Should There be a 'Developing Country' Template For Data Protection Legislation?

If we are to follow the European path, we first need to see some rigorous Indian scholarship explaining why a European-style General Data Protection Regulation is the best way for India and how it affects our existing rights.

A few weeks ago, in his weekly column on law and technology in Mint, lawyer Rahul Matthan questioned whether India should be adopting European standards of data protection instead of designing its own system.

He illustrates this dilemma by giving as an example the American experience with upholding copyright law. For the longest time, the US was known as an outlier to international copyright law until its domestic industry was strong enough to compete with the world after which it took the lead in setting global IP standards by forcing the agreement on Trade-Related Intellectual Property Rights (TRIPS) on the world.

The Indian experience with negotiating IP treaties has been similar. Ever since the sixties, when India succeeded in negotiating down the standards of copyright protection in the Berne Convention, the Indian government has constantly demanded different standards for developing countries. The Indian argument at the time was that newly-independent countries had completely different development concerns when compared to European countries fattened by colonisation and thus, it would not be fair to impose the same standard of IP protection on developing countries.

Indian negotiators followed the same line of argument during the WTO negotiations in the nineties while demanding flexibilities like compulsory licensing in TRIPS. At the UN-controlled World Intellectual Property Organisation (WIPO), developing countries spearheaded by Argentina and Brazil have forced the adoption of a development agenda. IP is not the only field where developing countries have sought differential standards – developing countries have made similar arguments in the context of environmental policy and climate change talks.   

Strangely enough, with regard to the Indian debate on data protection there appear to be multiple calls for India to adopt a European-style General Data Protection Regulation (GDPR) with little debate on whether a developing country like India with all of its unique peculiarities needs a different type of legislation to meet its unique needs?

Rather, the presumption is that what’s good for the EU is good for India. But is that necessarily true?

Why is there so little Indian scholarship on data protection law?

The first level of the debate is the lack of any substantial scholarship on the shape of a future data protection legislation and the needs of Indian people. A search of SSRN reveals less than a handful of working papers written by Indian scholars on the concerns with a future data protection law. But if there is no substantive scholarship from Indian universities or Indian think-tanks on the contours of a future data protection law, why have there been so many calls for adopting a GDPR-style legislation in India?

If we are making a legislation that has significant implications for the future of Indian democracy and the Indian economy, should we not be basing our conclusions on rigorous scholarship? Is it possible that many of the calls for adopting a GDPR-style data legislation in India are influenced primarily by foreign scholarship and foreign media, both of which have been written in a specific context that may not be applicable to India?

Context matters while making new laws

The second level of the debate is the lack of attention to the differing contexts in the EU and India.

The European experience with data protection laws has evolved gradually over the last three decades. One of the key milestones in the European experience with data protection laws was a judicial decision of the German Bundesverfassungsgericht, which is the highest German constitutional court. The case arose out of opposition to the Population Census Act enacted by the Bundestag. The German population was opposed to the kind of data that was being collected by the government under that legislation and the possibility of it being processed by computers to create unique personality profiles. Such opposition is understandable in a country which was ravaged by Hitler and fascism. The decision of the German constitutional court created a right to informational self-determination that was grounded in an existing right to personality under the German law. Certain sections of the Population Census Act were struck down by the German court and although the census went ahead, the Germans apparently never held a census again.

Those principles laid down by the German court such as the right of citizens to control their data, data minimisation, purpose specification and proportionality formed the basis of the first EU-wide data protection enacted in 1995. It was after more than two decades of experience with a data protection law that the Europeans decided to upgrade the standard of protection with the GDPR. One of the issues spurring the new standards of data protection was the Snowden scandal, which caused huge public outrage in the EU.

Prima facie, the Indian experience with large-scale data collection, computerisation and foreign surveillance appears to be radically different. The Census Act which allows the government to collect massive amounts of data has never been opposed in India. Like the German government, the Indian government began using computers to crunch census data in the eighties. There also appears to have been no opposition in India to the use of computers. Similarly, on the question of foreign surveillance, there was hardly any outrage in India after Snowden’s leaks revealed that India was one of the top targets of the American spy agencies. This is not surprising since Indians have hardly protested the surveillance being conducted by their own government in the form of phone taps or the Central Monitoring System (CMS).

Does the lack of protest automatically mean that Indians do not care about their informational privacy? Certainly not.

However, both examples are reflective of the fact that the Indian attitude towards “informational privacy” is not the same as that of the Europeans. The same Indians are very likely to take offence to the state violating his “spatial privacy”.

Different shades of privacy

It is necessary to understand that despite fundamental rights having a universal flavour, the final shape of such rights can differ widely from country to country. Take for example free speech of the western order which is understood very differently in the US and EU. One reason the #MeToo movement appears to have been confined to the US and not spilled into the EU or UK to any significant degree is because the American understanding of the fundamental right to free speech is quite different from their English or European counterparts making it easier for American women to level allegations against public figures without being sued themselves for defamation. Similarly, the US does not recognise the European version of a fundamental right to informational privacy. The Americans don’t apply the right to privacy horizontally against private citizens.

So clearly, even in the liberal western order, there are differing conceptions of certain fundamental rights. In the Puttaswamy case, the Supreme Court of India did recognise a right to informational privacy but left a lot of room for parliament to craft a new law without borrowing the European version lock, stock and barrel. If we must follow the European path, we first need to see some rigorous Indian scholarship explaining why the GDPR is the best path for the Indian people and how it affects our existing rights such as our rights to information and free speech amongst other rights.  

The Supreme Court of India has recognised the right to informational privacy as a fundamental right. Credit: PTI/Reuters

The shape of future Indian legislation

Any temptations by policymakers to follow the GDPR will have to account for at least four important public policy considerations. The first consideration is the need to fiercely protect the right to free speech. As I’ve written on The Hoot, the EU data protection law dragged the English media into very long drawn, expensive litigation with celebrities seeking to protect their privacy. Do we want to risk the same situation with the Indian media?

The second consideration is the need to shield the Right to Information Act against further curtailment on the grounds of privacy. Transparency activists like Shailesh Gandhi have been warning about the detrimental effects the right to privacy will have on the Right to Information Act, 2005. Public trust in government amongst Indians is quite low these days and transparency is key to accountability and building public trust. We are far from European levels of public trust in our democracy and government. The third consideration should be the dangers of centralisation of further power with the Central government.

As I’ve written earlier in these pages, an EU-style data protection law necessarily also means an EU-style data protection authority and that means vesting the Central government with a whole new set of powers. Such regulators may work in the EU but do we really want to vest more such powers in the hands of our notoriously coercive Central government?

The fourth concern should necessarily be the broad development concerns in a country like India which not only needs data for governance but also to build an industry that can compete globally. Big data is in a position to contribute to the development agenda and we must not forget it.       

Indian laws should be based on an Indian context

The bane of Indian lawmaking since the late 19th century has been the tendency to enact English law in India without quite understanding the implications for the Indian people. Be it land revenue legislation or criminal legislation, colonialism created a disaster in India because the British never really understood how Indian society was functioning.

Since independence, even with a sovereign parliament, the tendency has been to reproduce English and of late, European legislation in India without understanding that those laws have been written in response to social and economic conditions in those countries. Usually, those exercises are preceded by rigorous inter-disciplinary studies, not only by their governments but also by their universities. We have seen neither in India and we should worry about it because a data protection is going to fundamentally change the manner in which we access information and any new law will adversely affect our rights to speech and information.

Prashant Reddy T. is an assistant professor at the National Academy for Legal Studies and Research (NALSAR), Hyderabad and is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP).