Does India Need Only One Data Protection Law and Regulator to Rule Them All?

As the Justice Srikrishna committee goes about its job, it is important to understand that fusing European-style regulation with a coercive Indian political system is a recipe for disaster.

Cables and computers are seen inside a data centre at an office in the heart of the financial district in London, Britain May 15, 2017. Credit: Reuters/Dylan Martinez

Does India need one data protection law to cover both the public and private sector? Credit: Reuters/Dylan Martinez

After a few months of a lull, post the Puttaswamy judgment, the data protection issue is back in the limelight with the publication of a 243-page white paper by the ‘committee of experts’ who have been tasked by the government to recommend the framework of a possible data protection framework. While the decision of the committee to publish a white paper and solicit public comments is most welcome, it could have done without the ‘shock and awe’ approach of asking for comments in response to 229 questions.

By expending its efforts in painting a wide canvas, it has sacrificed a deep analysis on some core issues. Nevertheless, by Indian standards, this white paper is a good start to a complex policy exercise.

A foundational issue that I think should be at the heart of the debate is whether India needs one data protection law to cover both the public and private sector. The second question, that flows from the first, is whether we really want to bestow, on the infamously coercive and abusive Indian state, the authority to create a data protection authority that will have the powers to punish both public and private sectors across the country for any violation of privacy or data protection laws.

One law to rule them all?

The white paper does touch on the first issue in chapter 2 and even frames a question asking for comments on whether India should have one common law for the public and private sector or different laws for both sectors. The committee however does not adequately inform its readers of the advantages and pitfalls of both.

Any discussion on this issue, in my opinion, should begin with an analysis of the Supreme Court’s judgment in Puttaswamy. There is little doubt that the Supreme Court recognised privacy as a fundamental right vis-à-vis the state but there is significant doubt on the horizontal applicability of the privacy right vis-à-vis private citizens. As originally conceived, fundamental rights were meant to apply against the state, as a means to curb the power of the state in its attempts to curb basic liberties of the citizenry. There have been calls from radical scholars for applying these fundamental rights horizontally against private corporations and citizens. Maybe it will happen in India, maybe it won’t – but the immediate problem is that the Puttaswamy judgment is not clear on whether privacy is a fundamental right that can be applied horizontally.

Also read: India’s Data Protection Regime Must Be Built Through an Inclusive and Truly Co-Regulatory Approach

One of the nine judges who wrote the judgment, Justice S.A. Bobde, made it clear that in his opinion, privacy as a fundamental right would apply only against the state and that private citizens could only claim a common law right to privacy against each other. He states in the pertinent part:

“Where the interference with a recognized interest is by the state or any other like entity recognized by Article 12, a claim for the violation of a fundamental right would lie. Where the author of an identical interference is a non-state actor, an action at common law would lie in an ordinary court.”

However, Justice S.K. Kaul seems to be of the opinion that privacy as a fundamental right could apply even against private citizens. He states:

“The right of privacy is a fundamental right. It is a right which protects the inner sphere of the individual from interference from both State, and non-State actors and allows the individuals to make autonomous life choices.”

In addition to the above dicta, there is one particular holding from the Rajagopal judgment which has been endorsed by several of the nine judges in the Puttaswamy case where it was held that “A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical.” This particular holding frames privacy as a horizontal right because it restrains “everybody”, not just the state, from reporting on private matters. For whatever reason, none of the lawyers or the judges raised the issue in the Puttaswamy case and it appears that none of the judges read the concurring opinions of their fellow judges with the attention that it deserved. If they had, they would have resolved this contradiction.

If the committee can clarify its understanding on this fundamental issue, we will perhaps be in a better position to discuss the outline of a data protection law. If privacy is a fundamental right only vis-à-vis the state, then it makes no sense having a single law for both the public and private sectors when the underlying legal basis of both are entirely different. The nature of the Indian citizens’ relationship with the Indian state is almost always coercive and the information that the state extracts from the citizen pursuant to an exercise of its coercive powers should be placed at a far higher standard of privacy protection when compared to information that the citizen-consumer voluntarily hands over to a private company in pursuance of a contractual relationship. There is no logical basis for covering both the public and private sector under the same data protection law.

Clarifying this issue will also go a long way in resolving the concerns that will be raised by journalists who are worried about their common law right to free speech having to face a fundamental right to privacy in court.

More importantly, it must be remembered that with regard to public records, the law will have to toe a fine line between transparency under the Right to Information Act, 2005 and privacy under a prospective data protection law. This is going to be a difficult job. For some categories of information such as tax records, privacy is non-contentious. But once we move onto issues like electoral rolls, lists of people below the poverty line benefitting from public funds or public examination results, there will be tension on how much information should go behind the veil of privacy. If the basis of ‘informational privacy’ is to protect the dignity and autonomy of the citizen, then we are looking at a lot of information being sealed under a future data protection law. In this context it may also be pointed out that there will be jurisdictional conflicts between the information commissions and data protection regulators. This is all the more reason to approach the issue of data protection separately for the public and private sectors.

Supreme Court of India. Credit: PTI

A data protection authority to rule all?

The second issue that flows from the first is the creation of a data protection authority as a regulator that will wield a big stick against everybody in the public and private sector. Going by the tenor of the white paper, it appears that Justice Srikrishna and his colleagues are looking at creating a big regulator that is going to be expensive and wield punitive powers.

There are serious consequences of putting so much power in the hands of one authority that will be working under the beck and call of the government of India. Not only will this regulator have the power to inspect records and data in the guise of data audits, it will also be able to levy fines that can bankrupt businesses and regulate Indian companies with enough red tape to make them uncompetitive in a global marketplace. If it seems like I am exaggerating, just look back into history and see the legacy of Indian regulation – be it the Industrial Licensing Act, 1951 or the Essential Commodities Act, 1956. Indian politicians and babudom have demonstrated a superb ability to throttle free enterprise.

As the Indian economy becomes more digitised and generates the avalanche of data that everybody is betting on, this data regulator will accumulate more power over the ‘oil of the 21st century’. With more regulation, there will be consequences on civil liberties. Take for example the role of social media today, especially Facebook, Twitter and Google which provide Indian public debate with a much-needed lifeline in the age of a compromised mainstream media. There currently exist few options for the Indian government to control and regulate platforms like Facebook, Twitter and Google. A data regulator will however presumably have power to substantially regulate these platforms and that will have consequences for our ability to use the platforms to communicate and debate issues of importance.

Is that a preferable outcome? A recent case in point is the coverage on the death of Judge B.H. Loya, which went viral on social media but was mostly ignored by the mainstream media. Can we be sure that social media giants will be willing to stand up to the government in power, especially the Indian bureaucracy which I am sure is relishing the prospect of having power over these Californian data companies?

Also read: The Digital Universe Is Growing. It’s Also Becoming More Unequal

Does this then mean that we should simply give a free pass to these powerful data companies? No. These companies should be regulated but through the judicial system, where power is not concentrated in the hands of any single judge and where the government has a minimal role to play. The problem with Google and Facebook today is they require Indian users to arbitrate claims against them in California – which is an impossible task. I reproduce below one such clause that is a part of Gmail’s term of service is as follows:

“The laws of California, U.S.A., excluding California’s conflict of laws rules, will apply to any disputes arising out of or relating to these terms or the Services. All claims arising out of or relating to these terms or the Services will be litigated exclusively in the federal or state courts of Santa Clara County, California, USA, and you and Google consent to personal jurisdiction in those courts.”

Facebook’s contract states the following:

“You will resolve any claim, cause of action or dispute (claim) you have with us arising out of or relating to this Statement or Facebook exclusively in the U.S. District Court for the Northern District of California or a state court located in San Mateo County, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating all such claims. The laws of the State of California will govern this Statement, as well as any claim that might arise between you and us, without regard to conflict of law provisions.”

The default position in both requires Indian users to approach Californian courts, which is literally impossible. Any parliamentary data protection law targeted at foreign data companies, be it social media giants or cloud service providers, should provide Indian consumers with a bill of consumer rights guaranteeing certain baseline rights protecting their data, which they can enforce in India through either litigation or arbitration panels like the ones used to resolve domain name disputes, provided that both take place in India and are accessible to Indian citizens.

India has a fantastic opportunity to innovate and come up with a new regulatory framework. We shouldn’t fritter it away by replicating an outdated model of European data regulation, which even the Europeans are struggling to implement. The European model envisages a complex data regulatory framework with a great number of restrictions on processing data and a central bureaucracy that can enforce such a framework. The underlying principles of the EU framework stem from a judicial decision of the German Bundesverfassungsgericht (the highest German constitutional court) which created a right to informational self-determination in 1983 when citizens challenged the German government’s plan to carry out a large-scale census that would be processed with the aid of computers. As the EU grew, the German principles were transposed into a European wide legal framework in order to facilitate the free transfer of data in the common market. Most of this happened in the eighties and nineties when the internet was in its infancy.

The European model of data protection finds great resonance within the Indian bureaucracy and activists because both lobbies are suspicious of new technologies and have a historical tendency to lean towards heavy state regulation of the private sector. But we also need to be alive to the fact that the Indian bureaucracy and Indian political system works very differently from Europe. Our systems of governance are already far too centralised, concentrating too much power in the hands of too few. Creating a centralised data protection authority will contribute to that centralisation of power and will have ramifications for liberty, freedom and economic competition in 21st century India.

Fundamental rights may be a universal phenomenon, but the mode of their enforcement needs to be adapted to different jurisdictions.

Prashant Reddy T. is an assistant professor at the National Academy for Legal Studies and Research (NALSAR), Hyderabad and is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP)