In the judgment establishing individual privacy as a fundamental constitutional right, the Supreme Court highlighted the need for legislation to uphold individual informational privacy and data protection. Privacy and Internet rights advocates have long called for such a law, and the government has finally started taking steps towards this by appointing a committee to make recommendations. As a nation, India lags among world economic and Internet leaders when it comes to data protection. As the country formulates such a law, it may be instructive to look at what other countries have enacted. In this regard, the United States, China and the European Union have all taken drastically different directions. The EU’s laws may have a significant impact on Indian companies sooner than any Indian law.
Broadly speaking, data privacy entails getting consent from individuals before collecting their information, being transparent about why information is collected, what its use will be and deleting the information when it is no longer needed or when consent is withdrawn. Variations exist on the mechanisms, such as whether consent may be implicit (individual must take action to opt out) or explicit (individual must take action opt in). Data protection involves taking adequate steps to protect data from accidental or malicious disclosure. The factors in considering what efforts must be made to protect data depend on the type of data, its value to criminals and the harm to the victims. Every year there are multiple cases globally of malicious data theft, the latest being the Equifax breach in the US.
Around the World: A look at the US, EU and China
The issue of data privacy in the US made news in early 2017 due to the passing of a law that allows Internet service providers (ISPs) to collect and sell their customers’ browsing data without prior consent. Despite this example, the US is generally considered to have strong data privacy and protection laws, albeit in a patchwork of regulations and federal and state laws. Disclosure of health data is highly regulated at the federal level, for example, and breach notification laws were pioneered in the US, though they vary by state. The threat of legal class action lawsuits adds a powerful impetus for companies to take measures to protect data and privacy. Among the states, California has some of the most restrictive laws (it alone has 25 laws). Due to its economic size and population, it sets a trend for many other states. Yet, incidents such as the Equifax breach highlight the need for better regulation and accountability.
China too has multiple laws and regulations covering data protection. They provide individual protections such as requiring consent, protection of sensitive information, and limitation on use of data. The laws also highlight the state’s interest in knowing and controlling individual’s speech and activities on the Internet. A new Cybersecurity Law that took effect on May 1, 2017 forbids people from using information networks to violate the privacy of others, using illegal methods to acquiring personal information, and using their positions of access to acquire, leak, sell or share personal information. The law has also created confusion for foreign businesses by requiring providers of critical information infrastructure (CII) to store “personal information and other important data” on mainland China. The exact definitions of what constitutes a CII provider and what is “important data” remain unclear.
In the EU, attention is focused on a new General Data Protection Regulation (2016) that will be enforced starting 25 May 2018. The GDPR is expected to have a significant impact beyond the EU because it applies to any organization that collects or processes data in the EU or from residents of the EU. The GDPR was created to harmonize laws across all member states, though it still allows for individual nations to customize certain aspects to fit national needs. It provides a comprehensive set of privacy and data protections, as well as rules on breach disclosures, transfer of data and redress mechanisms. It also specifies some of the highest penalties for violating such protections, with a maximum fine of up to €20 million for companies and other organizations, or 4% of the prior year’s turnover for a company, if that amount is higher. If the GDPR were being enforced in 2017, Equifax, which collects information of UK citizens and who are still EU citizens pre-Brexit, would come in for considerable scrutiny for both its security measures prior to the breach and its actions thereafter.
One of the goals of data privacy laws is to give control of data back to individuals, which means getting their consent for the collection and processing of data. In the US data controllers can get a one-time blanket consent for a variety of uses by putting them in the terms of service and privacy pages, and making the use of the site conditional upon giving consent. The EU’s GDPR takes a more restrictive approach, so data collectors must obtain consent for specific uses, and if they want to use personal data for other purposes, obtain explicit content for those purposes. However, the GDPR also specifies situations when consent may be bypassed, such as for protecting the population from illnesses, for the legitimate activities of government, and such. China’s laws only mention that network operators must obtain consent, so it is unclear whether consent must be explicit and specific. Nearby South Korea, which is considered to have one of the toughest data privacy laws in Asia, also takes a similar approach to the EU.
What will India do?
In India, if or when a new privacy and data protection law is enacted, the question is how well will it be enforced. Such is currently the issue with the existing Information Technology Rules (2011), which govern many aspects of data protection and privacy, but which remain abysmally unenforced. It is not even clear what the current mechanism for enforcement should be. The Cyber Appellate Tribunal, set up as a forum to redress cyber fraud, had not adjudicated a single case in five years, according to a report in December 2016. It was therefore encouraging to see the alacrity with which law enforcement investigated and apprehended suspects in the case of the Reliance Jio data breach in July. However, six weeks later, Jio still has not acknowledged the breach or notified its customers. In the past year, despite news reports of data breaches at banks and ATM systems, there have been no full public disclosures.
This is where the EU’s GDPR may play a role. Companies that do business in Europe, or that may have customers in Europe, will have to abide by the GDPR. That means, for example, that SBI, which has a branch in Frankfurt, would be subject to GDPR practices on data collection, systems security and breach disclosures. So would Flipkart, which recently announced that it would expand internationally. Indian companies that have branch offices or employees in Europe would also be affected, as would Indian companies that want to provide back-office data processing services to European companies.
The GDPR also generally prohibits the transfer of data from Europe to companies from outside the EU unless those non-EU countries have been certified as providing adequate data protections. It is a high bar and currently only a handful of countries have been certified. The Indian government and industry have unsuccessfully lobbied for years to get India accredited under the current regulations, but GDPR will make that even more difficult. In this regard, the Supreme Court ruling that privacy is a fundamental right will help, but a lot more work needs to be done. A comprehensive data protection and privacy law with real enforcement mechanisms would benefit Indians in more ways than one.