Governance of Converging and Dual-Use Technologies

protection provisions such as a right to consent to all treatment of personal data, a data minimization policy, a limitation on the uses of collected data, and a right to require correction of information. The provisions of the bill in India also include protections for children, gender, and caste.

Although the South Asia region has through its acts, bills, and high court decisions made progress on data protection, critical trust-building provisions remain unaddressed, including on data misuse and misappropriation. Furthermore, many of the laws contain exceptions for government surveillance and so-called emergencies, enabling the executive to wiretap communications with a relatively low threshold. For example, in certain jurisdictions, or for certain crimes, only a low “burden of proof” standard is needed. Simple suspicion of a connection with legal wrongdoing is usually enough.

Government and private bodies in South Asian countries continue to lack the institutional preparedness needed to address and enforce data policies systematically, consistently, or fairly. Data protection authorities, where they exist, tend to have a limited mandate and capacity. India, for example, currently has no national data protection authority, and concerns have been raised that the body proposed in the Personal Data Protection Bill may struggle to build internal capacity, leading to either under-regulation or overregulation. Under-regulation would defeat the intent of the bill, whereas overregulation would add unnecessary burdens for compliant businesses. The bill also does not provide adequate checks and balances to ensure that the central government and the data protection authority exercise their vast supervisory powers in a reasonable manner (Burman 2020).

Collectively, the specific needs of and protections required by vulnerable populations, including women, children, marginalized communities, and minorities, must be addressed. Limited government awareness of the role of data and related policies in digital transformation, as well as the government’s limited capacity to develop such policies, mean that vulnerable populations are at risk, and the data illiteracy of those groups hinders their participation in demanding and designing such policies.

Converging technologies pose special governance challenges posed by (1) their dualuse properties, whereby they may have been designed for beneficial purposes but could also cause harm to populations; (2) their heavy reliance on large combined datasets; and (3) the frequent use of AI analytics in support of delegated decision-making. The extension of these technologies and the use of the data collected ostensibly for other purposes to carry out state surveillance or discrimination against minorities pose a serious risk. Responses to the COVID-19 crisis have accelerated large-scale behavioral surveillance, collection of personal and medical data that could be used subsequently for other purposes, monitoring of movements of the population, and screening of activity