Data is the new gold and future wars are going to be fought for this precious commodity, not in trenches or air but with computers from the confines of airconditioned offices.
I don't know whether my above prophecy will ultimately come true or not but today it seems likely. Before we go for a deeper dive in the issue, let us understand what is data.
Data in layman's language is collection of numbers, facts, observations, patterns, etc., and is collected for analysis. Data plays an important role in society and can be both quantitative and qualitative in nature. Data readable or processed by humans is called unstructured data and machine-readable data is called structured data. Structured data can be processed by machines or computers and different software, which include machine learning, automation, artificial intelligence, etc. Data privacy laws are concerned with unstructured data and management and protection thereof.
Another important kind of data in terms of digital data is ‘Big Data'. There is no set threshold or criteria which would qualify data as Big Data. Accordingly to Gartner's Glossary - Big data is high-volume, high-velocity and/ or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation.
The importance of data.
With the growth and cost optimisation of internet in the last few years, internet is more accessible and its penetration has increased rapidly in the society, leading to generation of unprecedented volumes of data. Coupled with development of technology, collection and processing of data of personal preferences, shopping habits, sexual orientation, etc. have given new tools in the hands of marketeers. Similarly, demographic data – peoples age, gender, income, religion, etc. – is very useful tool for both marketing companies and pollical parties for targeted campaigning and influencing election results. There is no end to use and importance of data and everyday new usages of data are being discovered everyday leading to mad scramble for collecting and making money out of data.
With banking and economy going online and every aspect of life connected digitally, globally governments started making laws in the last 7 – 8 years around data protection and validation on one hand and on the other activist rights group being conscious of power of data, started war on entities having access to large pool of data. Across the globe governments started taking note of potential of data race to protect and control data as a national resource.
At this stage it is pertinent to capture recent development in key global data protection laws.
The General Data Protection Regulation 2016 enacted on May 25, 2018 across European Union and European Economic Area, is the law on data protection and privacy, which also deals with transfer of personal data of residents outside of both these jurisdictions.
Presently, China does not have a comprehensive legislation around data privacy, which is administered through different rules relating to personal information protection and data security. While still working on a comprehensive federal legislation, China has enacted on June 1, 2017 the Cybersecurity Law of the People's Republic of China primarily to address the issues of cybersecurity and protection of data privacy, which has brought in large obligations on domestic network and infrastructure operators, etc.
There is no comprehensive federal legislation in the USA dealing with online or digital data regulation and privacy. However, there are sectoral federal legislations dealing with personal information, healthcare and health-related information, and information relating to children; unfair usage of customer data and deceptive business practices; protection of patients and medical records; and to protect online information of children. Various provincial governments of the USA are now bringing their own specific data protection legislations, while some have already enacted.
India too currently doesn't have a specific law for data protection, while sectoral regulations are in place for decades like – for banking and financial institutions; the Information Technology Act, 2000 and rules thereof covering a wide gamut of field including digital signature, protection of personal sensitive information, Critical Information Infrastructure, confidentiality of customer data, etc.; and llocalization of customer data, payment sensitive data and transaction data of customers of payment entities. In this regard the Federal Government constituted Justice BN Srikrishna Committee gave its report in July 2018 along with draft Data Protection Bill, which was introduced in the Parliament the same year. However, revised Personal Data Protection Bill, 2019 was introduced in the Parliament on December 11, 2019, which has since been referred to Joint Parliament Committee, where is still being debated.
The development of privacy laws around the world has neither followed a standard pattern nor introduced around the same time. The staggard and uncoordinated approach of data protection laws of different countries have led to conflicting provisions causing much pain and adding to cost of compliance for global entities having operations in multiple jurisdictions. What is private data may fall in public data in other jurisdiction(s). The situation is further compounded by different privacy standards and approach to data localization norms in different jurisdictions.
Data localization means data of residents or citizens of a specific jurisdiction must be dealt and processed within territorial limits of that jurisdiction itself, and cannot be transferred to other countries.
The striking feature of all data legislation enforced so far globally is in diversity of treatment of privacy, processing and holding of data. Some countries have kept data localization compliances very stringent and conflicting with other jurisdictions' data localization norms, others don't have any data localization regulation at all or have very different approach to data localization. This has not only badly hurt compliance programme of multinational entities having global operations but also added significant costs of compliance. While handling data of employees, customers and other business partners, multinational entities have to routinely transfer data to regional hubs or corporate office, diversity in local data privacy laws have stymied these activities. Further, in the eventuality of any internal investigation for ethical violations or for any other reason– whether in house or by external consultants – data of employees or vendors have to be consolidated at one place for review. All these activities pose challenges of compliance with local data privacy legislations, where such persons are located in different countries.
The GATT Agreement in 1994 led to the creation of the World Trade Organisation (WTO), which is the global body to regulate international trade and deal with protectionist measure to ensure free and fair international trade. ‘National Treatment' under the GATT Agreement, ensures that nations do not discriminate between foreign and domestic goods and must treat similar goods similarly. However, hidden measures in many data privacy legislations have in-built protectionist measures, which defeat the very purpose of National Treatment of the WTO. Hence, there is dire need of an international body to bring in consistency in data protection legislations of member countries to bring in harmony and pari materia treatment of data collection, sharing with others and protection thereof.
It is not out of place to say that impact of diverse data protection laws of different countries have wider ramifications not only for multinational entities but also for residents thereof. There is already trade war going among many nations and now diverse data practices have also added another dimension to disputes among them. Already many governments are accusing other governments of data theft and cyber-attacks, in full public view. Further, data mining and processing practices of many large global players are under investigations by various governments. Some of these investigations are on account of genuine concerns and some other for local or political compulsions, which is not fair.
Further, cheaper availability of internet, rolling out of 5G and now with the possibility of satellite based internet services being introduced in couple of years, data is going be much sought after commodity - more precious than gold. Global entities which have access to large volume of data; be it e-commerce companies, social networking companies or global brands; they all have inherent advantage and are sitting on data gold mines are ready to monetise them. While these entities have legitimate rights to mine and monetise such data having made huge investment in creating infrastructure to collect and manage the same, they do not have unfettered rights to infringe functioning or influence decision making of sovereign governments. A fine balance has to be struck between data mining and monetising, and abuse thereof. Similarly, governments should also look at governance and protection of citizens' rights and not unnecessarily put fetters in legitimate business practices.
The way trade laws and processes have been standardised under the WTO, the global community has to come together and either entrust the WTO or create a similar specialised body like World Data Organisation to ensure harmony and minimum common compliance standards among data laws of various nations. Till this happens we will continue to be struggling with data mining and management thereof, in addition to privacy issues, and war mongering among nations.
1 Author is partner with Ashok Dhingra Associates, Gurgaon, India, and views expressed here are strictly personal.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.