Give India the Data Security Law it Deserves

The much-awaited Srikrishna Committee report was finally submitted to the government on July 27. The report was aptly titled A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’. The report has proposed penalties for violation, initiation of criminal proceedings in case of the violation of the data privacy, setting up a data privacy agency and provision of withdrawal of consent and the concept of consent fatigue.

The major highlights of the report were that any data processed or collected in India would be accountable to Indian laws, any Indian company incorporated in India would be accountable to data processing laws of India even if they have data about non-Indian firms, individual or entities, penalties may be involved if there is a violation of data protection laws and consent will be the basis of sharing personal data.

The committee’s recommendations on key issues such as consent, setting up a data authority, definition of personal data and sensitive personal data along with data localisation are keenly awaited for their implications on tech majors such as Google, Facebook, Instagram and Twitter and many software majors who are based out of India or have subsidiaries in India. 

If we take a look at data protection laws the world over, we come across three data privacy rules that apply, and this has been mentioned in the Srikrishna Committee report too. The US, the European Union and China. The US follows a laissez-faire approach towards data protection and does not have an all-encompassing framework. The judiciary in US, however, has collectively recognised a right to privacy by piecing together the limited privacy protections reflected in the First, Fourth, Fifth and Fourteenth Amendments to the US constitution. 

Certain legislations — for example, the Privacy Act, 1974, the Electronic Communications Privacy Act, 1986 and the Right to Financial Privacy Act, 1978 — protect citizens against the federal government. For the private sector, there are sector-specific laws that have special rules for specific types of personal data. For instance, the GLB Act2 has well-defined provisions for collection and use of financial data.  The EU has recently enacted the EU GDPR, which has come into force on May, 25, 2018. 

This replaces the Data Protection Directive of 1995. It is a comprehensive legal framework that deals with all kinds of processing of personal data while delineating rights and obligations of parties in detail. It is both technology and sector-agnostic and lays down the fundamental norms to protect the privacy of Europeans, in all its facets. Sixty-seven out of 120 countries outside Europe largely adopt this framework or that of its predecessor.

In recent years, the world community has criticised China. Though the aforementioned approaches have dominated global thinking on the subject, recently, China has articulated its own views in this regard. It has approached the issue of data protection primarily with reference to mitigate national security risks. Its cybersecurity law, which came into effect last year, is a unique law to handle personal data. A follow-up standard or a regulatory framework, issued earlier this year, adopts a consent-based framework with strict controls on international sharing of personal data. It remains to be seen how such a standard will be implemented. 

Each of these regimes is founded on each jurisdiction’s own understanding of the relationship between the citizen and the state in general, and the function of the data protection law, in particular. In the US, the laissez-faire approach to regulating data handling by private entities while imposing stringent obligations on the state is based on its constitutional understanding of liberty as freedom from state control.

Data protection is thus an obligation primarily on the state and certain categories of data handlers who process data that are considered worthy of public law protection. In Europe on the other hand, data protection norms are founded on the need to uphold individual dignity. Central to dignity is the privacy of the individual by which the individual herself determines how her personal data is to be collected, shared or used with anyone, public or private. The state is viewed as having a responsibility to protect such individual interest. China, on the other hand, frames its law with the interests of the collective as the focus, based on its own privileging of the collective over the individual. 

With major government-led initiatives such as Make In India, MyGov.in, Digital India among others aided by cheap mobile and wireline data, the impact of the data security bill, which has been drafted and needs a parliamentary approval, can be far-reaching for the Indian technology sector. Now it’s up to the Indian government to provide India with its first data security law, which can revolutionise the Indian technology industry.