India Can’t Afford To Ignore New EU General Data Protection Regulation

In the same month that Facebook now concedes a privacy bug affected no less than 1.4 crore of its users, something significant happened in guarding against info leak in the cyber world: the EU General Data Protection Regulation (GDPR) came into force in May. It is a charter of rights for the digital age, setting one of the highest standards for data protection anywhere in the world. The regulation, implemented from May 25, is binding on all organisations that deal with data subjects in Europe (and not just citizens of EU member states), irrespective of where they are or where the data is processed.

True, the regulations are framed in Europe, but then America cannot ignore the new EU data protection law. Neither should India gloss over its clauses that were finalised after six years of debate and deliberation.

Law and policy everywhere in the world will be informed by this regulation. This is because it has wide jurisdiction and can impose penalties of at least €20 million for non-compliance. Yet, the GDPR, for all its potential impact, will not be tested first in legislatures around the world. The first frontiers where this regulation’s global salience will be tested are in the courts—in particular, the Supreme Courts of India and the United States.

This is because neither India nor the US has an overarching data protection law. Both the nations aren’t close to getting one. However, the apex courts of both countries have heard two of the most significant cases so far on data protection:Aadhaar and Carpenter V United States.

It’s worth noting that the founding principles of GDPR and the petitioner’s arguments in both these cases are consistent with each other in terms of the kind of standards of data protection they seek. Both the new regulation and the petitioners in both cases have sought protection of citizen’s right to ownership of personal data. They give primacy to citizen’s consent to any use of such data. They also support choice for alternatives that would lower privacy compromises.

The response of the supreme courts in both India and the US will mould subsequent legislative attempts in these surveillance-happy states. Their judgments will travel beyond national boundaries, directly and indirectly influencing human rights in South Asia and the west. They will also have implications for civil liberties movements in Orwellian states everywhere.

Aadhaar and Carpenter V United States

The core of the GDPR is in its chapters on principles of data processing and rights of data subjects. These chapters respectively resonate with the Indian Supreme Court’s judgment in the right to privacy case, the petitioner’s arguments inCarpenter and with Aadhaar. Arguments in both cases have been concluded and judgments are awaited.

In Carpenter, authorities collected 127 days’ worth of past cell-phone locations data related to Carpenter, who was the petitioner and suspect in a series of robberies. The data was able to reveal where—and therefore with whom—Carpenter had been. This information was acquired without a warrant under the challenged US Stored Communications Act. It was used to convict Carpenter with six robberies. He was sentenced to a 116-year prison term.

In contrast to this warrantless procedure against a single suspect, the Aadhaarcase challenged the violation of privacy rights of every Indian citizen. The case challenged en masse collection of sensitive, personal, biometric data of every Indian citizen (sometimes foreign nationals as well) for access to essentials like pensions, scholarships, even food and modern necessities such as mobile phone connections and bank accounts.

Principally, the petitioners in both cases have argued that citizens are owners of their personal data. It follows that data shared by citizens can be accessed, processed and stored only with their consent. Such consent must be freely given, specific, informed and unambiguous. Finally, the citizen must have a real choice for alternative means to access a service with lower privacy compromises. This would include the choice to erase any private information held and a choice to not fall victim to the harvesting of unconsciously generated data.

Chapter II of the GDPR states the principles of processing data: It limits legal protection to the collection of data that is accurate, minimum, for a specified, explicit and legitimate purpose, processed in a manner compatible with the purpose and stored only for the period required to meet this purpose. Chapter IIIembodies rights of data subjects. These include the right to exercise choice on what, how much and for how long their data can be stored and processed, the right to access data held and information on processing of personal data. Data subjects also have the right to request restriction of or object to the processing of anypersonal data and even the erasure of such data.

What now?

The new law and the petitioners in both courts ask for ownership, consent and choice for individuals. In Carpenter and Aadhar, both courts have been presented with a formidable opportunity to achieve legal protection harmonious with GDPR, until their legislatures draft the much-needed laws.

As for the Facebook’s May bug, the leading social media platform says that it has fixed the problem, where posts were getting public despite the privacy settings of the user. The bug won’t affect past posts, the world’s largest social media company has assured.

(The writer is a Delhi-based lawyer, and has assisted senior advocate Shyam Divan in the Aadhaar case.)