India need not adopt the onerous European General Data Protection Regulation

There is no need for India to adopt GDPR-like data protection laws as it will hinder local innovation. Historically speaking countries took their time to arrive at a standardised approach to IP law and we need to follow a similar approach - taking a tailored approach to data regulation that balances protection with fostering its burgeoning data industry.

This article was first published in The Mint. You can read the original at this link.

When the nations of Europe signed the Berne Convention in 1861, they were agreeing to accord reciprocal rights to authors of each others’ countries. But even as all of Europe was coming together, American publishers stayed away, refusing to acknowledge that non-resident authors had any copyright within the territory of the US. They wanted to treat the works of these foreign authors as unprotected “common" property so that they could publish their books without need for license or permission. And so, the US government, disregarding the entreaties of well-known British authors like Charles Dickens, sided with its domestic publishing industry. It was not until their own authors—Mark Twain and the like—suffered a similar fate at the hands of Canadian publishers, that the US enacted reciprocal copyright laws.

Over a century later, when the corporations of the US and Europe began to expand their operations into the developing world, they realized their technology was at risk of theft in the countries they were targeting as the local laws did not offer the same levels of protection that they were used to back at home.

Intellectual property (IP) jurisprudence in these developing nations was still at the stage that the laws in the US had been in the 1860s, when creative enterprises were still being offered considerable latitude. This did not suit the global ambitions of the Western world. So they used the World Trade Organization (WTO) trade negotiations to coerce the developing world into adopting Western-style intellectual property law, effectively preventing them from amassing IP assets in the same way that Western nations had before.

The West has always used the law to their advantage in promoting their technology agenda over the rest of the world. Once Europe and the US achieved primacy over creative innovation, they used this advantage to drive the industrial revolution, making sure that they maintained their superiority by enforcing legal restrictions on incremental innovation.

By all accounts, the data revolution will be as transformative of the human condition as the industrial revolution was and it seems as if the West is once again looking to capitalize on its early mover advantage. Even though this is just the beginning and the data technologies that will power our lives in the coming years are still in the process of being perfected, we are already beginning to see the patterns of the past repeating themselves.

There is no doubt that the Cambridge Analytica incident has shaken the global tech community. In its aftermath, Facebook’s Mark Zuckerberg publicly admitted that his company had a responsibility to protect user data, acknowledging that “if we can’t, then we don’t deserve to serve you". Facebook has reportedly begun to investigate apps that had access to large amounts of information from it with a view to imposing restrictions on the access of all third-party developers to its user data. Around the world, technology companies have begun to batten down the hatches, seeking to lock down personal data in order to prevent it from being misused.

All of a sudden, the European General Data Protection Regulation (GDPR) that was, until now, being spoken of as an overly prescriptive, compliance-heavy regulation, is being touted as an attractive option. Nations around the world are being advised to bring their laws up to European standards as that is the only antidote to big data.

Since India is yet to enact a full-fledged privacy law, we are being told that we have a golden opportunity to adopt the high standards of Europe so that we can inoculate ourselves against any future Cambridge Analytica-style attacks on our democracy. We are being advised not to learn from the mistakes of those around us and enforce, from the get-go, strict restrictions on the collection and use of personal data so that no one will be able to misuse our data to violate privacy.

I am not sure this is sound advice. I can see why this approach might benefit Western countries but I am concerned about the consequences of subjecting India to a law as onerous as the GDPR at this stage in its jurisprudential journey. We have only just begun to experience what it means to use data to drive our decision making and to witness for ourselves, the harms and benefits that this can cause. With the exception of our beleaguered national identity project, we have yet to create anything that even approaches the vast data repositories that the corporations and institutions in the West have been building for decades. This is not the time to introduce a regulation that imposes such a heavy compliance burden on our data industry that our companies are forced to shift their focus from innovation to compliance.

Instead, we need to find a way to impose sensible regulations that protect our data subjects from harm but which, at the same time, allows the industry to innovate and grow. It is possible—even likely—that none of the existing privacy frameworks around the world will be able to address our particular concerns. We might, as a result, need to develop a bespoke data protection regime that responds to the unique requirements of our data economy and the particular demands of the big data world we are about to enter.

I would rather we do that than blindly adopt the European GDPR. After all, the last time we were coerced into accepting the laws that were thrust upon us, things did not end so well for us.