Ed. Note: This post by Shweta Rao is a part of the TLF Editorial Board Test 2018
In today’s day and age, where a majority of our lives are documented on the internet through online registrations, Instagram uploads and various social media profiles, data collection and the protections around it are becoming exceedingly critical. Data Privacy (otherwise known as Data Protection) aims at protecting private data collected through an interdependent relationship between the gathering and dissemination of data, the expectation of privacy, technology and the politico-legal issues surrounding the same. Data privacy regulations strive to strike a balance between the utilization of data and the protection of an individual’s privacy preferences with respect to the personally identifiable information that they have provided to Big Data collectors. The fields of computer, data and information security utilize a variety of software and human resources to handle any issues that arise with respect to Data Privacy.
The field of Data Privacy, much like any technology-linked field, is ever-evolving and dynamic, and hence any regulation or law relating to it must strike a balance between being stringent enough to protect the best interests of the individuals whose data is being harvested and being flexible enough for the field to develop and advance. An example that has been the inspiration for many other forms of data regulation is the General Data Protection Regulation (GDPR).
As far as wide-reaching, functional policies go, the GDPR is a set of regulations put in place by the European Union which aims at regulating the usage and export of data of European Union residents outside of the European Union. This is a regulation that has passed through the scrutiny of the European Parliament, the Council of the European Union and the European Commission and has now been put through a two-year testing period. The GDPR was passed with the intent to strengthen and streamline the data protection process for all individuals within the European Union. This regulation was adopted on the 26th of April 2016 and shall become fully enforceable in 2018 upon the lapse of the two-year probation period. The regulation also discusses the export of personal data of EU residents outside the EU. The main discernible aim of the GDPR is to hand the citizens of the EU control over their personal data and its usage. Another aim of the GDPR is to homogenize the regulation process so as to ease business transactions within the EU relating to data collection. This regulation shall replace the 1995 Data Protection Directive, a move that has been long overdue given the large technological leaps that have occurred in the field of data sciences over the past two decades.
The GDPR has received its fair share of criticism, from arguments based on procedural aspects that label it an “administrative burden” to criticisms pointing out the stark lack of protection offered to the personal data collected by employers from employees. Most of these criticisms have been or are in the process of being ironed out as the regulation’s two-year trial run comes to an end. Regardless of the various loopholes that exist within the system, the biggest advantage of the GDPR is that the regulation is specifically and uniformly tailored to protect the citizens of the EU against the various data harvesters that one encounters on a daily basis, be it when signing an employment contract or logging into Facebook, rather than depending on precedent and dealing individually with instances of data privacy violation.
It is here that the data regulations for India and its citizens differ. It would be untrue to say that there exists no data protection or regulation in India, and it would also be untrue to say that the protection is not thorough. But what the laws regulating the data of Indian citizens do lack is broad coverage of the types of data that may be protected under them. The act controlling the regulation of some types of data is the Information Technology Act, 2000, together with the subsequent Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules), which were issued in accordance with the power of the Central Government to lay down “reasonable security practices and procedures” (RSPPs). The main focus of this act is data that originates in India, rather than Indian data, i.e. data of Indian citizens. Whilst the data generated by Indian employees and/or employees of Indian companies is heavily regulated, personal, non-business-related data is left almost unmentioned within the act. As evidenced through this act, the context of data protection and privacy has largely been that of employment and the data produced during the course of the same. This would have remained the context, if not for the Puttaswamy judgment delivered by the Supreme Court of India in mid-2017, which threw data protection and privacy back into the limelight and drew a plethora of demands for the implementation of a GDPR-esque regulation system that encompasses all of a citizen’s data-related activities rather than being limited to data related to business transactions. This judgment, which declared the Right to Privacy a fundamental right flowing from Article 21 of the Indian Constitution, brought into question how the handling of routine data of Indian citizens was going to be affected.
This is also in the context of the ongoing hearing at the Supreme Court on the constitutional validity of the mass personal database of all Indian residents (not only citizens) created by way of the Aadhaar Act. This brings one to the juncture wherein one must ask: does India need a general data regulator, and who shall perform that function? Answering the first question in the affirmative is simple: of course India needs to regulate the trade of Indians’ data and ensure that access to such data lies solely inside the shores of India and within the hands of Indian people. Answering the follow-up question, however, becomes difficult.
Directly implanting the European model of data regulation, which was the product of a highly political process, is in complete contravention to the Indian scenario, wherein the Right to Privacy was realized judicially rather than through the legislature. A direct European implementation would also completely contradict the abovementioned Aadhaar proceedings, which are for the prevention of the mass collection of bio-data of Indian residents. The Indian system of governance works very differently to that of the EU. The Indian system is heavily centralized and concentrates too much power in the unaccountable hands of a few, and creating a centralized data protection authority much like the GDPR will continue to contribute to and aggravate the centralization of power within the Indian bureaucracy. A method of combatting the same would be the partial usage of the process of “individualization” of data privacy and its regulation. This process, which heavily involves the active participation of the individual whose data is being used, takes inspiration from the usage of the “individualization” process in computer privacy, where an individual’s quantifiable traits are used to provide security nudges. The transposition of the same individual-centric principle would prevent, to some extent, the accumulation of data in the hands of the few, and would instead allow the people to control the usage of their data.
India is in a position to innovate and implement a new type of data regulatory framework, one of a kind that is a universal phenomenon but is adapted and enforced for different jurisdictions, and should not whittle away this opportunity through imitation.