India must be careful in picking up best practices from elsewhere in drafting a data protection law

Apar Gupta

While the Americans and Europeans both call a sport football, they play a very different game. This difference is rooted not only in culture but in the rules of the game that provide rewards for goals, and penalties for breaching allowances. In the case of privacy regulations too, such a marked distinction is visible. With the European General Data Protection Regulation (GDPR) coming into effect on May 25, 2018, the absence of a comparable regulation across the Atlantic poses a question for India: What path should it take? Should it follow the U.S. or Europe? Or, in fact, should India take the lead in this regard?

American exceptionalism
Last year, in November, the U.S. Supreme Court heard arguments in Carpenter v. United States, which many commentators termed as one of the most critical electronic surveillance case in decades. Among other finely threaded legal arguments was the “third party doctrine”. It reasons that once a person turns over her data to a third party (such as a bank or a website), her expectation of privacy ends. This severely cripples the immunity that protects people from “unreasonable search and seizures”, thereby permitting the government to requisition data from third parties such as banks. Our Supreme Court realised the error in this narrow doctrine, rejecting it more than a decade ago in the case of District Registrar v. Canara Bank, ruling that our privacy protections would continue to apply as they ultimately vest in a person rather than the possession of personal artefacts. Another area where the U.S. seems to be a poor defender of privacy and data protection is when it comes to the conduct of private parties. With revelations around Cambridge Analytica and growing concern around the power of technology companies, new concerns have come to the fore. The consumer interest approach enforced by the Federal Trade Commission for unfair and deceptive trade practices and a panoply of sectoral regulators and state laws are an ineffective substitute to a federal regulator that draws its power from a comprehensive data protection law. This is not only a deficiency in the absence of law, but a fundamental design error in which legal regulation has been designed to protect property, rather than people.

While the U.S. may present a dismal picture for data protection, it has seen an incremental movement towards surveillance reform after the disclosures made by Edward Snowden on surveillance programmes. While data protection and surveillance may seem like separate issues, they build off each other since they both concern personal data — greater government surveillance weakens and hurts data protection offered by private companies. Even before the disclosures, the U.S. had an imperfect body under the Foreign Intelligence Surveillance Court, which has the legal authority to pass interception orders. We in India have no such counterpart or even a bare acknowledgement that interception requires prior judicial sanction. Even existing procedures which are supposed to act as safeguards are flouted with little repercussions. For instance, evidence which is gathered illegally in the U.S. may eventually lead to an acquittal, but our courts have consistently reasoned that such an impropriety at best could lead to a departmental inquiry against the erring official. Even when it seems we are much more progressive in our constitutional doctrine, there always remains room for learning.

Growing European influence
In contrast, the GDPR seems like as a modern, progressive text. The GDPR is in a lot of ways closer to our constitutional understanding of data protection as articulated by the Puttaswamy judgement last August, in which nine judges of the Supreme Court unanimously held privacy to be a pivot for our fundamental rights. So when the GDPR provides for an explicit consent-based mechanism and continuing control for users, it seems to be setting a legislative template for India. However, it is not as if there are no risks in parroting the European solution. When it provides a “strong law” for users, the GDPR also seems like a strong-arm law to trade and commerce. Two common business objections are made. The first cites a rise in costs that would impact users, in which a bureaucratic apparatus would require companies to pass on a data protection tax. Such an argument is clearly out of step with the realisation of recent months that leaving personal data unprotected erodes trust in technology.

The second objection concerns the wider, sectoral ambitions of India’s IT entrepreneurs who ideologise permission-less innovation. They argue that regulation will make them unable to compete globally. This is incorrect on several counts, beside being self-defeating. It ignores that privacy and data protection are inherent to the coming waves of innovation. Data protection will act as a regulatory springboard to the next generation of online products and services. This, in turn, will provide a cleaner, sustainable and rights-friendly alternative to the existing theology of treating data as a fossil fuel. If anything, “strong” data protection is beneficial for the long-term health of the technology sector by improving user trust and sectoral competitiveness.

If we hasten, we are sure to fall. Blind adoption of the GDPR would present immediate peril for several reasons. As an ambitious project, the text of the GDPR has tremendous breadth and is riddled with business exceptions which may provide porous sieves for personal data. While refinements may be incrementally made in Europe, we in India at the outset need to have foresight in adopting the drafting choices of a foreign, even if influential, text. For instance, two areas where concern arises are its impact on the right to free speech and expression and the right to information laws. A joint statement by two of the leading digital rights organisations, the Electronic Frontier Foundation and Article 19, have stated that in the context of the right to be forgotten, the GDPR “poses a significant risk of misuse to stifle free expression online”.

Much closer to home, there has been constant worry by activists defending the embattled Right to Information Act. Their prior experience makes them wary, as the judiciary has been frequently citing privacy to undermine government transparency. For instance, in Girish Deshpande v. Central Information Commissioner, the Supreme Court upheld an order denying access to the income tax returns of a public servant. Hence, every effort should be made that the motivation to correct the absence of a data protection law does not end up hurting individuals by making government opaque and unaccountable.

Synthesise carefully
As India stands at a crossroads, it should chart its course picking up the best ideas and practices that promote user control over data. This requires adaptation from both the U.S. and the GDPR. Our challenges are extensive, and our interests diverse. Here virtue lies in the humility to learn from others and care to protect our residents. As a public policy goal, we should borrow freely but use such knowledge within legal regulation to enlarge individual liberty.

Apar Gupta practises law in New Delhi

http://www.thehindu.com/opinion/lead/the-transatlantic-variants/article23980900.ece/