25 MAY 2018
Answer questions in NOT MORE than 200 words each. Content of the answer is more important than its length.
Links are provided for reference. You can also use the Internet fruitfully to further enhance and strengthen your answers.
GS II- GOVERNANCE
Q1. The European General Data Protection Regulation (GDPR) is a very progressive text and closer to Indian Constitutional understanding, yet it should not be blindly followed while framing India’s data protection policy. Comment.
- The European General Data Protection Regulation (GDPR) seems like as a modern, progressive text. The GDPR is in a lot of ways closer to our constitutional understanding of data protection as articulated by the Puttaswamy judgement of August, 2017, in which nine judges of the Supreme Court unanimously held privacy to be a pivot for our fundamental rights. So when the GDPR provides for an explicit consent-based mechanism and continuing control for users, it seems to be setting a legislative template for India. However, it is not as if there are no risks in parroting the European solution. When it provides a “strong law” for users, the GDPR also seems like a strong-arm law to trade and commerce. Two common business objections are made. The first cites a rise in costs that would impact users, in which a bureaucratic apparatus would require companies to pass on a data protection tax. Such an argument is clearly out of step with the realisation of recent months that leaving personal data unprotected erodes trust in technology.
- The second objection concerns the wider, sectoral ambitions of India’s IT entrepreneurs who ideologise permission-less innovation. They argue that regulation will make them unable to compete globally. This is incorrect on several counts, beside being self-defeating. It ignores that privacy and data protection are inherent to the coming waves of innovation. Data protection will act as a regulatory springboard to the next generation of online products and services. This, in turn, will provide a cleaner, sustainable and rights-friendly alternative to the existing theology of treating data as a fossil fuel. If anything, “strong” data protection is beneficial for the long-term health of the technology sector by improving user trust and sectoral competitiveness.
- If we hasten, we are sure to fall. Blind adoption of the GDPR would present immediate peril for several reasons. As an ambitious project, the text of the GDPR has tremendous breadth and is riddled with business exceptions which may provide porous sieves for personal data. While refinements may be incrementally made in Europe, we in India at the outset need to have foresight in adopting the drafting choices of a foreign, even if influential, text.For instance, two areas where concern arises are its impact on the right to free speech and expression and the right to information laws.
- In India, there has been constant worry by activists defending the embattled Right to Information Act. Prior experience makes them wary, as the judiciary has been frequently citing privacy to undermine government transparency. The Supreme Court upheld an order denying access to the income tax returns of a public servant. Hence, every effort should be made that the motivation to correct the absence of a data protection law does not end up hurting individuals by making government opaque and unaccountable.
- As India stands at a crossroads, it should chart its course picking up the best ideas and practices that promote user control over data. This requires adaptation from both the U.S. and the GDPR. Our challenges are extensive, and our interests diverse. Here virtue lies in the humility to learn from others and care to protect our residents. As a public policy goal, we should borrow freely but use such knowledge within legal regulation to enlarge individual liberty.