• With the European General Data Protection Regulation (GDPR) coming into effect on May 25, 2018.
• The absence of a comparable regulation across the Atlantic poses a question for India:
1. Carpenter v. United States
• The U.S. Supreme Court heard arguments in Carpenter v. United States, which many commentators termed as one of the most critical electronic surveillance case in decades.
• Among other finely threaded legal arguments was the “third party doctrine”. It reasons that once a person turns over her data to a third party (such as a bank or a website), her expectation of privacy ends.
• This severely cripples the immunity that protects people from “unreasonable search and seizures”, thereby permitting the government to requisition data from third parties such as banks.
• Our Supreme Court realised the error in this narrow doctrine, rejecting it more than a decade ago in the case of District Registrar v. Canara Bank, ruling that our privacy protections would continue to apply as they ultimately vest in a person rather than the possession of personal artefacts.
2. Cambridge Analytica
• With revelations around Cambridge Analytica and growing concern around the power of technology companies.
• The consumer interest approach enforced by the Federal Trade Commission for unfair and deceptive trade practices and a panoply of sectoral regulators and state laws are an ineffective substitute to a federal regulator that draws its power from a comprehensive data protection law.
• This is not only a deficiency in the absence of law, but a fundamental design error in which legal regulation has been designed to protect property, rather than people.
3. Surveillance programmes
• An incremental movement is seen towards surveillance reform after the disclosures made by Edward Snowden on surveillance programmes.
• While data protection and surveillance may seem like separate issues, they build off each other since they both concern personal data — greater government surveillance weakens and hurts data protection offered by private companies.
• India have no such counterpart or even a bare acknowledgement that interception requires prior judicial sanction.
European General Data Protection Regulation
• The GDPR is in a lot of ways closer to Indian constitutional understanding of data protection as articulated by the Puttaswamy judgement last August, in which nine judges of the Supreme Court unanimously held privacy to be a pivot for fundamental rights.
• So when the GDPR provides for an explicit consent-based mechanism and continuing control for users, it seems to be setting a legislative template for India.
Problem for trade
• When GDPR provides a “strong law” for users, the GDPR also seems like a strong-arm law to trade and commerce.
• Two common business objections are made. The first cites a rise in costs that would impact users, in which a bureaucratic apparatus would require companies to pass on a data protection tax.
• The second objection concerns the wider, sectoral ambitions of India’s IT entrepreneurs who ideologise permission-less innovation. They argue that regulation will make them unable to compete globally.
• The “strong” data protection is beneficial for the long-term health of the technology sector by improving user trust and sectoral competitiveness.
• Blind adoption of the GDPR would present immediate peril for several reasons.
• The text of the GDPR has tremendous breadth and is riddled with business exceptions which may provide porous sieves for personal data.
• The two areas where concern arises are its impact on the right to free speech and expression and the right to information laws.
• A joint statement by two of the leading digital rights organisations, the Electronic Frontier Foundation and Article 19, have stated that in the context of the right to be forgotten, the GDPR “poses a significant risk of misuse to stifle free expression online”.
• There has been constant worry by activists defending the embattled Right to Information Act. The judiciary has been frequently citing privacy to undermine government transparency.
• For instance, in Girish Deshpande v. Central Information Commissioner, the Supreme Court upheld an order denying access to the income tax returns of a public servant.
As India stands at a crossroads, it should chart its course picking up the best ideas and practices that promote user control over data. This requires adaptation from both the U.S. and the GDPR. Our challenges are extensive, and our interests diverse. Here virtue lies in the humility to learn from others and care to protect our residents. As a public policy goal, we should borrow freely but use such knowledge within legal regulation to enlarge individual liberty.