Quiz: Global South Perspectives on Data Governance

Test your understanding before moving to the next chapter. Target: 70% or higher to proceed.


Section 1: Multiple Choice (1 point each)

1. Data colonialism, as discussed in this chapter, is best defined as:

  • A) The practice of building data centers in former colonial territories to take advantage of lower labor costs
  • B) The extraction of data from populations in the Global South by corporations and governments in the Global North, replicating patterns of colonial-era resource extraction through digital infrastructure dependency, platform dominance, and unequal data flows
  • C) The use of colonial-era census data by modern governments
  • D) The requirement that Global South countries adopt GDPR-compliant data protection laws
Answer **B)** The extraction of data from populations in the Global South by corporations and governments in the Global North, replicating patterns of colonial-era resource extraction through digital infrastructure dependency, platform dominance, and unequal data flows. *Explanation:* Section 37.1 defines data colonialism as operating through multiple mechanisms: digital infrastructure controlled by Global North corporations, platform dominance that extracts data from Global South users, unequal terms in data sharing agreements, and the imposition of governance frameworks designed for different contexts. The parallel to historical colonialism is structural: raw materials (data) are extracted from the periphery, processed in the center (Silicon Valley, etc.), and the value accrues to those who control the processing infrastructure.

2. India's Aadhaar system is:

  • A) A social media platform
  • B) A biometric digital identity system that assigns a unique 12-digit number to residents, linked to fingerprints and iris scans
  • C) A data protection law modeled on the GDPR
  • D) An agricultural data cooperative
Answer **B)** A biometric digital identity system that assigns a unique 12-digit number to residents, linked to fingerprints and iris scans. *Explanation:* Section 37.3 describes Aadhaar as the world's largest biometric identity system, covering over 1.3 billion people. It links a unique number to biometric data (fingerprints, iris scans) and demographic information, and serves as the foundation for India's digital public infrastructure — enabling access to bank accounts, government subsidies, tax filing, and other services. The system is simultaneously praised as a tool for financial inclusion and criticized as a surveillance infrastructure with inadequate governance protections.

3. The African Union's Data Policy Framework differs from the GDPR primarily in:

  • A) The AU framework does not address privacy at all
  • B) The AU framework emphasizes collective rights, development goals, and data sovereignty alongside individual privacy protections
  • C) The AU framework requires all data to be stored within Africa
  • D) The AU framework applies only to government data, not private sector data
Answer **B)** The AU framework emphasizes collective rights, development goals, and data sovereignty alongside individual privacy protections. *Explanation:* Section 37.2 explains that while the AU Data Policy Framework shares some features with the GDPR (consent, purpose limitation, data subject rights), it places greater emphasis on Africa-specific priorities: harnessing data for development, ensuring data sovereignty, building continental data infrastructure, and recognizing collective (not just individual) rights to data. This reflects the AU's concern that Global North frameworks, designed for economies where data infrastructure already exists, may not address the specific challenges of data governance in contexts marked by infrastructure dependency and development imperatives.

4. "Digital extractivism" refers to:

  • A) The mining of cryptocurrency using renewable energy sources
  • B) The extraction of natural resources guided by digital mapping technology
  • C) The systematic extraction of data value from populations in ways that parallel resource extraction, where raw data is taken from communities and the economic value accrues elsewhere
  • D) The digitization of historical archives from the colonial period
Answer **C)** The systematic extraction of data value from populations in ways that parallel resource extraction, where raw data is taken from communities and the economic value accrues elsewhere. *Explanation:* Section 37.1 describes digital extractivism as a conceptual framework for understanding how data flows from the Global South replicate patterns of resource extraction. Just as colonial economies extracted raw materials from the periphery and processed them in metropolitan centers, the contemporary data economy extracts data from Global South users through platforms, processes it using algorithms and infrastructure controlled by Global North corporations, and returns the value primarily to shareholders and advertisers in the Global North.

5. The concept of "leapfrogging" in data governance refers to:

  • A) Global South countries copying GDPR regulations without adaptation
  • B) The possibility that Global South countries can skip problematic governance patterns that the Global North adopted historically and move directly to more progressive models
  • C) Technology companies expanding rapidly into new markets
  • D) The practice of adopting the latest technology without testing
Answer **B)** The possibility that Global South countries can skip problematic governance patterns that the Global North adopted historically and move directly to more progressive models. *Explanation:* Section 37.5 discusses leapfrogging by analogy to how many African countries skipped landline telephone infrastructure and moved directly to mobile networks. In data governance, leapfrogging might mean adopting community-based data governance models rather than passing through a phase of corporate-dominated data extraction, or building data cooperatives before plutocratic platform models become entrenched. The feasibility of leapfrogging depends on political will, institutional capacity, and the availability of viable alternatives.

6. Sofia Reyes's experience growing up near the US-Mexico border is relevant to this chapter because:

  • A) She is from the Global South
  • B) Border surveillance illustrates how data governance operates at the intersection of the Global North and Global South, and how surveillance technologies are deployed against populations that cross or live near that boundary
  • C) Her work at DataRights Alliance focuses exclusively on Latin American issues
  • D) She developed the GDPR
Answer **B)** Border surveillance illustrates how data governance operates at the intersection of the Global North and Global South, and how surveillance technologies are deployed against populations that cross or live near that boundary. *Explanation:* Section 37.6 connects Sofia's firsthand experience of border surveillance — biometric collection, facial recognition, drone monitoring, digital device searches — to the broader theme of data governance at the Global North-South boundary. Border spaces are where the power asymmetries between jurisdictions become physically manifest, and where surveillance technologies developed for national security purposes are deployed against some of the world's most vulnerable populations.

7. India's Digital Personal Data Protection (DPDP) Act is notable for:

  • A) Being identical to the GDPR in all respects
  • B) Banning all data collection by government agencies
  • C) Exempting government agencies from many data protection provisions, raising concerns about surveillance and accountability
  • D) Requiring all data to be processed using open-source software
Answer **C)** Exempting government agencies from many data protection provisions, raising concerns about surveillance and accountability. *Explanation:* Section 37.3 discusses the DPDP Act's government exemptions as one of the most contested features of the law. The exemptions allow government agencies to process personal data without obtaining consent and without some of the data minimization and purpose limitation requirements that apply to private sector entities. Civil society organizations have argued that these exemptions effectively create a two-tier system in which citizens are protected from corporate data practices but not from government surveillance.

8. Nigeria's NDPR (Nigeria Data Protection Regulation) is significant because:

  • A) It was the first data protection regulation in any African country
  • B) It demonstrates that African countries are developing their own data protection frameworks rather than simply adopting Global North models wholesale
  • C) It is identical to COPPA
  • D) It was developed by a US consulting firm
Answer **B)** It demonstrates that African countries are developing their own data protection frameworks rather than simply adopting Global North models wholesale. *Explanation:* Section 37.2 discusses the NDPR (and its successor framework, the Nigeria Data Protection Act) as an example of African data governance innovation. While influenced by the GDPR, the Nigerian framework reflects local priorities and institutional realities — including the relationship between data protection and Nigeria's growing digital economy, the capacity challenges of regulatory enforcement, and the specific risks of data extraction by international platform companies operating in Nigeria.

Section 2: True/False with Justification (1 point each)

9. "Data colonialism is merely a metaphor — it does not describe any real structural relationship between the Global North and Global South."

Answer **False.** *Explanation:* Section 37.1 argues that data colonialism describes real structural relationships, not merely metaphorical ones. The mechanisms are concrete: Global South populations generate data through platforms owned by Global North corporations; that data is stored on infrastructure located in or controlled by Global North jurisdictions; the economic value of data analysis accrues primarily to Global North shareholders; and the governance frameworks applied to this data are designed by Global North institutions. The colonial parallel is not merely rhetorical — it identifies actual patterns of extraction, dependency, and unequal value distribution.

10. "The GDPR's 'adequacy' mechanism — which restricts data transfers to countries deemed to have inadequate data protection — incentivizes Global South countries to adopt GDPR-like laws regardless of whether those laws suit their local contexts."

Answer **True.** *Explanation:* Section 37.4 discusses how the GDPR's adequacy mechanism creates pressure on Global South countries to adopt data protection frameworks that mirror the GDPR in order to maintain data flows with Europe. This pressure can lead to the adoption of laws that are formally GDPR-compliant but poorly adapted to local institutional capacity, enforcement resources, and governance priorities. The result is a form of regulatory imperialism: Global South countries adopt frameworks designed for a different context because the economic costs of non-adequacy are too high.

11. "India's digital public infrastructure model (Aadhaar, UPI, DigiLocker) has been adopted without modification by multiple African countries."

Answer **False.** *Explanation:* While several countries have studied India's DPI model, the chapter notes that direct adoption without modification is neither practical nor desirable. Each country's governance context, institutional capacity, and population needs differ. The interest in India's DPI model reflects a broader trend of South-South learning — Global South countries drawing lessons from each other rather than exclusively from the Global North — but responsible adaptation requires modifying the model to fit local contexts, not transplanting it wholesale.

12. "Data localization — requiring that data generated within a country be stored on servers within that country — is universally supported by Global South advocates as a solution to data colonialism."

Answer **False.** *Explanation:* Section 37.4 discusses data localization as a contested strategy. Some advocates support it as a means of asserting data sovereignty and ensuring that domestic governance frameworks apply to domestic data. But others note significant limitations: localization can be used by authoritarian governments to facilitate domestic surveillance; many Global South countries lack the infrastructure to host large-scale data processing locally; and localization may increase costs for local businesses and reduce access to global services. Data localization addresses one aspect of data colonialism (geographic control) while potentially creating new governance problems.

13. "Community data governance models — including data cooperatives and data commons — have been implemented in the Global South, not just theorized."

Answer **True.** *Explanation:* Section 37.5 provides multiple examples of community data governance in practice in the Global South: agricultural data cooperatives in East Africa, community health data governance initiatives in India, and artisan data cooperatives in Latin America. These are not merely theoretical proposals but operational governance structures that are generating evidence about the feasibility and effectiveness of alternatives to corporate and state-controlled data governance.

Section 3: Short Answer (2 points each)

14. Explain the concept of "infrastructure dependency" in Global South data governance and identify two specific governance risks it creates.

Answer Infrastructure dependency refers to the reliance of Global South countries on digital infrastructure — cloud computing platforms, undersea cables, domain name systems, content delivery networks, mobile operating systems — that is owned, operated, and governed by corporations headquartered in the Global North. This dependency creates governance vulnerabilities because the infrastructure through which a country's data flows is subject to another country's laws, corporate policies, and geopolitical interests. Two specific risks: First, jurisdictional risk — data stored on cloud servers in the United States is subject to US law (including the CLOUD Act, which allows US law enforcement to compel access to data stored abroad by US companies), regardless of where the data was generated or what the originating country's data protection law requires. Second, platform risk — when a country's educational, health, or government systems depend on a single platform (e.g., Google, Microsoft, AWS), that platform's unilateral decisions about pricing, data access policies, or service continuity can affect critical national functions without any governance input from the affected country.

15. Describe the Puttaswamy decision by India's Supreme Court and explain its significance for data governance in India and beyond.

Answer The Puttaswamy decision (Justice K.S. Puttaswamy vs. Union of India, 2017) was a landmark ruling by the Supreme Court of India that established privacy as a fundamental right under the Indian Constitution. The nine-judge bench unanimously held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21. The decision's significance for data governance is threefold. First, it established the constitutional foundation for data protection legislation in India — the DPDP Act (2023) was developed in response to the Court's directive to create a comprehensive data protection framework. Second, it provided a legal basis for challenging Aadhaar's most expansive data collection practices, leading to subsequent rulings that limited Aadhaar's mandatory use. Third, it demonstrated that Global South courts can develop privacy jurisprudence grounded in their own constitutional traditions rather than merely importing Western legal frameworks — the decision draws on Indian constitutional principles, not the GDPR.

16. How does the chapter's discussion of data colonialism complicate the "consent fiction" theme that runs throughout the textbook?

Answer The consent fiction is compounded in the Global South context by multiple additional layers. First, information asymmetry is more extreme: users in the Global South may have even less access to information about data practices because privacy policies are written in colonial languages (English, French) rather than local languages, and digital literacy rates may be lower. Second, the "choice" to use platforms is even less voluntary when those platforms are the only available infrastructure for essential services — in many Global South contexts, Facebook is effectively the internet, and refusing to use it means cutting oneself off from communication, commerce, and public services. Third, the consent is given to entities (US or European corporations) that are subject to governance frameworks (US law, GDPR) in which Global South populations have no democratic representation — they are governed by rules they had no role in creating.

Section 4: Scenario Analysis (3 points each)

17. A multinational agricultural technology company collects soil quality, weather, and crop yield data from smallholder farmers in three East African countries through a free mobile app. The company uses this data to build predictive models that it sells to large commercial farming operations and commodity traders worldwide. The smallholder farmers receive weather forecasts and basic crop advice through the app but do not share in the revenue generated by their data. Analyze this scenario using the concept of data colonialism. What governance mechanisms could address the power asymmetry?

Answer This scenario exemplifies data colonialism in the agricultural sector. The structural parallel to colonial-era extraction is direct: raw materials (agricultural data) are extracted from producers in the Global South, processed by a corporation headquartered elsewhere, and the economic value is captured by actors who did not generate the data. The "free app" functions analogously to colonial trading posts that exchanged manufactured goods for raw materials at terms set by the colonizer. The power asymmetry operates at multiple levels: the farmers have limited bargaining power as individuals; they may not understand the value of their aggregated data; and the legal frameworks in their countries may not provide adequate protections for agricultural data. The "consent" given through the app's terms of service is a consent fiction — farmers agree to terms they may not read or understand, in a language that may not be their first, under conditions where refusing means losing access to the only available weather and crop advice.

Governance mechanisms that could address this include:

  • (a) Agricultural data cooperatives that pool farmers' data and negotiate collectively with companies, ensuring revenue sharing;
  • (b) Data sovereignty provisions requiring that agricultural data generated within a country be subject to that country's governance frameworks, including benefit-sharing requirements;
  • (c) Transparency requirements mandating that companies disclose how farmer data is used and what revenue it generates;
  • (d) Community consent mechanisms that require approval from farming communities (not just individual farmers) before data collection begins;
  • (e) Technical infrastructure that allows farmers to share data on their terms — open-source platforms, community-managed data storage, interoperable data standards that prevent vendor lock-in.

18. A Global South country is considering adopting India's Aadhaar model to create a national digital identity system. The country has: (a) significant portions of the population without formal identification documents, (b) high mobile phone penetration but low broadband access, (c) a history of authoritarian government, (d) a young and growing tech sector, and (e) significant development aid relationships with both India and the European Union. Advise this country's government on whether and how to proceed, addressing both the potential benefits and the governance risks.

Answer **Potential benefits:** A biometric digital identity system could address the identification gap, enabling access to financial services, government programs, and civic participation for millions of people who currently lack formal ID. The mobile-first approach (leveraging high phone penetration) is appropriate for the technological context. India's DPI model provides a tested template, and South-South cooperation with India could reduce dependency on Global North technology providers.

**Governance risks:** The history of authoritarian government is a critical concern. A national biometric database, if not subject to robust governance constraints, becomes a surveillance infrastructure that an authoritarian government can use to track, profile, and control citizens. The Aadhaar model's government exemptions from data protection provisions (as in India's DPDP Act) would be particularly dangerous in this context. Biometric data is irrevocable — unlike a password, you cannot change your fingerprints if the database is compromised.

**Recommendations:**

  • (a) Proceed, but with governance-first design: establish the legal framework *before* building the technical system, not after.
  • (b) Include strong constitutional protections for biometric data, drawing on the Indian Supreme Court's Puttaswamy decision.
  • (c) Do *not* adopt India's government exemptions — in a country with authoritarian tendencies, government access must be the most constrained, not the least.
  • (d) Build in purpose limitation: the ID system should be usable for specific, enumerated services, not as a general-purpose identification and tracking tool.
  • (e) Ensure independent oversight through a data protection authority with genuine independence from the executive branch.
  • (f) Implement sunset clauses and mandatory review periods.
  • (g) Engage civil society organizations in the design process — participatory governance is both a democratic value and a practical safeguard against authoritarian misuse.

The EU development aid relationship creates an opportunity: the EU could condition aid on the adoption of governance safeguards, leveraging its "adequacy" framework as a governance floor rather than simply promoting GDPR adoption.

Solutions

Selected solutions are available in appendices/answers-to-selected.md.