[This post has been authored by Prashant Khurana, LL.M. Graduate (Class of 2020) from the UCLA School of Law and Founding Editor at Polemics and Pedantics Magazine, and Parth Maniktala, LL.B. Candidate (Class of 2021) at the Campus Law Center, University of Delhi, and Editor at Polemics and Pedantics Magazine.]
COVID-19 has spawned efforts geared towards contact-tracing, triggering collection and processing of sensitive personal data across the world. Legal protections surrounding this large-scale data collection are predominantly nascent, raising significant concerns about the precedent this sets for data privacy. In India, the Supreme Court’s landmark Puttaswamy judgement recognized privacy as intrinsic to the right to life and liberty, as secured by Article 21 of the Constitution. However, the Court conceded that privacy may be abridged if a legitimate interest, say, an epidemic, exists—provided the doctrine of ‘proportionality’ is satisfied. Notably, India’s controversial data protection legislation is yet to be enacted, and in its absence, judicial pronouncements govern.
In this context, a recent order from the Kerala High Court in Balu Gopalakrishnan assumes significance. The Kerala government contracted a US-based software company, Sprinklr Inc., for analyzing medical data to combat COVID-19. The petitioners assailed this contract for, inter alia, lacking adequate safeguards for privacy and argued that its choice of jurisdiction of New York virtually renders Indian citizens defenseless against a breach. ‘Data localization’, a concept contemplating the idea that data concerning Indian residents must reside within India to secure jurisdiction of her courts, is pervasive in the arguments and the order.
We believe that this reliance on data localization for jurisdictional reasons is an anachronism, severely inhibiting privacy protections envisaged under Article 21 of the Indian Constitution. We argue that for these protections to apply comprehensively, jurisdiction should attach through the residence of the ‘data subject’, as opposed to the location where the data is stored. Notably, the discussion in this article is confined to cases where data is collected and processed by the State, or an entity directly contracted by the State (such as Sprinklr, in the present case).
Issues with Data Localization
From a practical standpoint, data localization achieves very little. By forcing companies to spend considerable amounts on setting up local servers and other requisite infrastructure, data localization creates an unnecessary economic hurdle. It further constricts companies wishing to operate in India from deploying cost-effective or technologically superior analytical resources by moving data outside India. It might also fall foul of India’s obligations under the WTO agreements.
The obsessive focus on data localization also deflects attention from a fundamental obsolescence ailing India’s privacy regime – the absence of a comprehensive data protection legislation. Statutory protections for data privacy in India are entirely contained in the Information Technology Act, 2000 (IT Act). Proponents of data localization, and respondents in Gopalakrishnan, argue that localization resolves the jurisdictional issues through §75(2) of the IT Act. The provision extends the IT Act’s penalties extra-territorially, provided that the breach “involves a computer, computer system or computer network located in India.” But consider this scenario: suppose Sprinklr decides to use a supercomputer in Ohio for its calculations, and copies the data from Indian servers. The supercomputer in Ohio is breached and the data is stolen. In such a case, despite data localization, §75(2) will not operate since the breach did not involve a computer in India. This is an absurdity, since the same effective offence yields two different jurisdictional results.
However, even where it operates, the IT Act offers limited protections for privacy. This is primarily because the IT Act is an enabling statute for e-commerce, developed around a UN General Assembly Resolution on that subject. Fundamentally, therefore, its conception, despite numerous amendments, is aimed at securing electronic transactions – not individual privacy (see §§43A, 66, 66C, 66D, 66E, 72, and 72A). The former is predicated on the concept of ‘tangible damage’, whereas a violation of individual privacy (a legal ‘injury’), may or may not result in immediate or proximate ‘damage’. For instance, if a health record indicating that X is suffering from diabetes is disclosed by a breach, she may suffer no ‘damage’ in a tangible sense. Nonetheless, disclosure constitutes an injury upon her privacy. This is a tort law equivalent of ‘damnum sine injuria’.
Remedying these absurdities requires a fundamental re-imagination of our privacy jurisprudence, and the application of proper writ remedies for injunctive and punitive monetary relief. Jurisdiction should attach to any entity collecting, processing, and/or storing personal data based on the residence of the data subject, and not the location of the data. This approach allows greater flexibility to companies like Sprinklr, while also adequately protecting the rights of citizens.
Moving Beyond a Spatial Approach to Privacy
The very conception of privacy is at odds with a spatial approach implicit in the idea of data localization. That privacy attaches to an individual and not a place was first enunciated by the US Supreme Court. The Fourth Amendment to the US Constitution protects individuals against unreasonable search and seizure of their “persons, houses, papers, and effects”. In Katz v. United States, the US Supreme Court was called to determine if wiretapping, accomplished without entering a person’s home or tampering with their device, constituted a violation of the Fourth Amendment, provided it met the caveat of being unreasonable. The Supreme Court answered in the affirmative, holding that as a concept, privacy attaches to people, rather than places. Katz highlighted a very significant lacuna in constitutional protections on privacy. Drafted centuries ago, their text could not possibly imagine the scale of intrusion that remote technologies can accomplish today. As such, legal enunciations of privacy, as in the Fourth Amendment, have been heavily predicated on tangible intrusions. These could therefore be rendered redundant on a literal interpretation in the 21st century.
The Indian Supreme Court has also been mindful of this concern. In District Registrar and Collector, Hyderabad v. Canara Bank, the Indian Supreme Court adopted with approval the ratio of Katz and located the individual at the locus of the right to privacy. This centrality of an individual – breaking from the shackles of tangibility – was also re-emphasized in the Puttaswamy judgement. Chandrachud J. observed that “Privacy is a concomitant of the right of the individual to exercise control over his or her personality,” (¶40) and Justice Nariman bluntly noted that privacy has an informational aspect distinct from an individual’s physical body (¶81). As a principle seeking to protect the right to privacy, therefore, data localization ignores its evolution and attempts to restrict it to an obsolete conception of tangibility. As such, it ought to be rejected as the pre-requisite for jurisdiction since it would unduly restrict access to remedies.
Extra-territorial Jurisdiction of Courts
The Supreme Court in GVK Industries acknowledged that the Indian Parliament may exercise legislative power with respect to extra-territorial causes, in cases where such causes have direct consequences for the interests or welfare of the inhabitants of India. The operation of Article 73 makes the Union executive power contemporaneous with the Parliament’s legislative sphere of authority. Therefore, for specific purposes having direct nexus with the welfare of Indians, the legislative and executive powers of the State extend to undertaking extra-territorial acts.
Since Part III of the Constitution is meant to operate as a check on State authority, it must also have extra-territorial effect, in those limited circumstances where the State pursues extra-territorial acts. To conclude otherwise would grant absolute impunity to State action abroad, despite ramifications on “the interest of, welfare of, well being of, or security of inhabitants of India.” The well-known maxim ‘ubi jus, ibi remedium’ therefore requires that remedies be accorded for violations of privacy rights, even when occasioned by extra-territorial acts of the State or an instrumentality contracted by the State. The jurisdiction of the Supreme Court and the High Courts (under Articles 32 and 226 respectively) must, as a corollary, proceed contemporaneously with that of the State, including their application to extra-territorial situations.
There is precedent in municipal and international law for this understanding of jurisdiction. For instance, §4 of the Indian Penal Code (IPC) provides, inter alia, that an Indian citizen may be charged with an offence (recognized by the IPC) committed while she was abroad, even if the offence is not recognized as such in the lex loci. Regulating the conduct of Indian citizens abroad in accordance with the precepts of Indian doctrines of criminality is one of the ways in which Parliament has exercised its extra-territorial jurisdiction; courts therefore require congruent jurisdiction to ensure effective enforcement of the Parliament’s will. Internationally, the GDPR is a statutory enunciation of jurisdiction of European courts attaching based on the residence of the data subject instead of the location of the data.
Even in the absence of statutory guidance, courts abroad have demonstrated extra-territorial jurisdiction for the purpose of enforcing civil liberties (South Africa), enjoining foreign individuals holding assets of errant defendants (England and Canada), among others. Under International Law, jurisdiction of a State can also extend extra-territorially in the event an accused attempts to threaten the State or its interests, under the Protective Principle. It is therefore not a stretch to argue that critical personal data of a citizen is at the core of a State’s interests.
Cumulatively, there is sufficient precedent to demonstrate that if State action leads to a data breach, thereby causing a privacy violation, an Indian national would have basis to invoke the court’s writ jurisdiction to pursue not just the State, but also any instrumentality employed by the State, regardless of the latter’s residence or the location where the data is stored. The focus on data localization clearly obfuscates India’s ability to comprehensively protect its residents’ rights. It is therefore imperative to reshape this debate to account for the complexities of intangibility associated with modern technology.