Pages

2 June 2018

What GDPR Means For India: How Europe's Data Protection Law May Indirectly Protect Indian Users


If you use Twitter, Facebook, Google, or access any online platform really, chances are you have seen a notification that the company has made some changes to its privacy policy before 25 May 2018. All of these updates are in preparation of the GDPR, Europe's new behemoth data protection law.

What's so important about the GDPR?

The main purpose of the GDPR is to ensure that the privacy and personal data of every individual (or data user) within the European Union (EU) is steadfastly protected. It seeks to regulate the purpose for and the manner in which several entities, including governments, collect and process data about individuals using automated means (data collectors / data controllers).


As we all know, the basis on which any personal information is collected, processed, transferred and even disposed off by a data collector is contained in those jargon ridden, sleep-inducing terms and conditions. Privacy policies are equally known for how complicated they are to understand, although they contain crucial information for data users about what parts of their personal, online privacy they are giving up in exchange for the services offered by the data controllers.

A combination of all this heavy legalese and how frequently we encounter them results in us checking the "I Accept" box without reading through. This phenomenon is nicknamed "consent fatigue". Not only are we substantially unaware of what terms we are signing up for, but this is also an added incentive for the data collecting entity, to put in onerous clauses just for good measure. Consent fatigue also means that we run the risk of giving up a lot of the protections every time we hurriedly click on "I Accept".

Most data protection regulations seek to address this problem of consent fatigue in different ways.

The GDPR, for its part, recognizes this problem of fatigue as one that can be solved by simplification of terms and proposes that the entities collecting data (data collectors) shoulder the responsibility of communicating their terms in simple, understandable and interesting ways to the data user.

Although it might have its limitations, this is a significant proposal because it shifts some key responsibilities on to the shoulders of the data controller: ensuring that a user's data is secure, the collector's processes are transparent and the user is informed of any leaks or breaches immediately.

What rights do individuals sharing their data have under the GDPR?

The GDPR contains a robust set of rights for the data user.

It extends to the data user the right to request that her data not be processed anymore, the right to request the collecting entity to reveal what kind of information they collect, to the right to port her data from one data controller to another competing controller. It gives more teeth to the inalienable right to privacy by imposing corresponding obligations of designing secure data processing systems and notifying a data user of any leak or breach immediately.
So, what's the drawback of GDPR?

All of this sounds great, but like most human creations, the GDPR also has its limitations. For instance, it might still not be able to solve consent fatigue. While long winding, highly technical terms and conditions might be the leading reason why we don't read them - making them simpler might just be a temporary solution. Equally, from a compliance perspective, the GDPR is a mammoth legislation. It places substantial new responsibilities on data collectors and data processors, and although this was the leading reason for the buffer period of 2 years before it became effective, many companies are still struggling to put all compliances in place soonest.

Most public policy questions are "wicked problems", meaning that solving one problem will most likely unearth tougher ones, and unleash unintended consequences. So also, the worry with the GDPR is that by imposing heavy compliance burdens on data controllers suddenly, it runs the risk of creating a chilling effect on technology and innovation in Europe.

For these reasons (and a few more), the GDPR might not be an enduring legislation although it has many admirable features such as the list of rights every data user has.

It fleshes out detailed user rights, tries to deter user exploitation by proposing a significant penalty, and does its part to nudge the Europe facing data ecosystem to become more accountable.
How relevant is this law to India?

There are two ways to answer this question - first, the direct impact the GDPR has on Indian businesses and people living in India; and second, its indirect impact on India's legal approach to privacy and data protection.

As the GDPR seeks to protect data users in Europe (and regions where the EU laws apply), it might not really make a difference to data users in India. However, this law extends to both citizens as well as non citizens within the boundaries of the continent. So, if you have plans to travel to Europe, you have the added advantage of being covered by the protections under the GDPR as soon as you land there.

On the other hand, the GDPR requires companies all over the world to comply with its provisions if they provide any goods or services anywhere in Europe, or in any manner monitor the behaviour of any individuals in Europe. This means that some Indian sectors such as information technology, the outsourcing industry and pharmaceuticals might be hit by the GDPR. As the penalty for contravention is up to 4% of the annual turnover of the company, this is not a trivial obligation for affected Indian data controllers.

However, the biggest impact of the GDPR for India is probably the indirect, or the persuasive impact. Evidently, in preparation for the day this law kicks in, companies across the world have updated their consent terms and their privacy policies. Although it seeks to protect people within the jurisdiction of the European Union, it has clearly shaken up the entire ecosystem. This is not necessarily a bad thing.

GDPR - the new global standard

India is behind schedule when compared to the advancements several western nations have made in privacy and data protection. This becomes a cause of concern when a regulation (such as the GDPR) sets the global standards for data protection. A situation where Indian companies are arm twisted into accepting EU standards of data protection is undesirable, but wholly possible given the flurry of activity following the GDPR.

That said, solutions to the legal gaps in privacy and data protection should be arrived at keeping in mind historical cultural, socio-economic and jurisprudential contexts. In India, unlike many countries across the world the right to privacy was not treated as a fundamental right until last year. It is only now, post this paradigm shift will we begin seeing several connected legal norms changing. Data protection is but one aspect of this sea change.

India must take this opportunity to objectively examine how the GDPR is rolled out and how it fares. In order to ensure that it creates a legislation that lives on, it must identify the core principles on which a data protection law will be founded. With the divide between technology and the law gaping wider with each passing day, India's data protection law must aim to bridge any information gap between data users and data controllers. It must build in review mechanisms to ensure that controllers are held accountable, while at the same time encouraging them to innovate voluntary best practices for privacy. It should learn from the GDPR and flesh out the rights every individual has over her data and the harms that are recognized under law. Equally, as observed from the GDPR, India must not over-regulate, as this is one of the surest ways of creating a chilling effect on both technology as well as privacy.

About the author: Manasa is a Research Associate at the Takshashila Institution, an independent and non-partisan think tank and school of public policy. Manasa works on issues at the intersection of technology, law and policy. She tweets from the handle @nasac.

No comments:

Post a Comment