This article is part 2 of a multi-part series explaining the recently issued white paper on data protection in India. The responses to the white paper will help in the formulation of India’s future data protection laws.
The internet has removed geographical boundaries from a number of our activities, necessitating a change to the traditional principles of sovereignty and jurisdiction applied while enacting and enforcing a law. Laws such as Section 75 of India’s Information Technology Act and Section 4 of the Indian Penal Code therefore enable the exercise of long-arm jurisdiction in cyberspace. For example, any cybercrime which is committed using a computer in India is within the scope of the IT Act, regardless of where the cybercriminal is physically located. In the world of data processing, there are a number of different entities, often located in multiple countries, which access personal data. Determining jurisdiction, therefore, is another crucial issue in determining the scope of a data protection law in India.
Data processing involves multiple foreign entities
In cyberspace, it is very much possible for an entity to conduct business within India, say via a website or an app, without actually having a physical presence in India. This makes factors such as the accessibility of the website in India, or the ability to enter into a commercial transaction with that entity from India, more relevant to determining jurisdiction than the physical location of the entity. Cyberspace will, in fact, in future necessitate a change in most laws applicable to businesses from their current geographic form to a more global one.
Such activities lead to the collection, use, and sharing of data with entities in different, and even numerous jurisdictions. Consider websites like Facebook, Google, and YouTube, which have their parent corporations outside India, and thus often involve the sharing of data like your personal conversations, your photographs, or details of your online searches overseas. The BPO industry is another example of this, where data of individuals, such as personal information like name and address and financial information like account details, are transferred to another part of the world.
When you visit a foreign-located website and it installs cookies, your data, such as your browsing activities, is being shared with it. Even if the entity you have handed your data to is an Indian one, it may be enabling data processing through a foreign-located third party. Or it may be using a cloud computing service where the server is located overseas. For example, if you are using a cloud service like OneDrive, your confidential business data may be stored in another country.
Obligation to protect data must have international application
Consider the case of Sitesearch in the US, where Sitesearch bought loan applications of people and resold this data to third parties, including data brokers, who in turn used this data to steal millions of dollars from customers’ bank accounts. Now consider if your data was with this US-based company, and Indian authorities were unable to exercise jurisdiction over the company for its misuse, simply because it is not located within India.
Current data laws in India do, in fact, have such a restriction: the application of Section 43A of the IT Act is limited to data processing by ‘body corporates’ located within India. An obligation to protect your data, and the ability to prevent its misuse, must therefore apply to all such entities which access it at the various stages of conducting business.
The international approach to jurisdiction
Turning to the international approach, the new jurisdiction clause of the EU’s GDPR has every company in the world worried. It enables the exercise of jurisdiction not only over any data processor located within the EU, but also over those outside the EU which process the data of people who are within the EU. For the latter, the processing can be in relation to goods and services being provided by the entity in the EU, and also when the ‘behaviour’ of such people is being ‘monitored’. While the exact scope of this ‘monitoring’ is not clear, it can be extremely broad, and could even include the use of persistent cookies or IP address logs.
A similar, though less stringent, provision can be found under Australian law, where jurisdiction can be exercised over processing by all Australian organizations, irrespective of whose data is processed by such organizations, and over any non-Australian organization if it has an Australian link. Other countries like Canada and Singapore, on the other hand, are silent on the issue of jurisdiction.
Should data of juristic persons be protected?
While considering jurisdiction, some other issues also arise in addition to traditional issues. One such issue is whether the law should protect only the data of natural persons, or that of juristic persons like companies as well. South African law, for instance, protects both.
This refers, for instance, to the protection of data such as confidential business information and corporate strategies of juristic persons. Such data is typically protected via contract like non-disclosure and confidentiality agreements, or through the general trade secret law, a law which is not in force in India.
Applying the data protection law to juristic persons, however, creates different issues. It may definitely provide better protection to companies for their confidential business data. It may also, however, create conflict between contractual arrangements like the confidentiality agreements and the law, similar to those seen with licensing agreements and copyright law. At present therefore, it may be best to leave a discussion on a data protection law for juristic persons for a later stage.
Application to the public and private sector
Another issue that arises is whether the law should apply to both the public and the private sector. Different jurisdictions have taken different approaches to this, with the EU law applying to both, Australian law applying to the private sector and certain specified public sector entities only, and Canada enacting separate laws for each.
The government normally takes exemptions for activities like investigations, maintaining national security, etc. However, a lack of a law applicable to the public sector can lead to unwarranted intrusion by the state and can legitimize large scale surveillance. The power given to the state to process data and the protections that apply are therefore another crucial issue.
Retrospective application
A last issue is that of retrospective application, or the extent to which the law should apply to past collections of data. This is a tricky area, since reobtaining consent for data previously collected is difficult. At the same time, there is a large amount of data that was illegally collected and compiled, such as that in the possession of data brokers.
A method needs to be devised to deal with such past illegal collections of data. Similarly, consider the WhatsApp–Facebook case, where data from WhatsApp users has been shared with Facebook based on past policies. The retrospective application will determine whether the new law will protect the data already disclosed to Facebook, and whether Facebook can continue to access, use and disclose the data based on the previous consent.
Striking a balance and key questions raised in the White Paper
While framing a jurisdiction clause, an overly restrictive clause, such as one restricted to entities located in India, will prevent the state from protecting people against a number of violations. At the same time, an overly broad clause, such as one applying to any website that can be accessed in India, can lead, in effect, to regulating the entire internet. For the proper exercise of jurisdiction, it is essential to strike the right balance. Additionally, jurisdiction cannot be restricted merely to the exercise of judicial power, but must also include investigative powers and the power of enforcement.
In view of the issues which arise, the White Paper has sought comments on the following key questions with respect to the territorial and personal scope of the data protection law:
- What should the territorial scope and extra-territorial application of India’s data protection law be?
- Should the law apply to entities with no presence in India which process data of Indian residents?
- What kind of link, parameters or business activities should be considered for applying the law: regulating entities carrying on business in India, entities offering goods and services in India, or entities where processing happens in India?
- What measures are needed to ensure compliance by foreign entities?
- How should the law apply to the public/private sector? Should there be separate laws for each sector?
- Should the law also protect data on juristic persons like companies?
- Should the law have retrospective application? If yes, to what extent?
- Should there be a time limit for compliance?
- Any other views?
Part I of the series can be found here.
Asheeta Regidi is a lawyer and author specializing in technology laws. She is also a certified information privacy professional.
Published Date: Dec 02, 2017 11:13 am | Updated Date: Dec 02, 2017 11:13 am