ALGORITHMS, LAW AND DEMOCRACY – THE INTERNATIONAL PERSPECTIVE

This article was written by Saloni Agnihotri a student of RGNUL

In order to best understand Privacy vis-à-vis digital media and draft a proper legal framework, it is essential to understand the functions and the objectives of the data protection law and the State-citizen relationship of the concerned jurisdiction. According to Srikrishna Committee’s Report[1], broadly three approaches to data protection dominate the global landscape in contemporary times.

• United States –

In the United States, liberty stands for freedom from State Control. Accordingly, Laissez-faire approach to data protection is followed in the United States. In US, right to privacy was given due recognition under all the existing legal (privacy protection) frameworks mentioned in the 1^st, 4^th , 5^th and 14^th amendments to the US Constitution, Roe v. Wade 410 U.S. 113 (1973)  Griswold v. Connecticut 381 U.S. 479 (1965)[2]. Consequently various legislations including The Right to Financial Privacy Act, 1978, The Privacy Act, 1974 and The Electronic Communications Privacy Act, 1986 were passed to secure the people their right to privacy and protect them from its invasion at the hands of the State.

1.2  European Union

In EU, personal data protection is a fundamental right[3]. the purpose of data protection laws is to uphold individual dignity. A comprehensive legal framework to protect people’s data privacy called the EU GDPR exists. It is applicable to all the organizations established in the European Union regardless of whether or not the processing takes place in the EU, to all the organizations that are not established in the EU but are involved in processing the personal data of Data Subjects who are citizens of EU and to all organizations established at places where EU exercises jurisdiction courtesy public international law[4].

1.3  China

In China, the jurisprudence propounds the favoring of collective interest over individual interest. a proper Cyber Security Law exists which delineates certain principles for the handling of personal data. A consent based framework with strict controls on cross border sharing was adopted recently in China.[5] The Chinese framework on data protection was essentially drafted from the perspective of national security[6].

2.      DATA PROTECTION LAWS IN INDIA – ARE WE KEEPING PACE?

2.1  Existing Laws

2.1.1  The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY (Department of Information Technology)

2.1.2        Information Technology Act, 2000

2.1.3        Indian Penal Code

2.1.4        Intellectual Property Rights

2.1.5        Credit Information Companies Regulation Act, 2005(“CICRA”)

2.1.6        Industry Initiative

2.1.7        Offshoring Data and Contractual Obligations

• Personal Data Protection Bill, 2018

Protecting privacy also means preserving democracy. Indian Constiution does not expressly provide for a Right to Informational Privacy but it is considered to be inherently a part of Art. 19 and Art. 21 of the Constitution. Accordingly, the Right to Informational Privacy can be exercised within the limits prescribed by Art. 19(2). This propostition was upheld by the Hon’ble Supreme Court in 2017 by a nine-judge constitutional law bench in the landmark judgment of K.S. Puttaswamy v. Union of India. Through this judgment, the Indian Judiciary acknowledged the sensitivity of the Data Protection and Data Privacy issue.  It legislated a “transformative, rights – oriented” Data Protection Law that held all powerful entities, including the State, accountable in dealing with citizens’ personal data. Strict, comprehensive and a higher standard of observance was imposed upon the State.

Each country has its own unique style of approaching the Data Protection issue depending on the nature of relationship between its citizens and State. As against the most popular and successful Data Protection approaches adopted by the European Union, the United States of America and China, India recently made a commendable initiative of coming up with its own approach, (the Fourth Way, as many put it), through its draft personal data protection bill which was introduced in 2018. The bill provides for extensive data protection rights to Indian Data Subjects. Accordingly, several severe guidelines with respect to the collection and processing of personal data are included. An analysis of the basic provisions of the bill is merited at this instant to understand it comprehensively and get an overview of the prospective techno-legal landscape of India.

In today’s age of technologically advancing economy, Data is undoubtedly the most crucial asset. In such a scenario, protecting informational privacy, alongside ensuring the processing of personal data to ensure progress, empowerment and innovation, merits serious consideration.    In tune with this, The Personal Data Protection Bill, 2018 provides for a framework to –

1. Protect the autonomy of individuals in relation to their personal data.
2. Specify where the flow and usage of personal data is appropriate.
3. Create a relationship of trust between persons and entities processing their personal data.
4. Specify the rights of individuals whose personal data are processed.
5. Create a framework for implementing organisational and technical measures in processing personal data,
6. Lay down norms for cross-border transfer of personal data,
7. Ensure the accountability of entities processing personal data,
8. Provide remedies for unauthorised and harmful processing, and
9. Establish a Data Protection Authority for overseeing processing activities.

The introduction of Personal Data Protection Bill is the first step towards what seems like a promising future for the technological legal landscape of India.

[1]A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians, Committee of Experts under the Chairmanship of Justice BN Srikrishna

[2]Roe v. Wade 410 U.S. 113 (1973); Griswold v. Connecticut 381 U.S. 479 (1965).

[3] Charter of the Fundamental Rights of the European Union, 2000/C 364/01, Article 8 (2000); Treaty on the Functioning of the European Union, C115/47, Article 16(1) (2008).

[4] General Data Protection Regulation: The Paradigm Shift in Privacy, Article 3(2).

[5]Samm Sacks, New China Data Privacy Standard Looks More Far-reaching than EU GDPR, Centre for Strategic and International Studies (2018).

[6]James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale Law Journal 1151 (2004).