With data being borderless and accessible, sovereign states often face the challenge of governing and regulating data. Across civilisations and generations, we have witnessed how evolution is inextricably linked to the exchange of information and ideas - that is exactly why the free flow of data is crucial and hence, regulation is inevitable.
The challenge of regulation primarily relates to the possibility of jurisdictional conflict of data protection laws around the world and the need for balance between overlapping fundamental rights.
While we see that the European Union, California, and South Africa have enacted the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Protection of Personal Information Act (POPI Act) respectively, balancing the competing interests of stakeholders in the Democratic Republic of India seems to be taking longer than expected.
In the context of understanding data, it becomes important to think through the impact that each type of data creates. Such impact has led to the need for segregation into personal data, sensitive personal data, critical data, and non-personal data.
The Personal Data Protection Bill, 2019 ("PDP Bill"), follows a long line of privacy jurisprudence in India that has been influenced by global developments as well as the country's own constitutional jurisprudence. Though the constitution does not explicitly mention the right to privacy, Indian courts have held that the right to privacy exists under the right to life guaranteed under Article 211. Since the recognition of right to privacy as a constitutionally protected fundamental right, the Data Protection Bill, 2019 has been formulated to fulfill the twin objectives of protecting personal data while unlocking the data economy.
In the context of the framework for data protection adopted internationally, Lee A. Bygrave has set out the basic tenets that they entail:
The key objectives for the data protection regime in India are set out below:
I. Need for single statute legislation and addressing ambiguities in the current framework
Regulatory ambiguity and inaction have been the primary reasons why instances of data breach have been grossly undervalued. Lack of awareness on the importance and impact of personal data may be called into question only after such primary reasons are addressed.
In the absence of a single statute legislation for protection of data in India, suitable remedies and preventive mechanisms have been provisioned under several sector-specific regulations and other legislations including the Information Technology Act, 2000 ("Act") and relevant rules formulated under the act, Payment and Settlement Systems Act, 2007, Indian Telegraph Act, 1885 and SEBI Data Sharing Policy, 2019 and RBI Guidelines on Cyber Security Framework for Banks and Information Security, 2016. Such a fragmented set of rules and vague redressal procedures necessitate the enactment of the PDP Bill.
The changing trends in technology expose us to loopholes in the established set of laws and one such issue is in relation to section 43A of the Act.
Firstly, the definition of 'body corporate' as defined thereunder is broad and includes a company, firm, sole premiership or other associations of individuals. However, the collection of personal or sensitive personal data by an 'individual' has not been contemplated under the purview of such definition.
Secondly, the responsibility for the protection of data is imposed only on body corporates engaged in 'commercial or professional activities' and it appears to be arbitrary discrimination to exclude NGOs, not-for-profit organisations, or government entities as such.
Thirdly, a body corporate has an option to choose among three varying degrees of compliance i.e. (a) contractual compliance by setting out reasonable security practices and procedures in the form of an agreement; or (b) comply with any law providing for protection of sensitive personal data or information; or (c) comply with such reasonable security practices and procedures prescribed by the central government in consultation with professional bodies or associations that they may deem fit. Such options create absolute chaos in implementation and a body corporate can easily navigate and 'shop' for the most lenient security practice or procedure.
In addition to the above, there are several instances of dysfunctional and non-functional grievance redressal mechanism which urgently need to be revived and relooked. Several problems with implementation often plague the enforcement mechanism due to periodic delays in appointments to the adjudicatory mechanisms created under the act.
Also Read: WhatsApp vs govt: Can traceability and encryption co-exist?
II. India's commitment under international law
Article 51 of the Constitution of India, which forms part of the Directive Principles of State Policy, requires the state to endeavour to "foster respect for international law and treaty obligations in the dealings of organised people with one another".
Privacy is a fundamental human right specifically recognised under Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights ("ICCPR"). The Protection of Human Rights Act, 1993 has referred to the ICCPR as a human rights instrument and the latter makes it mandatory for states to take steps for realisation of such right and ensure protection against interference by private parties.
III. Demonstrating preparedness to meet internationally accepted standards of data protection
In this day and age of information, it becomes inevitable for India to develop a robust and timeless regulation that has the ability to demonstrate compliance warranting the transfer of data from foreign jurisdictions. Such regulation is a precursor to receiving seamless data transfer, especially from the EU and UK regions which are emerging as global leaders in privacy regulation and data protection.
Therefore, it becomes important for India to set out a lucid set of rules for ensuring legitimate cross-border transfer of data and afford the same level of data protection to those residing in India and other countries. The need has been further backed by a significant development in global data protection law wherein the Court of Justice of the EU invalidated the EU-US privacy shield and read down the inviolability of the standard contractual clauses.
The privacy shield is an adequacy decision issued by the European Commission regulating data transfers between the US and any member state of the EU or the European Economic Area data transfer framework. Such a landmark decision has been passed due to the operation of surveillance laws in the US and it has thus been found that the privacy shield does not provide adequate protection of data protection rights of an individual that is similar to the General Data Protection Regulation.
IV. Data localisation and boosting domestic digital economy
Digital sovereignty is the right of a state to govern its network to serve its national interests, the most important of which are security, privacy, and commerce. The need to provide local residence to data in India stems from the fact that India is a nation state and therefore would treat the data generated by its citizens as a national asset. Such national asset may be required to be stored and guarded within national boundaries subject to the security and strategic interests of India.
Also Read: PUBG Mobile Indian Twin in trouble for sharing data with Chinese servers
V. Preventing privacy harms and exclusion
There exists visible inequality in bargaining power between individuals and entities that process personal data, and it becomes important to mitigate the harms flowing from such disbalance. Such harm may take various forms, including subjective and objective harm as contemplated by M. Ryan Calo or architectural harm, often contended by Daniel J. Solove.
Interestingly, Solove has also dealt with the problem of aggregation which arises from the fusion of small bits of seemingly innocuous data. In face of such harms, it is crucial to facilitate a framework that vests the rights of a data principal in an individual who shares personal data and therefore, becomes the focal actor in the digital economy.
The data protection framework is required to embody a relationship created on fundamental expectation of trust between the data principal and data fiduciary. Such forms of privacy harms and principles of decisional autonomy have been re-instated in the Puttaswamy I judgement.
VI. Curing problems associated with information asymmetry and need for facilitating data ownership
The findings from Cambridge Analytica indicated that data subjects had little or no knowledge that their activity on Facebook would be shared with third parties for targeted advertisements around the US elections. 12 Data gathering practices are usually opaque and take complex privacy forms that users have little control over.
Inadequate information on data flows due to artificial intelligence tools often worsen the relationship between data principal and fiduciary. The state is especially able to exercise substantial coercive power and remains largely unregulated for the collection and processing of personal data and thus, majorly contributing to the formation of information silos.
Thus, the objective of a data protection framework is to make the data principal as the owner of their own personal data and make provisions including the right to access, correction, deletion, and updating of respective data.
VII. Imparting differential protection to each class of data
As discussed above, the need for segregation of data sets into personal data, sensitive personal data, critical personal data, and non-personal data is assuming importance in today's age of data economy. Processing of each data set is likely to have a peculiar impact, for instance, health data set of an individual vs. personal details including the name and age of an individual. Therefore, according enhanced level of protection in terms of restrictions on cross-border transfers in case of critical personal data becomes necessary.
VIII. Extra-territorial application of data protection laws
Free flow of data across borders for the purpose of innovation and exchange requires that effective remedy is readily available to deal with any instance of breach.
IX. Mandate prior consent and adherence to principles of data protection
This flows from the need to establish rights of data ownership in today's era of clip wrap agreements and standard form contracts. In this context, it becomes important to ensure a constructive content mechanism is in place and suitable principles of data protection are followed.
X. Remedy and prevent problems of free data flows and data sharing practices
Deficiencies in the regulation of data flow in India are merely a consequence of a simplistic assumption that data flows are an unadulterated good. Such regulation becomes important to ensure an orderly digital market which shall lead to a win-win situation for citizens, nations, and multinational corporations.
To conclude, while each of the objectives set out above form the building blocks for the enactment of the PDP Bill, the need for protecting privacy as a matter of fundamental right and demonstrating preparedness to meet widely accepted standards of data protection in the international community tops the list.
It is indeed crucial to respect the need for a reasonable timeline for the introduction and enforcement of such regulation as we eagerly look forward to the monsoon session of Parliament. Until then, the government and industry bodies can cooperate and focus on capacity and infrastructure building, data literacy, and understanding technological innovations better.
(The author is a technology law and policy fellow with Daksha fellowship, Sai University, Chennai, and a law graduate from Government Law College, Mumbai.)
Copyright©2022 Living Media India Limited. For reprint rights: Syndications Today