Data protection across the Atlantic
Our challenges on data protection and privacy are larger than in the United States and Europe. We must borrow freely and adapt with care.
While the Americans and the Europeans both call it football, they play a very different sport. The essence of this difference is rooted not only in their culture but in the rules of the game; that provide rewards for goals, and penalties for breaching allowances. In the case of privacy regulations, such a marked distinction is visible. With the European General Data Protection Regulation (GDPR) coming into effect on May 25, 2018, the absence of a comparable regulation across the Atlantic gives rise to a temptation to borrow.
It also posits an essential question for India. What path should it take? Should it follow the United States or Europe, or may it even venture to ask, if it should take the lead?
A case of American exceptionalism
Last year in November, the United States Supreme Court heard arguments in Carpenter v. United States, which many commentators termed as one of the most critical electronic surveillance case in decades. In contention among other finely threaded legal arguments was the “third party doctrine”. It reasons that once a person turns over their data to a third party (such as a bank or a website), their expectation of privacy ends. This severely cripples the immunity that protects people from, “unreasonable search and seizures” thereby permitting the government to requisition it. Our Supreme Court realised the error in this cabined doctrine, rejecting it more than twelve years ago in the case of District Registrar v. Canara Bank. Distinguishing and ruling that our privacy protections would continue to apply as they ultimately vest in a person rather than the possession of personal artefacts.
Another area where the United States seems to be a poor defender of privacy and data protection is the conduct of private parties. With revelations around Cambridge Analytica and growing concern around the power of technology companies, there is a new dawn of realisation. The consumer interest approach enforced by the Federal Trade Commission for unfair and deceptive trade practices and a panoply of sectoral regulators and state laws are an ineffective substitute to a federal regulator that draws its power from a comprehensive data protection law. This is a deficiency not only in the absence of law but a fundamental design error in which legal regulation has been designed to protect property, rather than people.
While the United States may present a dismal picture for data protection, it has seen an incremental movement towards surveillance reform after the disclosures made by Edward Snowden. While data protection and surveillance may seem like separate issues, they build off each other since they both concern personal data — — greater government surveillance weakens and hurts data protection offered by private companies. Even before the disclosures, the United States had an imperfect body under the Foreign Intelligence Surveillance Court which has the legal authority to pass interception orders.
We have no such counterpart or even a bare acknowledgement that interception requires prior-judicial sanction. Even existing procedures which are supposed to act as safeguards are flouted with little repercussions. For instance, evidence which is gathered illegally in the United States can lead to an acquittal, but our courts have consistently reasoned that such an impropriety at best could lead to a departmental inquiry against the erring police or government official. Even when it seems we are much more progressive in our constitutional doctrine, there always remains room for learning.
Growing European influence
When one looks towards Europe and the GDPR, it seems like a modern, progressive text. The GDPR is in a lot of ways closer to our constitutional understanding of data protection as articulated by the Puttaswamy Judgement, last August, in which nine judges of the Supreme Court unanimously held privacy to be a pivot for our fundamental rights. So when the GDPR provides for an explicit consent based mechanism and continuing control for users, it seems to be setting a legislative template for India.
However, it is not as if there are no risks in parroting europhone. The GDPR when it provides a “strong law” for users, almost seems like a strong-arm law to trade and commerce; two common business objections are made. With the first citing a rise in costs that would impact users, in which a bureaucratic apparatus would require companies to pass on a data protection tax. Such an argument is clearly out of step with the realisation of recent months that personal data when left unregulated, harms trust in technology.
The second variant are the wider, sectoral ambitions of India’s silicon valley entrepreneurs who ideologise permissionless innovation. They argue that regulation will make them unable to compete globally. This is incorrect on several touchstones, even being self-defeating. It ignores that privacy and data protection are inherent to the coming waves of innovation. Data protection will act as a regulatory springboard to the next generation of online products and services. This, in turn, will provide a cleaner, sustainable and rights-friendly alternative to the existing theology of treating data as a fossil fuel. If anything a “strong”, data protection is beneficial for the long-term health of the technology sector by improving user trust and sectoral competitiveness.
If we hasten, we are sure to fall. A blind adoption of the GDPR presents immediate peril for several reasons. As an ambitious project, the text of the GDPR has tremendous breadth and is riddled with business exceptions which may provide porous sieves for personal data. While refinements may be incrementally made in Europe, we at the outset need to have foresight in adopting the drafting choices of a foreign, even if influential, text.
For instance, two areas where concern arises are its impact on the right to free speech and expression and the right to information laws. A joint statement by two of the leading digital rights organisations, the Electronic Freedom Foundation (EFF) and the Article 19 have stated that in context of the right to be forgotten the GDPR, “poses a significant risk of misuse to stifle free expression online”. Much closer to home, there has been constant worry by activists defending the embattled Right to Information Act. Their prior experience makes them wary, as the judiciary has been frequently citing privacy to undermine government transparency. For instance, in the case of Girish Deshpande v. Central Information Commission, the Supreme Court upheld an order of denying the income tax returns of a public servant. Hence, every effort should be made, that the motivation to correct the absence of a data protection law does not end up hurting individuals by making government opaque and unaccountable.
As India stands at a crossroad, it should chart its course picking up the best ideas and practices that promote user control over their data. This requires adaptation from both the United States and the GDPR. Our challenges are much extensive, and our interests are diverse. Here virtue lies in the humility to learn from others and a belief to protect our residents. As a public policy goal, we should borrow freely but use such knowledge within legal regulation to enlarge individual liberty. Such an approach is not as foreign, for after all, even our fundamental rights are a synthesis of the Magna Carta, Declaration of the Rights of Man and the Bill of Rights.
An edited version of this article was published by the Hindu on May 25, 2018.
