The “Privacy laws” as they are emerging in the world are more intended to protect the community of those who want to hide their identity and commit crimes against the society than protect the honest citizens from Governmental surveillance or spamming by commercial advertisers.
The risk in Government surveillance is not so much from the fact that the Government of the day knows too much about its citizens in a Privacy Un-protected world but some political elements would misuse the information for personal gain and for harassing the honest citizens.
If in US we are against Donald Trump, we would not like the US Government to know what is my political affiliation and what underground work I am doing to ensure that Mr Trump does not win the next election. In India, if I am Black Money holder, I would like to do everything to ensure that Aadhaar is not linked to my Bank accounts and argue that such an attempt is privacy invasion. If Congress was in power, I would have been comfortable since I could hold any amount of black money as long as I take care of the politicians.
Most privacy activists may take a public stand as if they are the guardians of democracy but beneath their desire for absolute Privacy Protection, there is an ulterior motive to being able to continue their activities which the society may not like.
We need to give up this hypocrisy and admit that what we need is a protection against misuse of information by politicians for which checks and balances should be built rather than preventing Big Data Processing for profiling of certain activities.
Now with the advent of “Right To Erasure”, GDPR holds out a great threat to the society by erasing vital information that is actually intelligence about potential terrorist activities.
I donot foresee any possibility of a terrorist to give consent in any form to let his activities be monitored either by Google or Face Book or the law enforcement. Whether a terrorist has made a recce trip to survey his target or is trying to campaign for radicalization of innocent friends on the Face Book etc become unavailable for intelligence gathering. Terror sleeper cells will therefore consider 25th May 2018 as a day of “Freedom from Oppression from Counter terrorist activities”.
It is to be expected that terror organizations operating from the EU zone will have an umbrella of protection from surveillance. Some of their activities may be directed towards the non EU countries and hence EU may become a haven for terrorists from which global terror activities would be planned and executed.
However, in due course, as terrorists take shelter in EU, it would be the EU countries themselves which would be affected most and in the coming two decades we can see EU countries being radicalized one by one.
I am not sure that EU regulators have taken adequate precautions in the direction of making GDPR immune from being misused by terrorists. Though National Security is a ground under which security agencies can cut free from GDPR regulations, in practice the restrictions would severely affect the capability of the security agencies to identify potential threats.
This sentiment has also been expressed by US homeland security officials I hope Indian authorities also flag this issue and ensure that Indian interests are fully protected in the context of EU countries becoming too rigid in the implementation of GDPR.
In case any citizen of EU is acting in a manner which could be detrimental to the interests of India, we need to assert that ITA 2008 provides the legal power to ensure that “Data Retention” norms and power of “Interception”, “Right to demand Traffic Data” etc may be exercised by the Indian authorities.
I therefore urge the Indian Government to issue an advisory that all Companies having an establishment in India or engaged in the monitoring of any activities in India are required to be compliant with ITA 2000/8 whether they are compliant with other regulations or not.
In order to ensure that business interests of outsourced operations is not affected, a system of “Special Data Processing Zones” on the lines of STPI are set up so that data entering into such zones are insulated and adequate protection measures are available to ensure that there is no mix up of “International Data Flow” with the “Local Data Flow”.
Government may consider a “Special EU Data Processing Zone” which is GDPR compliant but ensure that data flow in and out happens through a special gateway which can be secured as per the provisions of GDPR but also protecting the Indian interests.
Probably this concept needs further exploration but there is need for Privacy and Security Professionals in India to sit together and find a proper means of working that does not allow Privacy laws of EU or US or Singapore or Australia does not hurt Indian interests.