The ‘Internet’ has today become an essential part of our lives and revolutionised the way communication and trade take place far beyond the ambit of national and international borders. It has, however, also allowed unscrupulous criminals to misuse the Internet and exploit it for committing numerous cybercrimes pertaining to pornography, gambling, lottery, financial frauds, identity thefts, drug trafficking, and data theft, among others. Cyberspace is under both perceived and real threat from various state and non-state actors. ‘World internet users’ have increased by 826%, from 16 million in 1995 to 3,270 million in the last 15 years, making about 46% of the world population. Internet has emerged as a preferred medium of expression of free speech, conducting trade and business, running daily errands like controlling multipurpose home devices thus generating large volumes of personal data. This data includes names, addresses, mobile numbers, dates of birth, emails, geographic locations, health records like BMI and can aid in various social, political and commercial purposes. This big data, which has been disclosed voluntarily or incidentally through interactive (e.g., Online Surveys) or technological (e.g., Cookies) means has high potential of secondary uses. The protection of privacy and confidentiality of this personal data at residence and in motion within and across the borders is a cause of concern more particularly in modern economies where the data is a treasure- trove for businesses. The current debate in India on “whether privacy (including data privacy) should be a fundamental right or just a right or just a concept purportedly seems to be advanced in the light of privacy law in Europe and US, who have adopted divergent approaches to this issue. However, transposition of these foreign laws to Indian scenario neither takes into account the socio-economic fabric of the country nor its present and future economic interests.
In EU, though most of the member states recognise privacy as a fundamental right, and the right to data protection is generally derived as extension to this right. However, EU Primary Law viz., Charter of Fundamental Rights (CFR) of the European Union of 2000, Treaty on European Union and the jurisprudence of the CJEU, now recognise data protection as a fundamental right. But this right is not absolute and “must be considered in relation to its function in society” and is subject to the principle of proportionality and limitations of Article 52(1) CFR. European Court of Human Rights (ECtHR) recognises processing of personal data and its protection as encompassing the right to privacy. The basic premise of EU privacy protection approach is embodied in EU Directive 95/46 recognizing privacy as a fundamental human right as demonstrated by the repetition of word ‘fundamental right and freedom’ 16 times in the Directive. The spirit of fundamental right has been further reiterated in further refined in EU Directive 2002/58/EC prohibiting any type of interception or surveillance, erasure and anonymization of processed data and location-related data, opt-out regime for itemised-billing and calling-line identification. Most importantly inclusion of opt-in regime for cookies to be stored in browser, all these subject to consent and certain exceptions like security or criminal acts. Recently, EU has passed Regulation (EU) 2016/679 which would replace the existing privacy law in EU by 25 May 2018. It is a comprehensive Regulation covering Businesses outside EU and data residing outside EU. Thus the approach of EU to protect privacy of individual, essentially remains ‘regulatory, State-controlled and penal’ and devoid of self management.
The US approach to protection of online privacy is ‘self regulatory’ favouring voluntary market-based approaches over central regulation depending mainly on industry norms, codes of conduct etc. The laws are in piece-meal, sporadic, inadequate or non-existent demonstrating that protection of privacy is not an issue for the political and democratic systems in US. There is neither a comprehensive law nor any comprehensive mechanism to enforce protection of privacy in US leaving everything to ‘industry self-regulation’. However, due to interdependence of EU-US businesses over each other and presence of a well-crafted law in EU, the US negotiated a ‘Safe Harbor Privacy Principles’ as an alternative to the adequacy clause in Article 25 of Directive 95/46/EC, wherein US businesses qualifying ‘safe harbour’ would be deemed to have provided adequate privacy protection. The ‘safe harbour’ provision was struck down as invalid in famous Schrem’s Case by Court of Justice of the European Union in 2015. Subsequently, in view of invalidation of ‘safe-harbor framework’ and General Data Privacy Regulation (EU) 2016/679 likely to be in place by 2018, the US Government have negotiated with European Commission, an “EU-U.S. Privacy Shield” purportedly more stringent and robust than ‘safe harbour framework’. In future US would bring pressure on EU to relax privacy protection framework while negotiating TTIP, but EU would have to limit itself within the framework prescribed by CJEU.
While EU approach recognise protection of privacy as a fundamental human right, US approach is to adopt iota of interference in privacy rights of individuals, treating these rights as commodity and thus leaving the issue to market forces. Does this statement gives an impression that US has closed its eyes to the stringent data privacy laws in EU? Superficially it may look so but that is only an illusion. US is vigorously using its negotiating skills in drafting Free Trade Agreements (FTAs), with trading partners across the globe, incorporating crippling provisions, putting fetters to the data privacy concerns, in the name of facilitating free trade. Disguised in it is the message that if a partner want free trade with US, its data privacy laws should not act as an impediment to free flow of data to US. Two such FTAs of interest are Trans-Pacific Partnership (TPP), already signed but not in force, and Transatlantic Trade and Investment Partnership (TTIP) being negotiated between EU and U.S., wherein the U.S. has well-intentioned moves to soften the relatively stringent privacy law, thus giving a protection shield to US businesses from prosecution under ‘post-Schrem-EU Law’. The TTIP is under reconsideration after President Trump announced his intentions, but US intentions relating to protection of privacy are obvious in TPP agreement.
The TPP is first legally binding international agreement affecting data privacy and having provisions for enforcement of violations. A perusal of TPP provisions like Articles 14, 28 and 9 would send a ‘chill wave’ down the spine of proponents of data protection privacy. The entire exercise seems to be an attempt by US to bye-pass the local data privacy laws to protect businesses operating from its soil and pre-empt litigation against its own business interests. A study of TTIP Text which was being negotiated reveals that privacy concerns are being sacrificed over so called free trade.
The present ‘right to privacy” debate in India is however oblivious to the fact that privacy issue being debated today could adversely impact the socio-economic interests of India as a Nation and its Citizens. It seems ‘rights based approach, is getting crushed under the growing weight of the economic based approach being adopted by the combined might of EU- US trade blocks. The varying cultural backgrounds of the societies of EU and US were reflected in their contrasting approaches to protection of privacy initially. Recent developments like BREXIT, trade expansionist policy of US and the probable future dependence of EU on US for its economic survival and stability would decide if these two comparative and contrasting approaches to protecting privacy remains so or evolve into a ‘willingly-accepted-forced’ compromise by sacrificing the privacy rights of individuals. With Supreme Court of India recognizing right to privacy as fundamental right and recognizing that a balance between data regulation and individual privacy raises complex issues requiring delicate balancing to be drawn between the legitimate concern of to the state on one hand and individual interest in the protection of privacy on the other. The court has recognized the various facets of information privacy like principle of non-discrimination, anonymity of data etc., leaving it for the State to enact a law which may be fair, just and reasonable and also be subject to constitutional safeguards. The State would do well if it explores the Lessig’s model of regulation of cyber space by regulating the ‘code’ (a factor comprising of sub factors like software hardware internet protocols, standards, biometrics privately controlled governance structure of internet contributing to the character and peculiarities of internet, making it the way it is) as regulation of cyber space would be more efficient and effective if the law regulates the ‘code’ rather than individual behaviour. The ‘code’ if regulated by law has high potential to improve the behaviour of the delinquents in cyber space. A balanced approach in which individual control over data is ensured as a fundamental right but subject to limitations on grounds of maintaining social-well-being or larger national interest, would be desirable in India for protecting privacy in an age of voluntary disclosure and secondary uses of personal data.
Dr. Sandeep Mittal is a cyber security and data privacy expert. These views are his own and do not reflect directly or indirectly the views of organization where he works.
©️ The content of this Article is intellectual property of The 4th Estate and can not be used except with prior written consent of the Editor, The 4th Estate.
