P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
Applicability of any law is generally limited to the jurisdiction in which the law making body has the power to legislate. Hence every sovereign Government has the power to make laws within a given jurisdiction.
In some countries there is a federal governance system and there could be multiple sub geographical areas where law can be made independently while the federal law may apply to all such sub units.
For example the Union of India or USA or EU can make federal law applicable to the entire country of India, United States of America or all the EU member countries etc. At the same time individual States of India may have certain powers to make laws for Governance activities listed in the state list or concurrent lists. Similarly the States of USA such as California or New York or Colorado or Connecticut can make laws applicable within the state. So also the individual members of the EU which are countries in their own right can also make laws for their countries.
Some times the Federal laws and State laws may over lap and create compliance confusions. It is for the law makers to avoid such confusions by incorporating suitable explanations in the law.
One distinct take of this law making principle is that India cannot make a law applicable in EU and EU cannot make a law applicable in India. However in certain circumstances, if the activities of a resident of a foreign country could lead to an adverse impact on a local resident, the local Government can add “Extra Territorial Jurisdiction” in its law and say that the law is also applicable for activities outside the jurisdiction of the law making body.
This extension of the jurisdiction has been used in laws like GDPR where it is provided that if the personal data of a EU citizen is processed outside EU for profiling a EU citizen/resident or for carrying on targeted business with the local resident, then GDPR is applicable to such processing.
Some times organizations which are constituted subject to laws in a particular country represent the country and its activities outside the country, need to be monitored by the Government of the resident country of the organization in order to ensure that its citizens (individual or corporate) do not become an embarrassment to the country.
In view of the above, while defining the applicability of law such as the data protection laws, we normally consider
a) What is the type of data and what activity related to such data to which the law is applicable.
b) What type of organizations and their place of constitution to which the law is applicable
c) Whether the law is applicable to organizations constituted and operating outside the law making country and if so under what conditions
While PDPB 2019 followed the GDPR and stated that the law is applicable for “personal data” when collected, or processed in India, it also extended the law on the basis of companies constituted in India for their global operations and for foreign entities who could remotely process the data of Indians for profiling and for targeted business.
In these circumstances, it is necessary for us to remember that all laws are basically applicable within the country of origin of the law and every extension to this basic principle is an exception and should be read with the conditions attached.
Also when we speak of a duty to pass a law as part of Governance responsibilities, the duty is to the citizens of the dominion. Any extension of this to the “Non Citizens” is also an “Extra-territorial application” considering the category of people to whom the law is applicable as a “Territory”. Hence when the law says that data protection law is applicable to “Residents”, it can be made conditional and the remedies available to a resident who is not a citizen could be different from a citizen though such differences could lead to charges of “Discriminations” based on racism.
However, as long as the differences are logical and have a purpose, they can be justified. One example is the Indian law of CAA which gave some different treatment to immigrants based on whether they are Hindus/Sikhs/Jains or not.
Laws may some times overlap not only because of the territorial reasons, or citizenship or residential status but also on the material scope such as ITA 2000 being applicable to both personal data and non personal data while PDPB 2019 is applicable only to personal data.
One of the challenges in designing the New Data Protection Law in India is to consider if we can reduce the potential overlapping of the laws by being clear about the “Applicability of law”.
Most data protection laws often state that the “Notice given to a data subject/Data Principal should be clear and precise”. Similarly the citizens have the right to expect that the law itself is as much clear as possible at least regarding its applicability though on other aspects, interpretation may be inevitable.
The argument made by one of the justices (Justice Chelmeshwar) in the Puttaswamy judgement that ” ..there is no need to define Privacy to create liability on organizations to protect privacy” is not an ideal way to handle law making. It is with such approach that today every day to day operational notification of a company (eg UIDAI tender to appoint an agency for social media monitoring and IRCTC tender to study the monetization prospect) is referred to the Supreme Court besides the notifications issued by ministries, converting the Supreme Court into a sub executive body rather than a separate judicial body.
We therefore try to define applicability of the New law by defining Privacy, Data, Roles of different stake holders properly. Once an organization or an individual understands clearly that the law is applicable to them, it becomes easy for them to consult experts on how to be compliant. If the stake holders are in doubt about the applicability then they tend to remain non compliant by ignorance or mis-interpretation.
In the new Data Protection Act, one option is just to adopt the current PDPB 2019 provision of Section 2 according to which the law will apply to “Personal Data” of “Natural persons” processed by any type of juridical entities constituted in India (Companies, Government, Partnership firms, associations of persons and also individuals collecting data for business purpose) with exceptions of foreigner’s data processed in India (Erstwhile Section 37).
While this would be a straightforward approach and would suffice with the addition of “Exemption for processing of personal data of foreigners in foreign locations also” on the lines of Section 37, we would like to explore if it is possible to adopt a different approach to define applicability.
In all laws, we define the applicability and then define rights and obligations of the stake holders to whom the law is applicable. What we are trying to explore is whether it is possible to define the rights and obligations first and then all those who have those rights or obligations will automatically be considered as coming under the applicability of the law. This may also re-define the chapter on “Cross Border Restrictions or Data Localization” which becomes exercising of the rights of the data principals rather than a compliance imposition by the law enforcement agency.
This approach is radical and needs deep thinking. We shall debate this both here and also in the IDPS 2022. In the meantime, please do share your thoughts.
P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.