Data privacy is broadly concerned with giving individuals control over their sensitive data. They should be properly informed about why their information is being collected and how it will be processed, all done within the realms of consent and confidentiality. The spotlight is on the last two words.
While privacy is becoming the new cool word for brands, its impact is much deeper than any of them can visualise. This is because they hold the personal data of so many people, most of which should never go public. In the rat race to become the fastest and smartest, companies have even resorted to bullying individuals into giving them consent (read: WhatsApp). Surely that is not the precedent we would like to see.
European Union: The Leader in Privacy Laws
European Union’s General Data Protection Regulation (GDPR) has become the gold standard for privacy laws worldwide. Rolled out in 2018, it applies to all businesses and institutions that ask for EU citizens’ and residents’ personal data. It doesn’t matter if the entity is based in the EU or not.
GDPR lays out seven comprehensive principles on which accountability and protection are to be based. These include the likes of transparency, minimal data collection, limited duration of data storage and confidentiality. Violations attract hefty penalties, going up to (and beyond) €20 million in some cases. It forces companies to prove and stay on top of their compliance requirements.
As stated earlier, consent is at the heart of data privacy, and GDPR amplifies the same. It categorically lays out what consent means, who can consent, and how that information can be processed. The law moves away from “implied consent” and towards “expressing consent”. For example, it states that requests for consent must be given in “clear and plain language.” Additionally, consent must be “freely given, specific, informed and unambiguous,” thus adopting a no-nonsense approach.
GDPR lays out the ordinary person’s privacy rights to ensure that they remain in control of their data. Not other individuals, not governments and definitely not businesses.
Building on the GDPR
Along with the Electronic Identification, Authentication and Trust Services (eIDAS), which secures cross-border electronic transactions, GDPR has become central to the digital transformation of Europe. Both laws provide the legal environment necessary to implement and safely offer other initiatives.
Without going into its nitty-gritty, one such initiative is the European Self Sovereign Identity Framework (ESSIF), a part of the European Blockchain Service Infrastructure (EBSI). The primary aim of ESSIF is to implement self-sovereign identities so that users can control their identity without relying on any centralised authority.
A more recent one was the launch of the European Digital Identity Wallet, which hopes to enable people to access services online and offline without sharing unnecessary personal data.
The ESSIF and the digital wallet derive their powers from the privacy and compliance guidelines set out in the GDPR and eIDAS because that will make people trust these new services. It is precisely the need of the hour the world over – cross-sectoral privacy laws that protect citizens and encourage them to participate in the digital transformation of a nation.
Some Other Governments Who Care
While the EU was one of the first to take a step in the right direction regarding data protection, many other countries have also set out strict privacy laws. Taking cognisance of these legislations, many global companies have started appointing compliance officers to ensure they work within the legal framework.
United States of America
When we talk about the USA’s privacy laws, the one that stands out is the California Consumer Privacy Act (CCPA). The CCPA has broad applicability for businesses and institutions that involve Californian citizens. While the country does not have a law that transcends regional boundaries, different states have taken the initiative to implement their own. Virginia and Colorado recently introduced their privacy laws.
Japan amended its Act on Protection of Personal Data in 2017 to extend its scope to domestic and foreign enterprises that use data of Japanese nationals. Further, Japan collaborated with the EU to create a “white list” of companies that qualify as compliant with their laws. This made it easier for those companies to operate globally.
The island nation’s Privacy Act came into force in 1993. An amendment then took place in December 2020. While it incorporates different aspects related to personal data, it has fewer restrictions and fines than GDPR. However, some of its elements are similar to Australia’s Privacy Amendment passed in 2018.
The Latin American country’s Lei Geral de Proteção de Dados (LGPD) was implemented in 2020. It was also very closely based on the GDPR guidelines issued by the European Union. Therefore, all companies planning or doing business in Brazil were under the umbrella of this privacy law. Non-compliance carried severe consequences.
India: Privacy as a Fundamental Right but no Law?
In August 2017, a nine-judge bench of the Supreme Court gave a landmark judgment stating that privacy is a fundamental right for Indians. It was said to be intrinsic to life and liberty and thus, was to be included in Article 21 of the Indian Constitution.
While that judgment brought attention to privacy and data protection, there was an eminent gap in the country’s regulatory framework. The only existing law, the Information Technology Act, 2000 (IT Act), had a limited scope. As the largest democracy in the world, it did not do much to prevent institutions from misusing its citizens’ sensitive data. All this despite the cry for help in the wake of rising cybercrimes and data breaches.
In 2017, the government appointed a Data Protection Committee (DPC) under the chairmanship of Justice B.N. Srikrishna to unearth data protection issues in India. Through its report, it proposed an all-encompassing law on data protection.
The Personal Data Protection Bill (PDPB), 2019, was introduced in the Lok Sabha but ran into serious trouble, as luck would have it. The stand-out issue was that it gave the government the right to allow law enforcement agencies and authorised third parties to access personal data, in case of crime investigation, without any legal obligations. This part of the law also directly contradicted the Supreme Court’s judgement of privacy as a fundamental right.
Taming the Big Ones
Granted that the PDPB 2019 has its fair share of controversies to deal with, but time is indeed running out. It has the makings of a strong legislation and has taken great inspiration from its European counterpart. But the initiative and determination to roll it out are still missing.
The European Union has been successful in taming the big names. Investigations have been opened against, and penalties levied on, the likes of Google, Facebook, Apple and Amazon for deviating from the law.
There is undoubtedly a strong precedent that the EU has established. If India can just take a leaf out of its books, the future may look brighter. The government has been vocal about its digital agenda, but that dream is far-fetched without data security.
While the challenges are certainly evident, ensuring that fair privacy laws are passed is only a part of the problem. Implementation will be a whole new challenge for the government. We get a brief idea from the non-enforcement of current IT sector rules. Big or small, rarely have companies come under the radar for non-compliance.
Apart from that, Indians may be missing out on powerful initiatives, such as an EU-like digital identity wallet. It can be a silver lining for a country grappling with inequality and the unavailability of services to the masses. Digital can empower development.
The clouds are our new home, and we are building them brick by brick with our data. But how can we live in them if there is no lock?