Building consensus on privacy laws will be an arduous task – istock.com/weerapatkiatdumrong
Convergence on this front will be in the interests of nations, organisations and citizens. India is capable of leading this effort
With the introduction of China’s Personal Information Protection Law (PIPL, effective November 1, 2021), which complements its Cyber Security Law (CSL, 2017) and Data Security Law (DSL, 2021), all multinational organisations that collect or process data and do business in or with China have a new set of rules to follow. The Chinese legal triad works in tandem, has a broad global reach and provisions heavy penalties for non-compliance.
Unfortunately, despite the world being digitally intertwined, a cybersecurity, data protection and privacy framework that is binding at the global level still doesn’t exist. With the finalisation of report on the Personal Data Protection Bill 2019 by the Joint Parliamentary Committee on November 22, India is on the verge of getting its data protection law. India has a fantastic opportunity to learn from China’s dilemma proactively and lead by example.
The majority of the personal data protection laws evolving across the globe, India’s PDP and China’s PIPL included, align well with the European Union’s Global Data Protection Regulation (GDPR.) Basic rules of personal data collection, consent, storage, use, processing, transmission, disclosure, retention, and deletion are quite consistent across the nations.
Need for global consensus: The majority of personal data protection laws, which more than 80 countries have enacted so far, honour privacy as a fundamental human right. However, when it comes to digital activities conducted within or outside of a country that have the potential to harm national security or public interest or damage the legal interests of a national or organisation, each government discerns the potential threats through their own lens.
The vested economic, political, and multinational interests further cloud the government’s vision and exacerbate the complexity. A global framework can remove the discrepancies amongst nations’ enforcement of their laws worldwide. Secondly, it allows concerted efforts to combat data terrorism, identity theft, data breach and fraud. That, in turn, sustains cyber security and privacy compliance within the nations.
Organisations: Multinational organisations have a new set of rules to follow with every passing legislation. The differences in legislation that might appear minor have profound implications. It distracts the focus from their core competencies and thus affects their ability to create value for society.
For example, the July 2020 ‘Schrems II’ judgment by the Court of Justice of the European Union (CJEU) illustrates how the perceived difference in EU’s philosophy on privacy from that of the US carries the potential to bring the day-to-day business of more than 5,000 companies on both sides of the Atlantic to a screeching halt. In extreme situations, it may even lead to the withdrawal of companies.
Societies: Numerous observations, especially from international trade and taxation, indicate that large corporations, with their deep pockets, have a propensity to exploit the loopholes due to the lack of consensus amongst governments. This behaviour further pre-empts a level-playing field for any emerging ideas, leads to the monopoly of a few, and directly impacts societal growth. Mutually agreed rules of cross border data flows are also essential to share the data for international research in health, agriculture, education, and other fields. Finally, it can provide assurances in an environment where it is hard to know what is fake or misinformation and whom to trust.
Individuals: Privacy is about an individual’s cognitive freedom and the right to protect one’s identity. And identity is about one’s dignity, which is the foundation of all fundamental rights. Therefore, the human-centric rationale demands that the global consensus effectively enforces existing privacy protections and thus enable citizens to exercise their privacy rights agnostic to the governance models.
Current efforts, challenges
The current efforts to adopt standard guidelines go back to the 1980s when the OECD adopted the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. Recently, forward-thinking agreements on the protection of privacy and transborder data flows have been devised both between countries through bilateral agreements — for example, United States Mexico-Canada Agreement (USMCA) — and within the multi-lateral organisations, for example, the Organisation for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation (APEC), Council of Europe, etc.
These arrangements suffer from apparent limitations. First, although the decisions are reached by consensus, the commitments are non-binding on the members. Secondly, the scale of participation is too thin to be genuinely regarded as a global agreement. Lastly, these frameworks lack the ability to customise with the local needs.
It is due to the governments discerning the threats from activities that can harm national security, public order or damage friendly relations through disparate lenses. The economic, political, and multinational interests further exacerbate the complexity. These politico-economically crafted perceptions of surveillance states and protectionist measures are one of the biggest roadblocks in the path to a consistent global framework. Building a consensus that normalises each country’s national security and balances it with its respective privacy laws will be an arduous task.
India has a historic opportunity to present Aadhaar and PDP symbiosis as a global benchmark. India’s Aadhaar architecture has shown how a democratic government can effectively deliver services to more than one billion citizens while preventing possibilities of a surveillance state or misuse of personal data. In fact, the Aadhaar Act is one of the first pieces of legislation to have imbibed the principles of privacy.
The judiciall scrutiny through the ‘Puttuswamy I’ and ‘Puttuswamy II’judgments on data privacy’s legal, humane, and technical aspects further deeply examines and elaborates multiple perspectives.
Besides legal frameworks, India can provide the technology and build capacity for other nations. For instance, CoWIN, UPI, Aadhaar, EVMs are India’s technological successes in which around 150 nations have shown their interest.
India can leverage its technical, economic, and legal wisdom from international collaborations in several other sectors, such as climate change, solar energy, space research, and the blue economy.
The way ahead
The cross-border data flows become very complicated with sovereignty, privacy, and security concerns at both ends of each data flow. Unlike the incumbent costly oil wars, the global data wars could have unprecedented costlier consequences. Learning from its past mistakes and recent collaborative efforts, it is in the interest of nations, organisations and citizens to converge the data privacy regulatory regime.
With all the right ingredients to nurture, build and share such an ecosystem, as the fast-growing diverse economy and the IT/ITeS powerhouse of the planet, it is in India’s best interest to address this gap by taking the lead in building a global consensus on the broader contours of the data privacy frameworks.
Jain is a US-based cyber security advisor, and Mittal is an IAS, and CEO of Zila Panchayat, Raigarh.Views are personal