It is often joked in India, by the end of a journey, two strangers travelling together in a train know not just about each other but their extended families as well.
So, what does privacy mean in Indian context and to what extent can India be influenced by EU' General Data Protection Regulation (GDPR) framework, were some of the questions asked by Devender Kumar Sikri, Chairperson, Competition Commission of India (CCI) at the ASSOCHAM's Global summit on Data protection, privacy and security.
He admitted that laws are struggling to keep pace with the developments in technology. "The regulators have not much idea, I must confess, what has to be done to make human centric anti-trust laws, applying effectively to the bot-intermediated transactions and that connect is going to be a real challenge."
Hence, there is a need of a robust regime for data protection as dangers to individual's privacy originate not just from the state but from non-state actors. "There needs to be a balance between individual interest and legitimate concerns of the state such as protecting the national security, preventing and investigating crime, encouraging innovation and spread of knowledge and dissipation of social benefits," he says.
He said that CCI understands that data companies are not an economic threat in themselves, they are a source of innovation and so must be encouraged for economic development. "But the practices of the dominant digital players need to be competition compliant," he added.
The question that is being asked and debated is - could there be an abuse of dominance, when unreasonable amount of data is extracted for reasons other than improving the quality or reducing cost, asks Sikri.
There are two schools of thought on this - abuse of dominance can lower privacy protection. French and German authorities have the view that data privacy can be viewed from the prism of competition. It is also being discussed that any agreement that is not privacy friendly can harm consumer welfare. There is another school of thought that privacy is fundamentally a consumer protection issue and there is no need for competition authority to get involved. "Anti-trust can deal with privacy as a non-priced factor of competition but it is an uneasy fit as it is hard to measure because value of privacy is subjective," he says.
He also said that collusion between digital players through self-learning algorithms is one of the biggest challenges that the Competition Law enforcers are facing.
"Algorithms are not systems that are moving on their own, somebody has designed them and there is some logic put into that," said Sikri sharing the instance during Jaat agitation when airline ticket prices shot up to Rs 60,000-Rs 90,000 for a Chandigarh-Delhi flight.
"When we asked the airline they said, 'we do not know, the algorithms are driving it up'," he said. But algorithms are not moving on their own, they have been designed in such a way to increase these prices. "They [airlines] said, we don't know and as of now they were not going to give it up," said Sikri.
He informed that CCI has been in talks with many technical people to understand algorithms. "We have been even suggested by the IITian professors whom we interacted that you develop your own algorithms to unravel this one. It is not easy and requires huge investment. Another solution given to us was derive a hypothesis and put this algorithm to test. If it fails, hold them responsible."
What is clear is that Indian data protection law will be drawn in the context of Supreme Court's judgment in Puttaswamy vs Union Of India, which holds that the right to privacy is protected as a fundamental constitutional right.
Also, the data protection law will be largely influenced by the seven key principles in the white paper released by the Justice Srikrishna committee: a law that is technology agnostic law; applicable to the private sector entities and the government, maybe with different obligations; informed consent; minimal and necessary data processing; data controller is accountable for any processing; enforcement by a statutory authority; and penalty for wrongful data processing.