Data is the new oil as it has gradually evolved as a valuable commodity that can be bought and sold, and serves as a strategic resource for nations. Indeed, digital assets now matter far more than physical ones. The Internet, it has become clear, is not so free, after all as users are paying in the form of personal information, which is collected by “data brokers” and sold to third parties.

In 2018, news broke out that the political consulting firm Cambridge Analytica had harvested personal data from tens of millions of Facebook users and sold it to political campaigns. The scandal showed how malicious actors could wield data to threaten the democratic process, and it led to a congressional hearing featuring an apologetic Mark Zuckerberg, the CEO of Facebook, and prompted broader soul-searching about the power of massive technology companies. Growing concerns about the power of the companies that collect and sell personal data have led to calls for governments to fundamentally rethink their approach to regulating the Internet.

Different governments have approached the question of Internet regulation in very different ways. The United States has taken a market-centric approach, with light or no regulations, allowing innovators room to grow rapidly. Europe has taken a more activist approach to Internet regulation, especially when it comes to privacy. For instance, the EU’s General Data Protection Regulation, or GDPR, went into effect. Before the law, citizens signing up for an online service were required to educate themselves about their rights and what they were consenting to. In a major improvement, the GDPR shifts the burden for privacy and security onto to the service providers. It establishes strict rules governing how firms collect and handle personal data and sets forth steep fines for violations. But it’s important to recognize that the GDPR is primarily a legal solution; it can only seek to deter, not prevent, malicious actors from putting their business needs over the interests of the user.

It is in Asia, however, where the future of the Internet is most likely to be written. China and India are the two largest markets for the Internet in the world, with 772 million and 481 million users, respectively. They are also the top two smartphone markets, and together they constitute 39 percent of the world’s 830 million youth on the Internet. As developing countries, both are free of the baggage of legacy systems that the Internet had to disrupt.

China sees the Internet as something to be controlled and censored. Under the banner of “cyber-sovereignty,” the government has attempted to keep Chinese cyberspace cordoned off from the larger Web and to control the information available to its citizens. Famously, it has built “the Great Firewall,” which blocks access to foreign websites and platforms. Chinese officials claim that their objective isn’t simply to protect personal information but to protect national security, too. Compared with the GDPR, it cover more types of data and require more stringent security precautions. The rules also mandate that certain data must remain inside China’s borders at all times, so that the government has jurisdiction over its use. China is the only country to create rivals that match the size of the U.S. tech giants, with the homegrown companies Alibaba, Baidu and Tencent.

In August 2017, the requirement for a law on the protection of personal data was first recognized by the Supreme Court of India in Justice KS Puttaswamy vs Union of India. It explicitly recognized an individual’s fundamental right to privacy and paved the path for a foundational legislation on the protection of personal data. It was closely followed by the release draft law by the Committee of Experts, chaired by Justice B N Srikrishna. On 27 July 2018, the committee submitted the draft Personal Data Protection Bill, 2018, along with its report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” to the central Government.

India believes the solution lies in a different approach. Instead of seeking to exert tighter control over the Internet within its borders, the country has created open digital platforms from scratch and tailored them to the Indian context.

The draft bill imposes restrictions on the cross-border transfer of personal data. This is achieved by a non-exclusive localization mandate where a data fiduciary is to ensure the storage of one serving copy of all personal data. Additionally, an exclusive localization mandate requires that critical personal data shall only be processed in a server or data centre located in India. What constitutes critical personal data shall be notified by the central government. Much of industry worries that localization will lead to multiple jurisdictions with different legal frameworks, adding to the complexity of data protection in the digital age.

Localization is not the only issue. The new Indian law is expected to address, as well, the question of who owns data – the user or the technical platform. Meanwhile the proposed legislation controversially so far fails to address how new technologies such as IOT (Internet of Things) devices like ‘Alexa’, create new challenges by collecting ambient data. Most technology companies like Google, Facebook and others now thrive on data generated by their users to earn billions of dollars worldwide.

The reason for foreign companies to oppose data localization is mainly that the cost involved would be significant as they would have to set up servers and the entire required infrastructure including hiring of personnel to store data in India. RBI made data localization for payments system mandatory in 2018.

The data protection law embodied the principle that the state must be a model data controller and prescribed a higher standard of observance for the state. The law also recognised and proscribed the practice of making access to essential services contingent on the citizen parting with irrelevant personal information. This law established an effective privacy commission that is tasked with enforcing, protecting and fulfilling the fundamental right to privacy implemented through the specific rights under the legislation.

Digital data and the pervasive intelligence that it provides about people, and about artefactual and natural phenomena, is the very basis of a digital economy. An important digital policy requirement is to enable people to retain control over their personal information. They should be able to entirely deny access to some kinds of it, and share others only with trusted parties. They should further be able to know and control any subsequent uses of their personal information, abuse of which can cause serious harm. Based on these guiding principles, data need to be used as the fuel of the modern economy.