According to UNCTAD, 128 of the 194 UN affiliated countries have put in place legislation to secure the protection of data and privacy. 158 countries have in place the E commerce laws and 154 countries have Cyber Crime laws.
While the need for a law in each jurisdiction is essential because the countries are sovereign countries, the existence of multiple laws makes it extremely difficult for the global citizens to follow and comply. This problem is accentuated because the technology has been developing in the direction of breaking down the barriers of communication and data moving freely across the political boundaries.
This issue is more pronounced in the data protection laws since data processing is an important business activity and cross border business engagements are common.
While the commercial aspects of data and its utility has created an interest in Governments opting for “Data Localization”, most laws try to retain extra territorial jurisdictions to impose penalties and bring in impossible conditions into business contracts in the form of “Standard Contractual Clauses” and “Abdication of the local security considerations”.
In this scenario, a data processing company which operates a website and cloud services to collect, process and disclose personal data through the internet faces the challenge of being exposed to multiple data protection laws.
While most laws look similar, the very fact that democratic countries which genuinely respect the right of privacy and implements laws to protect the right of privacy, dictatorial regimes like China, fake democracies like Pakistan, religiously fanatic countries in the Muslim world all seem to have laws called “Data Protection Laws”, makes it obvious that that the laws can share the same name but inherently are different.
At the time of compliance this creates a problem since the entire personal data accessed by the organization needs to be properly segregated before the compliance can be achieved.
While in terms of a framework for compliance, the PDPSI or the Personal Data Protection Standard of India promoted by FDPPI (Foundation of Data Protection Professionals in India) has developed a Unified Framework of compliance by incorporating an appropriate data classification system, the complexities of creating a “Foundation Compliance Framework” and customize it for “Law Specific Modifications” remain because every law looks similar but has some subtle differences.
It is therefore necessary that an attempt should be made by the UN to develop a “Model Law on Data Protection” and persuade its members to bring uniformity to the laws. However UN in recent days has become completely in effective because of the archaic “Veto” system and unless this system is disbanded, UN remains a useless organization.
The EU for its own reasons has tried to unify the laws within 27 countries of the Union but still retains differences in terms of State Laws. US calls itself a federation of 50 states but is allowing each state to pass its own data protection laws rather than forcing adoption of a single data protection law for the entire country. Many other countries including Canada, UK and Australia may have issues with provincial Governments and independent administrative territories splintering the laws.
It should be appreciated that India even when it adopted the Information Technology Act adopted it as a federal law and with the integration of J&K into the country with the abolition of Article 370, the upcoming data protection law is also being framed as a “National Law”.
In the Past there has been an attempt by some States to intrude into the Central legislative powers under Information Technology Act 2000 through amendments in Police Act or State Stamp Act or other laws. Given even a slight opportunity there are rogue states who may take an aggressive stand to promote local laws different from national laws by citing the “Powers of the State to control law and order” to infringe on the Data Protection Laws.
To prevent such a possibility, we need to ensure that PDPB 2019 is made water tight as a single data protection law for the entire country including the Union Territories and no opportunity is given to the States to make any amendments.
It should declare that
“No State Government shall have the power to make laws which may contravene the provisions of the PDPB/A” and any amendment required to be be made for regional considerations shall be made only through the PDPB/A and not through any state law.
Based on how this “Unified Data Protection Law for the entire country” is defined, we may also amend the information technology act to define “Cyber Crime” and create a federal agency for investigation and prosecution of cyber crimes.
Comments are welcome.