown as a national security concern in the past. We believe that this characterisation is accurate since India is a relatively low-income country and therefore, its national security strategy will necessarily depend upon the state of its economy. Further, although there have been objections surrounding a dismal defence-to-GDP ratio in India, it is believed that these objections are based on ‘trivial arithmetic’. This is because the more appropriate way of remedying the current situation is by concentrating policy efforts on increasing India’s GDP and accelerating economic growth, rather than lamenting low spends on defence. 

This goal, however, requires an upgradation of India’s national security architecture. While the nuances of this reform fall outside the precise scope of this blog post, any comprehensive reform will necessarily require a change in how Indian policymakers view the notion of national security. These policymakers must realise that economic growth underpins our national security concerns and consequently, it is a factor which must not be neglected.

This notion of national security must be used by Indian policymakers to examine the economic viability of introducing any new law, including the localisation mandate. When seen through this broader lens, it becomes clear that the adverse economic impact of data localisation policies will harm India’s national security by inter alia increasing the costs of doing business in India, reducing the GDP, and prejudicing the interests of Indian start-ups and the booming Indian IT sector. 

V. Conclusion

This blog post has attempted to present the link between data localisation and national security in a different light. This has been done by bringing the oft-ignored consequences of data localisation on the Indian economy to the forefront of academic debate. At the center of the article’s analysis lies an appeal to Indian policymakers to examine the notion of national security through a wider lens and consequently rethink their flawed approach of addressing national security concerns through a localisation mandate. This, in turn, will ensure sustained economic growth and provide India with the technological advantage it necessarily requires for preserving its national interests.  

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 12 (B): Contours of Access to Internet as a Fundamental Right

Shreyasi Tripathi^*

About the Author: The author is a 2021 graduate of National Law University, Delhi. She is currently working as a Research Associate with the Digital Media Content Regulatory Council.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.  Along with a companion piece by Tejaswita Kharel, the two essays bring to a life a fascinating debate by offering competing responses to the following question:

Do you agree with the Supreme Court’s pronouncement in Anuradha Bhasin that access to the internet is an enabler of other rights, but not a fundamental right in and of itself? Why/why not? Assuming for the sake of argument, that access to the internet is a fundamental right (as held by the Kerala High Court in Faheema Shirin), would the test of reasonableness of restrictions be applied differently, i.e. would this reasoning lead to a different outcome on the constitutionality (or legality) of internet shutdowns?

Both pieces were developed in the spring semester, 2020 and do not reflect an updated knowledge of subsequent factual developments vis-a-vis COVID-19 or the ensuing pandemic.

1. INTRODUCTION 

Although it did little to hold the government accountable for its actions in Kashmir, it would be incorrect to say that the judgment of Anuradha Bhasin v. The Union of India is a complete failure. This reflection paper evaluates the lessons learnt from Anuradha Bhasin and argues in favour of access to the internet as a fundamental right, especially in light of the COVID-19 pandemic. 

Image by Khaase. Licensed under Pixabay License.

2. EXAMINING INDIA’S LEGAL POSITION ON RIGHT TO INTERNET 

Perhaps the greatest achievement of the Anuradha Bhasin judgement is the fact that the Government is no longer allowed to pass confidential orders to shut down the internet for a region. Moreover, the reasons behind internet shutdown orders must not only be available for public scrutiny but also be reviewed by a Committee. The Committee will need to scrutinise the reasons for the shutdown and must benchmark it against the proportionality test. This includes evaluating the pursuit of a legitimate aim, exploration of suitable alternatives, and adoption of the least restrictive measure while also making the order available for judicial review. The nature of the restriction,  its territorial and temporal scope will be relevant factors to determine whether it is proportionate to the aim sought to be achieved. The court also expanded fundamental rights to extend to the virtual space with the same protections. In this regard, the Court  made certain important pronouncements on the right to freedom of speech and expression. These elements will not be discussed here as they fall outside the scope of this paper. 

A few months prior in 2019, the Kerala High Court recognised access to the internet as a fundamental right. Its judgement in Faheema Sharin v. State of Kerala, the High Court addressed a host of possible issues that arise with a life online. Specifically, the High Court recognised how the internet extends individual liberty by giving people a choice to access the content of their choice, free from control of the government. The High Court relied on a United Nations General Assembly Resolution to note that the internet “… facilitates vast opportunities for affordable and inclusive education globally, thereby being an important tool to facilitate the promotion of the right to education…” – a fact that has only strengthened in value during the pandemic. The Kerala High Court held that since the Right to Education is an integral part of the right to life and liberty enshrined under Article 21 of the Constitution, access to the internet becomes an inalienable right in and of itself. The High Court also recognised the value of the internet to the freedom of speech and expression to say that the access to the internet is protected under Art. 19(1)(a) of the Constitution and can be restricted on grounds consistent with Art. 19(2).

3. ARGUING IN FAVOUR OF RIGHT TO INTERNET  

In the pandemic, a major reason why some of us have any semblance of freedom and normalcy in our lives is because of the internet. At a time when many aspects of our day to day lives have moved online, including education, healthcare, shopping for essential services, etc. – the fundamental importance of the internet should not even be up for debate. The Government also uses the internet to disseminate essential information. In 2020 it used a contact tracing app (Aarogya Setu) which relied on the internet for its functioning. There also exists a WhatsApp chatbot to give accurate information about the pandemic. The E-Vidya Programme was launched by the Government to allow schools to become digital. In times like this, the internet is not one of the means to access constitutionally guaranteed services, it is the only way (Emphasis Added). 

In  this context, the right of access to the internet should be read as part of the Right to Life and Liberty under Art. 21. Therefore, internet access should be subject to restrictions only based on procedures established by law. To better understand what shape such restrictions could take, lawmakers and practitioners can seek guidance from another recent addition to the list of rights promised under Art. 21- the right to privacy. The proportionality test was laid down in the Puttaswamy I judgment and reiterated in  Puttaswamy II (“Aadhaar Judgement”). In the Aadhar Judgement  when describing the proportionality for reasonable restrictions, the Supreme Court stated –

“…a measure restricting a right must, first, serve a legitimate goal (legitimate goal stage); it must, secondly, be a suitable means of furthering this goal (suitability or rational connection stage); thirdly, there must not be any less restrictive but equally effective alternative (necessity stage); and fourthly, the measure must not have a disproportionate impact on the right-holder (balancing stage).” –

This excerpt from Puttaswamy II provides as a defined view on the proportionality test upheld by the court in Anuradha Bhasin. This means that before passing an order to shut down the internet the appropriate authority must assess whether the order aims to meet a goal which is of sufficient importance to override a constitutionally protected right. More specifically, does the goal fall under the category of reasonable restrictions as provided for in the Constitution. Next, there must be a rational connection between this goal and the means of achieving it. The appropriate authority must ensure that an alternative method cannot achieve this goal with just as much effectiveness. The authority must ensure that the method being employed is the least restrictive. Lastly, the internet shutdown must not have a disproportionate impact on the right holder i.e. the citizen, whose right to freedom of expression or right to health is being affected by the shutdown. These reasons must be put down in writing and be subject to judicial review.

Based on the judgment in Faheema Sharin, an argument can be made how the pandemic has further highlighted the importance of access to the internet, not created it. The reliance of the Government on becoming digital with e-governance and digital payment platforms shows an intention to herald the country in a world that has more online presence than ever before. 

4. CONCLUSION 

People who are without access to the internet right now* – people in Kashmir, who have access to only 2G internet on mobile phones, or those who do not have the socio-economic and educational means to access the internet – are suffering. Not only are they being denied access to education, the lack of access to updated information about a disease about which we are still learning could prove fatal. Given the importance of the internet at this time of crisis, and for the approaching future, where people would want to avoid being in crowded classrooms, marketplaces, or hospitals- access to the internet should be regarded as a fundamental right.

This is not to say that the Court’s recognition of this right can herald India into a new world. The recognition of the right to access the internet will only be a welcome first step towards bringing the country into the digital era. The right to access the internet should also be made a socio-economic right. Which, if implemented robustly, will have far reaching consequences such as ease of social mobility, increased innovation, and fostering of greater creativity.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 12(A): Contours of Access to Internet as a Fundamental Right

Tejaswita Kharel^*

About the Author: The author is a 2021 graduate of National Law University, Delhi. She is currently working as a lawyer in Kathmandu, Nepal. Her interests lie in the area of digital rights, freedom of speech and expression and constitutional law.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. Along with a companion piece by Shreyasi Tripathi, the two essays bring to a life a fascinating debate by offering competing responses to the following question:

Do you agree with the Supreme Court’s pronouncement in Anuradha Bhasin that access to the internet is an enabler of other rights, but not a fundamental right in and of itself? Why/why not? Assuming for the sake of argument, that access to the internet is a fundamental right (as held by the Kerala High Court in Faheema Shirin), would the test of reasonableness of restrictions be applied differently, i.e. would this reasoning lead to a different outcome on the constitutionality (or legality) of internet shutdowns?

Both pieces were developed in the spring semester, 2020 and do not reflect an updated knowledge of subsequent factual developments vis-a-vis COVID-19 or the ensuing pandemic.

1. INTRODUCTION 

The term ‘internet shutdown’ can be defined as an “intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information”.¹ It has become a tool used by States against residents of the country in question when they are faced with some imminent threat to law and order or a certain breakdown of law and order. It is used with the belief that a blanket shutdown of the Internet helps restrict misinformation, spreading of fake news,  incitement of violence, etc. that could take place. 

Image by Ben Dalton. Copyrighted under CC BY 2.0.

2. ANURADHA BHASIN JUDGEMENT: INTERNET AS ENABLER OF FUNDAMENTAL RIGHTS ENSHRINED UNDER THE CONSTITUTION OF INDIA 

Due to the suspension of mobile and broadband internet services in Jammu and Kashmir on August 4, 2019 before the repeal of Article 370 of the Constitution of India, a petition was filed at the Supreme Court by Anuradha Bhasin (a journalist at Kashmir Times). The petition challenged  the Government’s curb of media freedom in Jammu and Kashmir as a result of the blanket internet and communications shutdown. On 10th January 2020, the Supreme Court’s judgement in Anuradha Bhasin v. Union of India, held that the internet has been deemed as a means to realise fundamental rights under Article 19 of the Constitution. The Court’s decision specifically applied to the right to freedom of speech and expression and the right to carry on trade or businesses. 

The Court did not explore or answer the question of whether access to the internet by itself is a fundamental right since it was not a contention by the counsels. However, the Court did state that since fundamental rights could be affected by the measures applied by authorities (which in this case was an internet shutdown), a lawful measure which could restrict these fundamental rights must be proportionate to the goal. 

One reading of the Supreme Court’s decision in Anuradha Bhasin is that the case could act as an enabler which legitimises government-mandated internet shutdowns. Nevertheless, the Court does explicitly hold that the curtailment of fundamental rights affected by internet access restrictions must be proportionate. In pursuance of this restrictive measures need to be the least restrictive in nature. However, determining what constitutes the least restrictive measure is a subjective question and would vary on a case by case basis. There is no guarantee that internet shutdowns would not be the opted measure. . 

3. Critiquing the Rationale of the Anuradha Bhasin Judgement

It is important to investigate why the Court was hesitant to not deem internet access as a fundamental right. One major reason could be due to the fact that access to the internet is not possible for all the citizens of India in the current situation in any case. At the time of writing this paper, approximately half of India’s population has access to and uses the internet. Where such a visible ‘Digital Divide’ exists, i.e. when half of the Indian population cannot access the Internet and the government has not yet been able to provide such universal access to the internet, it would not be feasible for the Court to hold that the access to internet is in fact a fundamental right. 

If the Court were to hold that access to the internet is a fundamental right in the current situation, there would be a question of what internet access means ? Is access to the internet simply access to an internet connection? Or does  it also include the means required in order to access the internet in the first place? 

If it is just the first, then deeming access to the internet as a fundamental right would be futile since in order to access an internet connection, electronic devices (e.g. laptops, smartphones, etc.) are required. At a purely fiscal level, it would be improbable for the State to fulfil such a Constitutional mandate. Moreover, access to the internet would be a fundamental right only to those who have the privilege of obtaining the means to access the internet. The burden on the State would be too high since the State would be expected to not just provide internet connection but also the electronics which would be required in order to access the same. In either case, it does not seem feasible for access to the internet to be deemed as a fundamental right due to the practical constraint of India’s immense digital divide.  

4. RIGHT TO INTERNET FOR CURRENT AND FUTURE CHALLENGES 

At a future point where it is feasible for more people to access the internet in India (especially in rural/remote areas), it may be appropriate to deem access to the internet as a fundamental right. However, at this juncture to argue that the access to internet is a fundamental right (knowing that it is primarily accessible to more privileged segments) would be an assertion anchored on privilege.  Therefore, as important as the internet is for speech and expression, education, technology, etc. the fact that it is not accessible to a lot of people is something for policymakers and wider stakeholders to consider. 

This is especially important to look at in the context of COVID-19. Lockdowns and movement restrictions have increased remote work and accelerated online education. In order to work or study online, people must have access to both devices and  the internet. 

In this context a UNICEF Report (August 2020)observed that only 24% of Indian households had internet connection to access education and in November 2020 an undergraduate student died as a result of suicide since she was unable to afford a laptop. This provides macro and micro evidence of the blatant digital divide in India. Hence, it is not feasible to deem the right to access the internet as a fundamental right.  

In any case, if we were to assume that the right to access the internet was a fundamental right as what was held on 19 September 2019 by the Kerala High Court in Faheema Shirin R.K v. State of Kerala, the issue of whether internet shutdowns are legal or not would still be contended. Article 19(2) provides certain conditions under which the right to freedom of speech and expression under Article 19(1)(a) can be reasonably restricted. Similarly, Article 19(6) of the Constitution provides that  the right to carry on trade and business can be reasonably restricted in the interest of the general public. If access to the internet would be deemed as a fundamental right, it would be necessary to look at the scope of Articles 19(2) and 19(6) through a different lens. Nevertheless, such alteration would not yield a different application of the law. In essence, the Government’s restrictions on internet access would operate in the same way.

It is highly likely that Internet shutdowns would still be constitutional. However, there could be a change in the current stance to the legality of internet shutdowns. Situations wherein internet shutdowns would be legal may become narrower. There may even be a need for specific  legislation for clarity and for compliance with the constitutional obligations. 

5. CONCLUSION 

Due to COVID-19, many people are unable to access education or work in the same way that was done before. Even courts are functioning online and with that the necessity to access the internet has never been stronger. The court in Anuradha Bhasin held that the internet was an enabler to rights under Articles 19(1)(a) and 19(1)(g). However,  now with the added scope for the necessity to be able to use the internet as a medium of accessing education and as a medium to access justice (which has been recognised as a fundamental right under Article 21 and 14), lawmakers and Courts must evaluate whether the rising dependency on the access internet would in itself be a reason for internet access becomes crystallised as a fundamental right. 

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. Access Now, in consultation with stakeholders from around the world, launched its #KeepItOn campaign against internet shutdowns and developed the first international consensus on the definition of an internet shutdown in RightsCon 2016, available at https://www.rightscon.org/cms/assets/uploads/2016/07/RC16OutcomesReport.pdf.

Introducing the Reflection Series on CCG’s Technology and National Security Law and Policy Seminar Course

In February 2022, CCG-NLUD will commence the latest edition of its Seminar Course on Technology and National Security Law and Policy (“the Seminar Course”). The Seminar Course is offered to interested 4th and 5th year students who are enrolled in the B.A. LL.B. (Hons.) programme at the National Law University, Delhi. The course is set against the backdrop of the rapidly evolving landscape of international security issues, and concomitant challenges and opportunities presented by emerging technologies.

National security law, viewed as a discrete discipline of study, emerges and evolves at the intersection of constitutional law; domestic criminal law and its implementation in surveillance; counter-terrorism and counter-insurgency operations; international law including the Law of Armed Conflict (LOAC) and international human rights law; and foreign policy within the ever-evolving contours of international politics.

Innovations and technological advancements in cyberspace and next generation technologies serve as a jumping off point for the course since they have opened up novel national security issues at the digital frontier. New technologies have posed new legal questions, introduced uncertainty within settled legal doctrines, and raised several legal and policy concerns. Understanding that law schools in India have limited engagement with cyber and national security issues, this Seminar Course attempts to fill this knowledge gap.

The Course was first designed and launched by CCGNLUD in 2018. In 2019, the Seminar Course was re-designed with the help of expert consultations to add new dimensions and debates surrounding national security and emerging technologies. The redesign was meant to ground the course in interdisciplinary paradigms in a manner which allows students to study the domain through practical considerations like military and geo-political strategy. The revised Seminar Course engages more  deeply with third world approaches which helps situate several issues within the rubric of international relations and geopolitics. This allows students to holistically critique conventional precepts of the international world order.  

The revamped Seminar Course was relaunched in the spring semester of 2020. Owing to the sudden countrywide lockdown in the wake of COVID-19, most sessions shifted online. However, we managed to navigate these exigencies with the support of our allies and the resolve of our students.

In adopting an interdisciplinary approach, the Seminar Course delves into debates at the intersection of national security law and policy, and emerging technologies, with an emphasis on cybersecurity and cyberwarfare. Further, the Course aims to:

1. Recognize and develop National Security Law as a discrete discipline of legal studies, and
2. Impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The Technology and National Security Seminar Reflection Paper Series (“The Reflection Series”) is meant to serve as a mirror of key takeaways and student learnings from the course. It will be presented as a showcase of exceptional student essays which were developed and informed by classroom discussions during the 2020 and 2021 editions of the Seminar Course. The Reflection Series also offers a flavour of the thematic and theoretical approaches the Course adopts in order to stimulate structured discussion and thought among the students. A positive learning from these two editions is that students demonstrated considerable intellectual curiosity and had the freedom to develop their own unique understanding and solutions to contemporary issues—especially in the context of cyberspace and the wider ICT environments. Students were prescribed atypical readings and this allowed them to consider typical issues in domains like international law through the lens of developing countries. Students were allowed to revisit the legitimacy of traditional sources of authority or preconceived notions and assumptions which underpin much of the orthodox thinking in geostrategic realms like national security.

CCG-NLUD presents the Reflection Series with a view to acknowledge and showcase some of the best student pieces we received and evaluated for academic credit. We thank our students for their unwavering support and fruitful engagement that makes this course better and more impactful.

Starting January 5, 2022, select reflection papers will be published three times a week. This curated series is meant to showcase different modules and themes of engagement which came up during previous iterations of the course. It will demonstrate that CCG-NLUD designs the course in a way which covers the broad spectrum of issues which cover topics at the intersection of national security and emerging technology. Specifically, this includes a showcase of (i) conceptual theory and strategic thinking, (ii) national security through an international and geostrategic lens, and (iii) national security through a domestic lens.

Here is a brief glimpse of what is to come in the coming weeks:

1. Reimagining Philosophical and Theoretical Underpinnings of National Security and Military Strategy (January 5-12, 2022)

Our first reflection paper is written by Kushagra Kumar Sahai (Class of ’20) in which he evaluates whether Hugo Grotius, commonly known as the father of international law owing to his seminal work on the law of war and peace, is better described as an international lawyer or a military strategist for Dutch colonial expansion.

Our second reflection paper is a piece written by Manaswini Singh (Class of ’20). Manaswini provides her take on Edward Luttwak’s critique of Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of strategy. In a separate paper (third entry), Manaswini also undertakes the task of explaining the relationship between technological developments and the conduct of war through the lens of the paradoxical logic of strategy.

Our fourth reflection paper is by Animesh Choudhary (Class of ’21) on Redefining National Security. Animesh, in his submission, points out several fallacies in the current understanding of national security and pushes for “Human Security” as an alternative and more appropriate lens for understanding security issues in the 21^st century.

2. International Law, Emerging Technologies and Cyberspace (January 14-24, 2022)

In our fifth reflection paper, Siddharth Gautam (Class of ’20) explores whether cyber weapons could be subjected to any regulation under contemporary rules of international law.

Our sixth reflection paper is written by Drishti Kaushik (Class of ’21) on The Legality of Lethal Autonomous Weapons Systems (“LAWS”). In this piece, she first presents an analysis of what constitutes LAWS. She then attempts to situate modern systems of warfare like LAWS and its compliance with traditional legal norms as prescribed under international humanitarian laws.

Our seventh reflection paper is written by Karan Vijay (Class of ’20) on ‘Use of Force in modern times: Sisyphus’ first world ‘boulder’. Karan examines whether under international law, a mere threat of use of force by a state against another state would give rise to a right of self-defence. In another piece (eighth entry), Karan writes on the authoritative value of interpretations of international law expressed in texts like the Tallinn Manual with reference to Article 38 of the Statute of the International Court of Justice i.e. traditional sources of international law.

Our ninth reflection paper is written by Neeraj Nainani (Class of ’20), who offers his insights on the Legality of Foreign Influence Operations (FIOs) under International law. Neeraj’s paper, queries the legality of the FIOs conducted by adversary states to influence elections in other states through the use of covert information campaigns (such as conspiracy theories, deep fake videos, “fake news”, etc.) under the established principles of international law.

Our tenth reflection paper is written by Anmol Dhawan (Class of ’21). His contribution addresses the International Responsibility for Hackers-for-Hire Operations. He introduces us to the current legal issues in assigning legal responsibility to states for hacker-for-hire operations under the due diligence obligation in international law.

3. Domestic Cyber Law and Policy (January 28- February 4, 2022)

Our eleventh and twelfth reflection papers are two independent pieces written by Bharti (Class of ’20)and Kumar Ritwik (Class of ’20). These pieces evaluate whether the Government of India’s ongoing response to the COVID-19 pandemic could have benefited if the Government had invoked emergency provisions under the Constitution. Since the two pieces take directly opposing views, they collectively product a fascinating debate on the tradeoffs of different approaches.

Our thirteenth and fourteenth reflection papers have been written by Tejaswita Kharel (Class of ’20) and Shreyasi (Class of ’20). Both Tejaswita and Shreyasi interrogate whether the internet (and therefore internet access) is an enabler of fundamental rights, or whether access to the internet is a fundamental right unto itself. Their analysis rely considerably on the Indian Supreme Court’s judgement in Anuradha Bhasin v. Union of India which related to prolonged government mandated internet restrictions in Kashmir.

We will close our symposium with a reflection paper by Romit Kohli (Class of ’21), on Data Localisation and National Security: Flipping the Narrative. He argues that the mainstream narrative around data localisation in India espouses a myopic view of national security. His contribution argues the need to go beyond this mainstream narrative and constructs a novel understanding of the link between national security and data localisation by taking into consideration the unintended and oft-ignored consequences of the latter on economic development.