After increasing cases of data frauds and privacy breaches by the big, globally renowned and respected companies like Microsoft, Facebook and Google, the Eurpean Union was one of the first to open their eyes and realise that the world of technology is changing. The result was a comprehensive, robust data protection and privacy framework : the General Data Protection Regime (GDPR) in 2018.
The GDPR is a privacy regime applicable only in Europe but in its spirit it has managed to inspire and affect governments all around the world as an effective regulatory measure to ensure the safety and privacy of its citizens and limit the breaches made by companies and governments. The Indian government has hardly been successful in having a privacy protection framework in place and the GDPR plays a persuasive and guiding role in filling this gap. The principles of democracy, user-autonomy and liberty are the basis of Europe’s privacy regime, something that India needs to incorporate to ensure it upholds a citizen’s right to privacy and liberty.
India’s IT and data protection laws are incompetent and outdated. Internet is a rapidly changing space, technologies like cloud computing, Internet of things, artificial intelligence are becoming advanced and common, and the government has no regulation in place to control what can these tech companies store, process or sell. Scandals like Cambridge Analytica, Fake news, etc. show us that there is an urgent need to protect the most important asset of today’s time: your data! India’s digital economy is on track to reach a $1tn valuation by 2022, thus India needs a data protection regime in place that would allow India to make its place in the global economy by ensuring proper regulations and mechanism in place.
After the controversial case of Aadhar(the universal and mandatory biometric identity card) in 2017 wherein the Supreme Court explicitly declared that Right to privacy is a fundamental right, the government set up a committee to draft India’s first data protection bill headed by Justice B N Srikrishna. The bill, yet to see the light of parliament can be seen to be inspired by the European Model. Like in the GDPR, the bill proposes that data could be processed by companies and government only for specific purposes and only with the necessary data. By treating government as an entity equally subjected to the strict data protection and privacy laws India would ensure the guarantee of users’ rights and freedom, and not compromise individual privacy.
The lawmakers can choose to follow the European model which is more respectful of individual freedoms and liberties than of government’s control tactics. Transparency between the clients or citizens and data agencies is given utmost importance in the GDPR. Transparency ensures smooth functioning of democracies and empowers citizens. In realms of data protection and privacy where individual liberties and autonomy are often threatened and compromised by companies and government, transparency becomes heavily important and should be guarded at any cost.
The GDPR is very progressive and user-centric, allowing user the sole authority to decide what can be done with his data in most cases. It gives the user the right to be informed if his data is being processed or stored and why, right to rectify one’s data, right to be forgotten, right to restrict processing and data portability, right to object to store or give one’s data and right in relation to automated decision making and profiling on the basis of one’s data. It has also introduced the concepts of ‘data minimisation’ (store only the required data), ‘purpose limitation’(collect data for purposes that are necessary) and ‘storage limitation’(store limited and necessary data) into legal fora which essentially put restraints and controls on any entity holding and processing your data. This makes GDPR very comprehensive and leaves very little scope for companies to misuse or find gaps to exploit users or their data, something that Indian lawmakers need to learn and take a serious notice of. The GDPR provides for a robust mechanism comprising of Data Protection Officers, legal remedies and hefty fines to not let companies get away with their illegal actions.
Another important thing that India needs to take note of is its pro-surveillance outlook. The Modi government issued a notice in the previous year, empowering 10 government agencies to monitor, intercept, and collect data from any computer. Such an environment threatens not only the Constitutional rights of individuals but also presents India, the largest democracy in the world as restrictive and with an infrastructure of censorship. GDPR allows companies and government to surveil on their subjects but in the least intrusive way possible so under the GDPR the mandatory Aadhaar will probably not be considered completely legal. Surveillance on citizens and mandatory collection of data is out-ruled in the GDPR by introducing concepts of ‘consent’ and ‘purpose’ while collecting data.
The rolling out of GDPR throughout Europe meant massive overhauls and reforms for every little company and administration office to keep up with the law and the same would happen in India if the new privacy regime is made applicable here (in its entirety). This is where India can learn from the EU as they have effectively ensured that before the GDPR becomes applicable in 2018, all affected entities are ready and in place. They ensured that the rules and institutions enable change and not make it another long standing affair.
India has a choice, an important choice to choose a model that is robust, comprehensive and progressive. Data privacy is not a sector where it can afford to be lax or irresponsible. The position India takes will impact its business domestically and internationally and also determine its place among liberal democracies. The GDPR is not only a behemoth and detailed regimen but it also took into account the urgency of implementing an effective and enabling data protection law in the ever rapidly changing world of technology, a lesson that India needs the most. It has all the possible alternatives before it, what it does not have is the luxury of time.