Tech companies have been flooding user inboxes with solicitous emails in an attempt to convince users that they respect their privacy.
This sudden and indeed, unprecedented, outpouring of Silicon valley concern over the past few weeks has been prompted by the impending enforcement of the General Data Protection Regulation (GDPR) - a new European Union law, billed as “the most important change in data privacy regulation in 20 years”.
Indians hoping for a little more privacy, however, will have to wait as tech behemoths like Facebook look to work around the EU provisions by migrating their India users into non-GDPR jurisdictions.
The law seeks to fundamentally change the way corporations and government entities deal with data in an increasingly data-hungry world.
At its core is the concept of meaningful and informed consent: data controllers are required to clearly disclose what data they are collecting, for what purpose the data will be used, and create options for users to access their data or opt out. It also widens the definition of personal data, thereby drawing a large number of previously unaffected companies into its ambit, and prescribes hefty fines – of up to 4% of a company’s global turnover - for transgressions.
In a world where data equals power, GDPR seeks to remind data controllers that big data comes with a commensurate amount of responsibility.
While the law will only apply to EU citizens, its implications are far-reaching: a number of tech giants have re-thought their entire approach to privacy and data protection. Google, Twitter, AirBnB, and Facebook-owned Instagram and Oculus were among the major tech platforms that reached out to international users over the last week alone, informing them of changes to their privacy policies as they move to become compliant with GDPR.
Facebook, the company now synonymous with the lack of data protection, released a draft version of its revised terms of service and data use policy earlier this month. The social networking behemoth has insisted that it will implement new GDPR-compliant data controls worldwide. But that claim appears to be hollow considering that the company’s new terms of service will move 1.5 billion of its 2.2 billion users - including the entirety of its Indian user base - outside of the EU jurisdiction, and out of reach of the punitive measures that forced it to act in the first place.
India is currently in the process of drafting its own comprehensive data protection framework. The Justice Srikrishna Committee, constituted in August 2017 to “study various issues related to data protection” and “suggest a draft data protection bill”, is expected to submit its report next month.
An RTI request filed by Anjali Bhardwaj of the National Campaign for Peoples’ Right to Information revealed that the committee is working with a draft data protection bill drafted by the Ministry of Electronics & Information Technology. The committee has not released this draft bill publicly. It has however, released a white paper outlining the various issues at stake, articulating its views, and listing over 200 questions for public comment.
Can Indian users expect the same level of protection from the forthcoming law that European users will enjoy under GDPR?
“The white paper recognises the need for a rights-based data protection framework, but how it goes about providing that is problematic.” says Apar Gupta, a Supreme Court lawyer who has worked extensively on privacy and freedom of speech related issues in India. “It articulates the central problem as achieving an acceptable trade-off between innovation and data protection, instead of attempting to harness innovation in order to facilitate individual autonomy, dignity, and self-determination.”
Gupta identifies surveillance and big data as key areas of concern in the white paper. “Industry wants big data to be exempted and this demand seems to find recognition under the Srikrishna Committee.” In the context of big data, the white paper says that “consent may not be as relevant”.
“The white paper is also largely silent on surveillance. You can’t have data protection without surveillance reform,” he adds. The white paper also completely glosses over the issue of Aadhaar, despite the fact that it represents the most prominent debate related to data protection in India today.
The Committee’s docile attitude towards state and business interests, critics say, is unsurprising, given that it does not have a single independent member drawn from civil society.
“Most members on the current committee have in the past voiced or echoed views that seem to support Aadhaar, the brand created by the UIDAI. Some have even taken stands in the Supreme Court to challenge the fundamental right to privacy,” said an open letter submitted to the Srikrishna Committee, signed by 22 eminent citizens including Justice AP Shah, who headed a previous committee tasked with studying data protection.
The manner in which the Srikrishna Committee has conducted public consultations on its white paper has also drawn sharp criticism. In its submission to the committee, the Internet Democracy Project lamented the lack of time available to respond to the voluminous white paper.
“By leaving such little time for a consultation with over 200 questions, only very few stakeholders will be able to respond in detail to a consultation that may well determine the future for all Indians in the digital age for decades to come.”
“The GDPR took many years and a lot of deliberation to draft. The process involved academics, experts, and civil society. They invited comments, released drafts, and worked with a higher degree of transparency,” says Gupta. “With the Srikrishna Committee, the process has been problematic.”