INTRODUCTION
Online data transfers globally threaten data privacy and security, pushing divergent national laws and regulations to tackle each other. Although democratic societies uphold the central values of equal protection of personal information, privacy rights differ considerably across national boundaries. National differences endorse two distinct political options for the positions entrusted to the state, the economy, and the citizen in a democratic society: either liberal, market-based government or socially protective, rights-based governance. Such institutional gaps make it necessary for international collaboration to secure data privacy in cyberspace successfully.
The acceptance by the Supreme Court (Puttaswamy)[1] of a constitutional right to privacy, as well as the design of the triple test,[2] lay foundation for determining legislations that can limit the “right to privacy”. The same legislation that stretched to the “Aadhaar project[3]”, played a major role in promoting popular dissertation in India about privacy. Different countries across the globe adopted privacy protection laws, but whether these laws will benefit or harm is a debatable question. India has adopted the Data Protection Act 2018 which seems to be beneficial. However, the law’s after-effects might succumb Indian business and investments and might lead to a trade war.
WHY PRIVACY LAW IMPACT GOES WELL BEYOND PRIVACY?
Privacy laws also have two political purposes: i) to show the actions of the state to secure the interests of its citizens, and ii) to assert control over other countries and to enforce its laws and conditions on all countries worldwide.
Seeing how the global economy works, any organisation that somehow uses the personal data of citizens of any country is obligated to some degree to comply with the regulatory requirements of the respective country. For the bulk of global privacy and cybersecurity rules, this extraterritorial scope is existing.
The laws on data localisation are a ‘protectionist’ tactic in the trade war on privacy. They can be compared to import duties in terms of raising external obstacles to foreign companies’ collection of citizen’s data.
DATA PROTECTION LAWS IN INDIA
Data has become more central in our lives as everything we do today is in terms of an economic transaction or social interaction, data is all-pervasive. Privacy is no longer about any fewer things, it’s about the surveillance state and the whole capitalism run on data. Due to this, it is so central and no longer a fringe human rights issue. In fact, it is an everyday existence issue.
As far as India is concerned, the Data Protection Bill that India implemented has a huge amount of progress in terms of data protection. However, it leaves much to be desired and enforced. It creates offences and the approach for enforcement of the laws are sledgehammered by the government. In technology, the focus sector might be counterproductive. The bill doesn’t give a platform or framework for the government to interact with businesses and technology innovators to develop more efficient, usable, and practical regulation on data protection which is the need of the hour.
The government will never be the domain expert on these issues where input needs to come from industries and cutting-edge businesses before we kill innovation. As far as India’s approach is concerned, there is an element of protectionism. India wants to promote its outsourcing industry across the world and therefore restrict cross-border data flow. This is a very narrow, restrictive approach. It will result in a new form of a trade war and reciprocal restriction on India.
PRIVACY PROTECTION: A LOSING GAME FOR INDIA
The cost of doing business in India increases by forcing foreign companies to host the host data locally. It is already being done for credit card companies like Visa and MasterCard through the RBI[4]. It is also proposed to be done through a personal data protection bill for critical personal data. Through its action, what the government will be doing is increasing market entry costs, which in-turn will result in reciprocal restraints on Indian online, and outsourcing businesses using foreign data.
Given the massive industrialisation in India every further step should be taken considering its feasibility for long run. Data and the Internet can thrive only if they’re open, and the cross-border flow of data is unrestricted. However, keeping all these in mind, bringing consumers central to the whole conversation is necessary because consumers need to have certain rights and those rights should be enforced through easily accessible means. That is a balancing act that every government needs to contend with but with the current data protection laws, the government is not doing things in such a way.
USA, CHINA AND EU LAWS HECKLING DATA THEFT
According to Consultant Control Risks, policymakers in the U.S., Europe, and China treat and monitor data very differently, which is a big obstacle that corporations have to navigate in the coming years[5]. EU law is a benchmark of data protection.[6] However, being a benchmark depends on what one’s objective is? The approach that various jurisdictions have taken on privacy has been different. As far as the USA is concerned, it has taken a light-touch, almost reluctant regulation on data protection. In contrast, the EU has been more proactive and more stringent in terms of regulating the data.[7]
In China, Data is seen as an economic and potentially political benefit that needs to be safeguarded and contained within the region. In Europe, information is of vital importance and must be safeguarded, leading to a new legislation called the General Data Protection Regulation (GDPR)[8]. Meanwhile, the U.S. has traditionally seen data as commercialised, but with the data leak fallout from the Facebook and Cambridge Analytica fiasco, this practice has come into doubt[9].
These diverse methods mean that corporations will have a tougher time gathering, maintaining, and moving data inside and within those three major economies. In fact, according to the Consultant Control Risks consultancy, complicating the global context is an uptick in data security risks that companies must address when managing the different regulatory landscape in the three major economies[10].
DATA PROTECTION BILL 2018: A STEP TOWARDS TRADE WAR
It is the time to consider, given the current Indian economy, the growth trajectory that India is likely to see in the next 20 years, and the innovation that we seek to encourage and foster, we don’t want a sledgehammer regulatory approach that kills innovation. The Indian government seems to be trying to sail on two boats at the same time. The government emphasises on the ‘make for India’ and is trying to open up the FDI.[11] However, on the other end of the spectrum India is trying to have the data laws which will restrict the goal for innovation.
Data laws aren’t the problem. The problem is creating criminal offenses out of minor misdemeanours. One can’t use a nuclear bomb to kill a fly. Assigning corroborative punishments could have been a fair deal. Such sledgehammer approach will make the laws counterproductive.
It is very important to preserve the quality of the Internet. The Internet has changed the way to do business, it has completely collapsed costs of capital. Building data protection laws that restore capital costs are going to be counterproductive. For instance, the data protection bill requires consent managers and data protection officers of significant data collectors to be hosted locally. The length of time between a business, for example, Facebook becoming popular and having a whole host of consumers and be able to open up physical offices in various parts of the world is hugely short. So, people have no option but to restrict themselves to all these new-age businesses that will become popular in a matter of months. The business which will be a significant data fiduciary that connects a significant amount of data over a very short period. The Indian government will ask for appointing Data Protection Officer then.
These things are going to isolate India from the market. For example, we take great pride in the Indian market being a huge market and it will offset the regulatory cost but that is not true. The math doesn’t add up for every Facebook consumer in India or South Asia. Facebook owns about $40 on average versus a consumer in the United States where Facebook owns $120[12]. Therefore, the purchasing power comparison is just queued. If India’s continues with a sledgehammer, restrictive regulatory approach, it will neither protect data nor will it help innovation, it will only kill the sector. All these great ideas about data protection will all be lost if the enforcement mechanism is just a strangulation of innovation. India needs an everyday compliance mechanism where it can impose penalties depending on the misdemeanour and the harm caused. Criminal offence doesn’t serve the purpose of this context. The Companies Act is a different ballgame; but as far as data is concerned, it will be used willy-nilly every day and, in all businesses, so you can’t penalise businesses for doing business. The government needs to find a way where one is able to strike balance.
CONCLUSION
Technology is becoming a critical weapon to assist any global enforcement program in the latest whirlwind of privacy laws. Software programs cannot fix all privacy and security problems for us, but they can effectively free up our hands for the critical enforcement tasks ahead of us. It is only fair to see technology help us solve some of these newly raised problems, with the entire dilemma of a privacy trade war being set off by exponential advances in data usage by technologies.
Privacy protection is a hurdle that India has to get rid of. However, seeing the sledgehammer regulatory approach through the data protection bill, the future seems oblivious. Even in the European Union which is the most stringent and most restrictive privacy regime globally, there are no criminal offences. The idea of data protection in India should be similar. India proposes the anonymous Asian standard, that data should be anonymized irreversibly. However, it is technologically impossible. No data can ever be universally anonymized. One could apply various technological means to re-identify the same data resulting in a criminal offense under the current proposal. Moreover, it is not even a standard in the EU, the most stringent data privacy regime. Therefore, through the current law in presence, we are looking at an unrealistic protection regime that will not even cover the rights it seeks to give citizens. Furthermore, there won’t be any innovation; no new online products will come to India in the market; Indian consumers will have a very restrictive internet experience and ultimately people will have to circumvent.
With the internet, territorial jurisdiction is not a challenge anymore, people will host websites out of other countries and outside the reach of any enforcement agencies and still continue to do what they were doing before. Hence, the law that the government was enforcing serves no purpose. Therefore, while dealing with the privacy trade war India has to have laws that solve the intricacies at a wider extent.
This article has been authored by Ujjawal Vaibhav Agrahari, 2nd year student of National Law University Odisha.
[1] Justice K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[2] Modern Dental College & Research Centre & Ors v. State of Madhya Pradesh & Ors, AIR 2016 SC 2601
[3] Justice K. S. Puttaswamy v. Union of India, (2019) 1 SCC 1 [4] Rule 2(1)(i)
[4] Aditya Kalra, Mastercard says storing India payments data locally in face of new rules OCTOBER 30, 2018 https://www.reuters.com/article/us-india-data-localisation-mastercard-idUSKCN1N4204
[5] Julia Coym, Uncertainty in EU-China ties sees companies caught between opportunity and risk, https://www.controlrisks.com/campaigns/china-business/uncertainty-in-eu-china-ties-see-companies-caught-between-opportunity-and-risk
[6] Supreeth Shastri, Vinay Banakar, Melissa Wasserman, Arun Kumar, Vijay Chidambaram, Understanding and benchmarking the impact of GDPR on database systems, Proceedings of the VLDB Endowment (March 2020)
[7] Paul M. Schwartz and Daniel J. Solove, Reconciling Personal Information in the United States and European Union, California Law Review 102 (August 2014)
[8] European Commission, Data protection in the EU, https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
[9] Nicholas Confessore, Cambridge Analytica and Facebook: The Scandal and the Fallout So Far, THE NEWYORK TIMES (Newyork) April 4, 2018
[10] COYM, supra
[11] Reuters Staff, India eases foreign investment rules for several sector to boost growth, Reuters August 28, 2019
[12] Facebook and Bain & Company, A Sync Southeast Asia Report Riding the Digital Wave Southeast Asia’s digital consumer in the Discovery Generation, (2019)
Comments