Europe’s data protection law offers a sound basis for India to craft its own
During the throes of India’s independence struggle, an image of Mahatma Gandhi spinning the hand-spun khadi symbolised not only economic and political autonomy but to its critics an insular withdrawal from industrialisation and technology. This tension is gingerly revealed in a letter by Nehru to Aldous Huxley, as a partial defence of the Mahatma’s position, when he writes, “I believe in the machine and would have it spread in India, but also believe in the social control of it…”. While dialogues of the past, do seem distant to the rapid advances in the fields of big data, algorithmic and artificial intelligence they undergird deeper truths. Surfacing visibly in debates over the formation of a privacy and data protection framework.
Presently India has the second highest number of internet users in the world being an important market for many global companies that have conquered dominance within distinct silos of digital services. While Facebook enjoys sway over social networking, Google completely takes over online search and email, Amazon continues a growing capture of online commerce. This is further supplemented by a maturing, homegrown technology sector which learns not only it’s business models and operational strategies, but even it’s corporate culture from such companies. Though there exists friction between these global and local firms they are united in a singular attempt to collect, store and analyse the online behaviour of millions of Indians. It is immaterial whether customers pay for digital services, for the business model of most firms always factors in a premium for personal data. Another layer for the extraction of information is added by the Government. India has the unique distinction of being one of the few countries, if not the only one, that gathers vast amounts of personal data through it’s compulsory, national biometric ID scheme Aadhaar. It’s wide pervasive use goes well beyond public entitlements or regulated services, to sundry services such as online matrimonial portals. It almost seems data is not the new oil — it is air itself.
As digital technology is finely threaded with the fabric of our lives, India maintains a curious omission of a comprehensive, enforceable, data protection law. The limited protections which do exist are under the Information Technology Act, 2000 and its subordinate regulations remain substantially deficient and practically unenforceable. This stands in stark contrast to Europe which has taken time to develop an advanced data protection framework, the General Data Protection Regulation (GDPR) that goes into effect in a few months. There is good reason to look towards Europe as Prof. Graham Greenleaf, who has studied more than fifty countries in the Asia-Pacific region notes the pre-existing presence of elements of European law within their national laws, with most needing to update them and enact a comprehensive statute. Even as a texts the GDPR is a progressive instrument. The very preamble of the GDPR, reflects an attempt to protect the rights of individuals through a data protection law, treating the requirements of industry and state as limited exceptions. It is this exercise of balance which Nehru adverts to in his letter to Huxley stating that cottage industry is not to the exclusion of the power loom.
Such search for balance comes from a recognition of the principled protection of the right to privacy within the text of a data protection law and then proceeds to exceptions which are determined under the legal doctrines of necessity and proportionality. Necessity is a threshold evaluation requiring objective evidence that is matched against a proportionality exam in which the advantages due to limiting the privacy right are weighed against the disadvantages. Such principles find legal articulation within the GDPR which makes them practically enforceable. These include a transparent system of data processing which makes users practically aware what is happening with their personal information at all times. A user’s knowledge is raised to the level of control, where the necessity and proportionality are placed both as exceptions but also as positive obligations on companies and governments. For instance, they are allowed to use data only for the original purpose under which it was gathered and only to the extent and amount as necessary for performing the function as specified by a user.
The sister doctrines of necessity and proportionality are not strangers to our own constitutional law. Even prior to their express recognition and linking to data protection by the Supreme Court last August when it reaffirmed the fundamental right to privacy, they have found passing references through the decades. For instance, the Supreme Court in a case dating from the 1950s has applied it to hold that a law that prohibited the manufacture of tobacco bidis as a blanket measure to ensure adequate labour during the agricultural season was disproportionate and unconstitutional because it did not limit the prohibition applied for an unlimited period of time. Though further precedent exists which limits the sweep of state action, and further support has recently come from the Supreme Court, many rights advocates hold a balancing exercise for these doctrines may become an unequal bargain between privacy and the demands of big data and the bigger state. There is a credible basis for such fears as often our courts have wavered from the principle of protecting fundamental rights to permitting an expansion of limitations placed on them, gradually the exceptions swallowing up the rule.
This sets up a credible challenge to the future of India’s data protection framework, the teeth of a regulatory body and the courts which will function to enforce it and hold powerful corporations and governments to account. While we must learn and draw from the data protection principles of Europe, we must also focus efforts to ensure their effective enforcement. This will naturally not only be an effort in ensuring desirable legal language within the text of a law but also ensuring a larger environment of compliance and respect for privacy. Opportunity for positive outcomes exist in the domain of technology as India has already taken a global lead enacting a progressive net neutrality regulation. But due to a lack of partnership between civil society and the government, there is a sense of cynicism overcast by the lack of a user oriented data protection law. Many today wonder about their online safety and express a loss of control. In this there is an important lesson from decades past — to continue our belief in the benefits of technology, we must continue to believe in its social control.
An edited version of this article was first published in The Hindu on March 23, 2018 (link).