Print This Post
31 March 2021, Gateway House

A model for global data regulation

Individuals now generate copious amounts of personal data everyday – both online and offline. Devices and infrastructure extract data, which can be shared instantly across borders with diverse entities - without consent. It is imperative that countries come together to create regulations to protect individuals who are unable to control how their data is shared and processed. A model already exists in the Paris Climate Agreement.

Researcher, International Law Studies Programme

post image

The Hiranandani Group’s recent Rs. 8,500 crore deal to set up a data centre in West Bengal,[1] the notification of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021,[2] and the adoption of the News Media Bargaining Code in Australia,[3] which will require Google and Facebook to pay local media houses for news they source from them, all have brought the issue of Big Tech and big data regulation back into focus.

Platforms like Facebook and Twitter were initially the bastions of free speech and responsible for quick mobilisation, allowing people to organise. However, as they have grown, three areas of concern have emerged: security, privacy and anti-trust issues.

In terms of security, these platforms have been accused of being negatively used – for example to influence elections, as in the case of the Russian bots in the U.S. elections in 2017,[4] or aid in the targeting of vulnerable groups in India.[5] There are privacy concerns, for example online harassment like doxing (where an individual’s sensitive, personal data is made public without their consent) and location-tracking. Anti-trust issues are also mounting. Companies from technologically-developed countries like the U.S. and China can adopt anti-competitive practices, rapidly acquire companies and penetrate developing markets at the cost of local players. For example, Free Basics[6],  Facebook’s initiative aimed at bringing people online with access to a limited number of websites that also sought monopolistic control of data in Africa.[7]

These concerns are worldwide and require regulation at an international level. Efforts to create global data regulation have been sporadic and disjointed, with efforts spread domestically, regionally and multilaterally, as seen in the chart below:

Table 1: Global Efforts to Regulate Data

Table 1: Global Efforts to Regulate Data Source: Gateway House Research
Source: Gateway House research

Experts at the Centre for International Governance Innovation in Waterloo, Canada, point out that the technology structure of the world is divided into three blocs or silos.[8]the ”authoritarian” approach by countries like China which call for “internet sovereignty”,[9] the consumer/individual-centric approach by Europe called GDPR (General Data Protection Regulation), and the “commercial/open internet”[10] outlook of the U.S., which has allowed Big Tech companies to set the rules regarding data use.[11] (See table) The rest of the world, including countries like India, Canada, Japan, Australia, the African continent have not yet found a pole position – nor may they want to.[12]

Table 2: Existing global data blocs

Table 2: Existing global data blocs Source: Gateway House research
Source: Gateway House research

As a result of these differing methods, international consensus on data regulation has been missing.[13] Data is being called the new electricity[14] and its centrality to modern existence needs an international treaty with binding rules for issues that transcend boundaries. Such a document will only be effective if countries which lead in the digital space are on board, and will address the critical issues of security, privacy, and anti-trust.

A model exists in the Paris Climate Agreement, continuing the principle of common but differentiated responsibilities, and in the International Covenant for Civil and Political Rights, which protects the right to privacy. With data, these principles mean creating a pathway toward a cooperative data framework that does not place onerous responsibilities on emerging nations, and protects democratic freedoms and privacy from state surveillance.

While drafting a data regulation treaty, the following principles from the Paris Climate Agreement can be emulated:

  • Capacity-building in areas like infrastructure development for local data centres and related skills, so countries that are still developing technologically can mitigate the undue influence of, and negotiate with, Big Tech players on an equal footing.
  • Collaborative financing mechanisms, like Development Impact Bonds and Social Impact Bonds to enable best practices on data storage.[15]
  • Establish a Transparency Framework, where countries provide information on steps taken to regulate and protect data.
  • Compensation for loss and damages for unauthorised use or leakage of data.

Getting to this point will be an arduous task. Most immediately, it can be addressed by the G20 which is already seized of the matter. Even there, the difference in outlooks on data and in technological development of member states has held up consensus as was the case with the Osaka Track,[16] which India, South Africa, Indonesia, and Egypt elected to stay out of.

An alternate data protection framework is offered by India Stack.[17]  The consent layer, which is the Data Empowerment and Protection Architecture,[18] seeks to give individual users control of their data; i.e. who has access to the data, for how long, and for what purpose. This is a ready way to bring developing countries on board.  It helps to create an equal relationship between corporations, government, and individuals, and will thus be better able to address the three prongs of data: security, privacy and anti-trust.

Figure 1 Source: India Stack
Source: India Stack

This article was written by Kartik Ashta, Researcher, International Law Studies Programme.

This article was exclusively written by Gateway House: Indian Council on Global Relations. You can read exclusive content here.

For interview requests with the author, please contact

© Copyright 2021 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited.


[1] Hiranandani Group to Invest Rs 8,500 Crore For Industrial-Data Centre Park In West Bengal, Press Trust of India, Bloomberg Quint, February 15, 2021, available at:

[2] e Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, 25 February 2021, available at:

[3] Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2021 Available at:;fileType=application%2Fpdf

[4] Report on The Investigation Into Russian Interference In The 2016 Presidential Election, Special Counsel Robert S Mueller III, Vol. I, March 2019, available at:

[5] Violent Cow Protection in India, Human Rights Watch, February 18, 2019, available at:


[7] Daniel Coleman, Digital Colonialism: The 21st Century Scramble for Africa through the Extraction and Control of User Data and the Limitations of Data Protection Laws, 24 Michigan Journal of Race and Law, 417, (2019), available at:

[8] Kieran O’Hara and Wendy Hall, Four Internets: The Geopolitics of Digital Governance, Centre for International Governance Innovation, CIGI Papers No. 206 — December 2018, available at:

[9] Id

[10] Id

[11] Id

[12] Id

[13] Ambika Khanna, Decoding Data Localisation, Gateway House, 4 July 2019,

[14] Nandan Nilekani Interview with Shoma Chaudhury,

[15] Centre for Global Development, Rita Perakis, First Development Impact Bond is Launched,

On June 16, 2014 the UBS Optimus Foundation, Children’s Investment Fund Foundation, Educate Girls and Instiglio announced the launch of a Development Impact Bond (DIB) pilot to improve educational outcomes in Rajasthan, India. This DIB was the first of its kind in the world, and has now become a standard form to fund development projects.

[16] Osaka Declaration on the Digital Economy, 28 June 2019,

[17] India Stack, available at:

IndiaStack is a set of APIs that allows governments, businesses, startups and developers to utilise an unique digital Infrastructure to solve India’s hard problems towards presence-less, paperless, and cashless service delivery. The Open API team at iSPIRT has been a pro-bono partner in the development, evolution, and evangelisation of these APIs and systems.

[18] India Stack, Data Empowerment and Protection Architecture, available at: