BRICS is an international association made up of five countries – Brazil, Russia, India, China, and South Africa. Taken together, their population forms about 42% of the world's overall population. It's therefore little surprise that the five countries, albeit some more intensely than others, are becoming major economic and political influences. They are also becoming more focused on innovation, which was the subject of the last BRICS summit last month in Brazil: "BRICS: Economic Growth for an Innovative Future".
Indeed, the focus of the summit seemed to be strengthening the mutual co-operation in innovation, and the digital economy. The latter is particularly relevant because of the population statistic mentioned earlier – almost half of the world's population logically generates almost half of the world's data. This data is undoubtedly viewed as an asset – and it is. And like any assets, it needs protection from newly emerging threats like cybercrime. That is, at least, the point of view of some BRICS countries – we'll explore the examples below.
These governments are, of course, not alone in this approach – the adoption of the GDPR's strict rules on data protection, for example, shows that the European regulators see the value of, and the risks posed to, personal data circulating in the digital space.
To an extent, some provisions of the GDPR hint at personal data sovereignty – references to countries without adequate personal data protection in place as "third" countries, for instance. Some efforts taken by BRICS' are, however, much more significant, as we'll see in due course – in fact, the phenomenon is referred to as "digital sovereignty".
What is Digital Sovereignty?
The earliest definition of the concept was provided by the CEO of a French radio station Pierre Bellanger, who stated in 2011 that "Digital sovereignty is control of our present and destiny as manifested and guided by the use of technology and computer networks".
Whether this definition still applies today is another matter. GDPR is an example of an attempt to standardize digital sovereignty – arguably one of the first of its kind. However, it is hard to imagine the definition still being valid in the age of surveillance capitalism, data brokering and some states trying to regulate the internet to their gain rather to the gain of the people for whom it was intended in the first place.
We'll now take a look at whether the BRICS countries are doing exactly that.
The countries aren't opposed to innovation – far from it, in fact. Co-operation in the field of cybersecurity and combating threats has been discussed more than once. Brazil, for instance, is on its own cybersecurity strategy at present. It has also signed into law last year the LGPD – the country's GDPR counterpart. Its provisions related to the extra-territorial application are even wider than GDPR's – primarily aimed at protection of data of Brazilian citizens, whenever they may be located – but in other ways, the two laws are quite similar. It also imposes strict information security standard.
Set to apply from 2020 onwards, the LGPD is the only standard in the BRICS countries for data protection that could come close to the European Regulation. It remains to be seen whether it'll be the subject of discussion at the next BRICS summit in Russia.
This year, the Russian Federation has adopted a package of laws commonly referred to as the "sovereign internet" legislation. Many media outlets have been speculating about whether the country could really "create its own internet". In fact, the stated purpose of the law is to ensure the sovereignty of Russia's internet in the event of it being disconnected from the global network and counteract cyber threats. All traffic within the country must pass through checkpoints controlled by the communications watchdog, Roskomnadzor.
The law has been heavily criticized by activists for being aimed, in reality, at restrictions of civil liberties. At present, it's only a framework of federal-level laws, and secondary legislation is expected to follow. It's expected that these legal acts will follow the same top-down approach to Internet regulation so common for Russia.
For instance, in 2015, Russia has passed a law requiring personal data operators to store that data on a Russian server. Cross-border transfer is permitted, provided that the data was initially stored on a server inside Russia.
The case of LinkedIn blockage on Russian territory was probably the most famous example of the authorities exercising that law. Facebook and Twitter still haven't complied, and Roskomnadzor threatens them with blockage from time to time. Until last month, it wasn't an issue because the fines for non-compliance were only about $40. Today, they are over $200k high, so the Internet companies ought to perform a good risk assessment of working and localizing in the country.
Similarly to Russia, India has also recently been considering a data localization policy. Currently, it only affects payment systems. However, the draft Personal Data Protection Bill of 2018 requires storage of personal user data within Indian territory. It will most likely be considered by the Parliament soon.
Both the Personal Data Protection Bill and Russia's localization law have faced criticism from the tech industry players. That's to be expected, given how much a lot of them profit from surveillance capitalism. In addition, it is on the surface contradictory to the idea of the Internet as a "global" phenomenon. However, it's also a way to give the companies at home a competitive advantage – if they own the commodity that is the citizens' data on the country's territory, they can use it internally to develop their business.
Out of all BRICS countries, the People's Republic of China is arguably the biggest investor in 5G and other tech innovations. However, it currently also has the most restrictive Internet policies.
A few years ago, PRC has announced in a white paper that it will emphasize digital "sovereignty" over a global Internet. The justification for that was concern about cyber-attacks from outside. China has since become known as the pioneer of cyber sovereignty – government-controlled Internet and data streams. There's also a localization requirement for the data to be stored in China and made available at the authorities' request. So, unlike Brazil, which has implemented a data protection policy that seems to benefit the citizens, China is using the concept of sovereignty to focus more on control.
The Russian plan for the sovereign Internet and the general approach to digital sovereignty has been compared to China's more than once. At present, however, it's hard to say whether it'd work in the same way since it has only just entered into force, with no precedents to back it up.
The South African Republic's privacy is governed by the common law and the constitutional principles and the Protection of Personal Information Act (POPIA). Unlike its BRICS counterparts, this country doesn't place an emphasis on digital sovereignty as such. Indeed, the POPIA was the first codification of the common law principles related to data privacy, and not all of its provisions are in force yet.
The ones in force aren't as strict as the GDPR or the LGPD. For example, there's no data localization requirement, although there's an article about secure cross-border transfer of personal data. South Africa is generally less enthusiastic than Russia or China about the BRICS Internet idea.
Is digital sovereignty about data protection or control?
On the one hand, the protection of an important asset like personal data of its citizens is a must to foster a digital environment that is both strong and sustainable. GDPR's influence hasn't just been prevalent in Europe – people all over the world have gained more awareness of their rights related to personal data and are demanding better protection as a result. BRICS countries are no exception.
However, governments need to maintain the balance between the protection of citizens and their data and controlling it. For that reason, policy alone isn't sufficient – relying on it alone could lead to a phenomenon known as the internet Balkanization. It can only go so far if people don't actually know what's being done to their data. Educating the citizens of BRICS countries about the digital space at a wide scale is hard to do, given that they make up almost half the planet's population, but it's a big step towards ensuring proper sovereignty of their data.