First Principles | Cross-border data transfer needs a whitelist and a blacklist

So, what’s an AI model? Simply put, it is a mathematical equation that can recognise patterns and make predictions. But to do that, it must be trained. How? Imagine many pictures of dogs and cats. A model must be built that distinguishes between them. The model is trained by feeding it many examples of pictures of dogs and cats that are labelled as such. Once trained, it can predict dogs and cats based on the patterns it has learned. In a more complex way, this is how Netflix or Amazon make recommendations.

The outcomes of even more experiments in fintech and health care are being watched closely by diplomatic circles in Europe, Australia, and South America. This column has been tracking the developments and had first flagged it off on these pages in August last year when there was a hullaballoo around a claim that IRCTC planned to sell passenger data. One of the intents of that plan was to build AI models.

A source at the Ministry of Electronics and IT (MeitY) had then said that while he did not rule it out, it looked unlikely right away. This was mainly on account of the absence of a Personal Data Protection (PDP) Act. There were concerns that if the IRCTC sells passenger data, there will be blowback from civil society. Moreover, there was no reason for the IRCTC to become the “Training Data Providers” of AI models.

In the absence of a law, it is unlikely that “Training Data Consumers,” either from India or other parts of the world would be trusted. How would anyone know that the data shared is not compromised? For that matter, how will the data “Provider” know that data they share will not be misused? Clearly, much water has passed under the bridge since. The Personal Data Protection Bill that was introduced in November last year is now expected to be approved by Parliament in this monsoon session.

While this is good news, there was yet another headline, ‘Cross border data flows to be permitted soon’ which deserves scrutiny because there’s a backstory to it. While Indian companies may be comfortable with the current regime and a lack of adequate data protection laws, those outside the country need assurances over and above the fact that their data is safe. As a European diplomat put it, speaking off-the-record: “How can we be sure the Indian government will not use it as a tool to arm-twist us during trade negotiations going forward?”

While the Data Protection Bill commits to doing that, for cross-border data flow, a country must be on the government’s whitelist. This can be a capricious process. To do away with this, public policy professionals suggested all countries be whitelisted. And to create a blacklist only for those countries that India needs to be wary about. This is easier to create, takes the capriciousness out of the decision-making process, and handles the kind of concerns the European diplomat flagged.

Prasanto Roy, a New Delhi-based technology policy consultant who works as an advisor to the Indian government, explained this in greater detail over text: “Our problem (one of many) was that the ‘trusted nations’ would be notified by the government without any transparency or clear timeframe, and likely used as levers in trade talks or other negotiations.” But when a whitelist is a default, you can get down to business right away. “This would put the pressure on the government to come out more quickly with the blacklist, to ensure that data isn’t transferred to China, Pakistan, North Korea et al,” Roy explains.

It is the kind of assurance that puts diplomats and visiting heads of state at ease to do business with India.