Controlling the machine: legislation for data protection

Europe’s new data protection regime offers a sound basis for India to craft its own legislation

March 26, 2018 02:02 am | Updated 02:02 am IST

A padlock on technology for the General Data Protection Regulation (GDPR)

A padlock on technology for the General Data Protection Regulation (GDPR)

During the throes of India’s independence struggle, an image of Mahatma Gandhi spinning khadi symbolised not only economic and political autonomy but to its critics an insular withdrawal from industrialisation and technology. This tension is gingerly revealed in a letter from Jawaharlal Nehru to Aldous Huxley, as a partial defence of the Mahatma’s position, when he writes, “I believe in the machine and would have it spread in India, but I also believe in the social control of it.” While dialogues of the past do seem distant to the rapid advances in the fields of big data, algorithms and artificial intelligence, they undergird deeper truths and surface visibly in debates over the formation of a privacy and data protection framework.


It’s all connected

At present India has the second highest number of Internet users in the world, and is an important market for many global companies that have staked dominance within distinct silos of digital services. While Facebook enjoys sway over social networking, Google has completely taken over online search and email, and Amazon continues a growing capture of online commerce. This is further supplemented by a maturing, home-grown technology sector which learns not only its business models and operational strategies but even its corporate culture from such companies. Though there is friction between these global and local firms, they are united in a singular attempt to collect, store and analyse the online behaviour of millions of Indians. It is immaterial whether customers pay for digital services, for the business model of most firms always factors in a premium for personal data.

Another layer for the extraction of information is added by the government. India has the unique distinction of being one of the few countries that gathers vast amounts of personal data through its compulsory national biometric ID scheme, Aadhaar. Its wide pervasive use goes well beyond public entitlements or regulated services to sundry services such as online matrimonial portals. It almost seems data is not the new oil — it is air itself.

The European template

Though digital technology is finely threaded with the fabric of our lives, India maintains a curious omission of a comprehensive, enforceable data protection law. The limited protections which do exist are under the Information Technology Act, 2000, and its subordinate regulations remain substantially deficient and practically unenforceable. This stands in stark contrast to the European Union which has taken time to develop an advanced data protection framework, the General Data Protection Regulation (GDPR), that goes into effect in a few months. There is good reason to look toward Europe. Graham Greenleaf, professor of law and information systems at the University of New South Wales, Australia, who has studied more than 50 countries in the Asia-Pacific region, notes the pre-existing presence of elements of European law within their national laws, with most needing to update them and enact a comprehensive statute. Even as a text, the GDPR is a progressive instrument. The very preamble of the GDPR, reflects an attempt to protect the rights of individuals through a data protection law, treating the requirements of industry and state as limited exceptions. It is this exercise of balance which Nehru adverts to in his letter to Huxley, stating that cottage industry is not to the exclusion of the power loom.


Such search for balance comes from a recognition of the principled protection of the right to privacy within the text of a data protection law and then proceeds to exceptions which are determined under the legal doctrines of necessity and proportionality. Necessity is a threshold evaluation requiring objective evidence that is matched against a proportionality exam in which the advantages due to limiting the privacy right are weighed against the disadvantages. Such principles find legal articulation within the GDPR which makes them practically enforceable. These include a transparent system of data processing which makes users practically aware of what is happening with their personal information at all times. A user’s knowledge is raised to the level of control, where necessity and proportionality are placed both as exceptions and as positive obligations on companies and governments. For instance, they are allowed to use data only for the original purpose under which they were gathered and only to the extent and amount as necessary for performing the function as specified by a user.

The sister doctrines of necessity and proportionality are not strangers to our own constitutional law. Even prior to their express recognition and linking to data protection by the Supreme Court last August, when it reaffirmed the fundamental right to privacy, they have found passing references through the decades. For instance, the Supreme Court has applied proportionality to strike down a law in the 1950s which completely prohibited the manufacture of tobacco bidis. Since the basis of law was to ensure adequate labour to work in the agricultural seasons, a blanket prohibition for all months was held to be disproportionate. Though further precedent exists which limits the sweep of state action, and further support has recently come from the Supreme Court, many rights advocates hold that a balancing exercise for these doctrines may become an unequal bargain between privacy and the demands of big data and the bigger state. There is a credible basis for such fears as often our courts have wavered from the principle of protecting fundamental rights to permitting an expansion of limitations placed on them, with the exceptions gradually swallowing up the rule.

Challenge ahead

This sets up a credible challenge to the future of India’s data protection framework, with sufficient powers for the regulatory body and the courts which will function to enforce it and hold powerful corporations and governments to account. While we must learn and draw from the data protection principles of Europe, we must also focus efforts to ensure their effective enforcement. This will naturally be an effort in not only ensuring desirable legal language within the text of a law but also a larger environment of compliance and respect for privacy. Opportunity for positive outcomes exists in the domain of technology as India has already taken a global lead in enacting a progressive net neutrality regulation. But due to a lack of partnership between civil society and the government, there is a sense of cynicism overcast by the lack of a user-oriented data protection law. Many today wonder about their online safety and express a loss of control. In this there is an important lesson from decades past — to continue our belief in the benefits of technology, we must continue to believe in its social control.

Apar Gupta practises law in New Delhi

Top News Today


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.