The landscape of the converging forces of digital economy of today is of an ever-changing nature marked by an exponential augmentation of disruptive innovations, both in number and their sphere of influence. However, as digital disruption grows while making everyday life more accessible, concerns regarding data handling and privacy are on the rise subsequently.
By delivering its judgment in the case of Puttaswamy[i], the Supreme Court formally recognised the Right to Privacy as a fundamental right flowing primarily from Article 21 of the constitution. Hence, the Personal Data Protection Bill, 2018 has been introduced by the government to subject the concerned actors to a horizontal application of the right to privacy. It was much required because Right to privacy is not a deontological right of an isolated individual but is instead essential for the attainment of the common good.[ii]
The further sections deal with the inherent challenges related to jurisdiction and applicable law (collectively referred hereinafter as inter-legal challenges) and how they have been dealt with by the India regime on Data Protection.
Inter-legal Issues involved with Data Protection Laws
“Jurisdiction” is primarily defined as the power to determine the rights and obligations of the parties involved in a dispute.[iii] With respect to the present article and its purview, we are concerned only with the prescriptive jurisdiction i.e. the power to make laws applicable upon the parties.
Prescriptive Jurisdiction is exercised on the grounds of following principles[iv]:-
Territoriality,
Nationality,
Protective,
Universality,
Passive Personality,
Effects Doctrine or Objective Territoriality.[v]
In any case submitted for adjudication, there are two inter-legal issues to be decided, namely, –
Jurisdiction of a court or authority- This question largely relates to public law and if the jurisdiction of a court or authority is once finalised, then the law of the land (Lex fori) is applied.
The law to be applied (lex causae)- It is decided within the sphere of private law following two steps, namely, first- identification of the specific area of law and second- the relation of the specific area of law with the country of the forum. For instance- the use of principle lex locus deliciti commissi (the place where the damage took place) in cases of liability.
Adjudicatory authorities by the usage of the above-mentioned normative steps, sometimes assisted by the closest connection principle, are able to resolve inter-legal questions surrounding traditional laws. However, in cases of data protection laws, the same cannot be said.
For instance-
Consider a flight travel information system operating out of a database maintained in country X. Now, in case the data is transferred by the Operating entity to a third-party in country Y which subsequently violates it. Then the question regarding the application of a particular data protection law leads to positive conflicts of authority. As regards a claim of violation, the countries from whose terminals data regarding the timings, registration, etc. of the flights is accessed, country X (state where the operator is based) and country Y (where actual damage took place) all three have legally tenable claims based upon the above principles.
The inherent jurisdictional issues involved in the application of data protection laws can also be understood as:
With regard to the application of certain important conventions and instruments, it becomes important to determine whether a particular law falls within public or private law[vi], however, the same cannot be said with certainty in case of Data Protection Laws. A data protection law “will typically contain provisions of a public law nature, relating to an authority and its duties and decisions. But the law will also often include civil law provisions, typically on liability for data protection violations. Following the traditional method, different aspects of one case may then have to be decided by different lex causae, which easily may lead to distortions as the legislation is conceived as an organic whole where the different provisions support an appropriate solution.”[vii]
In cases involving parties of multiple nationalities, the courts generally take into consideration the geographical place of the incident. As established in the SS Lotus case[viii], whereby it emanated that extra-territorial exercise of jurisdiction by countries is not welcome, however, “it leaves them in this respect a wide measure of discretion, which is only limited in certain cases by prohibitive rules”. And in the context of Data Protection Laws, associating incidents of violations to a particular jurisdiction can only be incidental and requires other concrete links too. Such a complexity surrounding the application of data protection laws has so far prevented the development of a comprehensive International Framework on Data Protection.
The Data Protection Laws have their origin in Human rights and Consumer laws, which lead to certain courts and enforcement authorities to regard its rules as order publique (laws which are applied nevertheless), making their application more difficult.
Jurisdiction as Established under Indian Law
Section 2(1) of the Bill[ix], states that:-
Any processing of Personal data within the territory of India, and
Any processing by State, Indian Company, Indian citizen or any entity incorporated under Indian Law,
shall be subjected to the jurisdiction of the Data Protection Bill. Introduction of such a section conferring a broad jurisdiction upon the Bill follows on the lines of EU GDPR[x].
Further, section 2(3) of the Bill provides an exception to the processing of non-personal data with an explicit exemption provided to anonymous processing activities.
Section 2(2) of the Bill confers upon it extra-territorial jurisdiction over a data fiduciary and a data processor not situated within the territory of India in the following two cases-
The processing done is connected to a commercial activity undertaken in India or any directed and systematic offering of services to data principals within India,
The processing activity is in connection to the profiling of data principals within India.
The above clause follows upon the line of Article 3(2) of the GDPR[xi], hence, it applies to any person within the territory of India irrespective of his/her nationality or domicile.
Thus, a corporation whether incorporated in India or not, is subject to Indian law if it carries out processing activities in India. It is a deviation from the GDPR and the SPD[xii] rules which warrant an establishment within the respective territory.
Section 2(1)(a) of the Bill establishes the jurisdiction of the Indian Law over the mentioned processing activity by application of the principle of territoriality. It includes the acts committed on the territory of the State concerned[xiii] or an essential element of the act taking place.[xiv]
Section 2(1)(b) of the Bill brings processing by Indian entities and state done anywhere worldwide, within its ambit by the application of the principle of nationality. Under the APEC Principles[xv] this principle is only used to decide upon the issues which involve the transfer of data to a third party.
Section 2(2) provides extra-territorial jurisdiction by virtue of the effects principle (“conduct outside the state has an effect inside state”)[xvi]. It is one of the most controversial basis for the establishment of jurisdiction especially in the context of Internet activities in a digitalised economy ‘where everything has an effect on everything’[xvii]. It was the reason behind the controversial nature of Art 4(1)(c) of EU Directives[xviii]. However, the same has been attempted to be taken care of by the Indian Bill by precluding an ad-hoc or non-serial collection of personal data of data principals within India.
Also worth mentioning is the data localisation provision under the Bill[xix], which requires the data fiduciary to keep a copy of the data within the territory of India. This provision may also lead to certain disputing claims over jurisdictions in future. An example for the same can be witnessed in the SWIFT case[xx] wherein we can witness the willingness of the data protection authorities to assert their jurisdiction over foreign entities.
Moot Point:- A data fiduciary claims his/her rights have been violated by a foreign data processor it holds no contractual relation with, and also demands compensation. How is the Indian law to be applied in such a situation especially when we are not signatories to mutual cooperation treaties like Lugano Convention?[xxi]
Conclusion
The field of Data Protection is fairly recent when compared to other fields of law. However, it needs to be noted that application of a law and assertion of jurisdiction work together, hence, it is important to develop the data protection regimes worldwide in a harmonious fashion. The EU GDPR guidelines are a strong step in this direction and a lot of countries are already making or have already made necessary amendments to their national legislations. However, intricate questions regarding jurisdiction in Data Protection can only be resolved with a wholesome cooperative attitude being adopted by the lawmakers worldwide.
[i] Justice K.S. Puttaswamy (Retd.) v. Union of India 2017 (10) SCALE 1.
[ii] Lee Bygrave, Privacy Protection in a Global Context–A Comparative Overview , in Peter Wahlgren (ed), Scandinavian Studies in Law 319 (Stockholm Institute for Scandinavian Law 2004).
[iii] Andrew Keane Woods, Against Data Exceptionalism, 68 Stanford Law Review (2016) at pp. 765-773.
[iv] Jurisdiction with Respect to Crime, 29 American Journal of International Law (1935) at p. 519. Described herein with respect to cross-jurisdictional issues raised in criminal law cases.
[v] Mika Hayashi, The Information Revolution and the Rules of Jurisdiction in Public International Law, in Myriam Dunn, Sai Felicia Krishna-Hensel, and Victor Mauer (eds), The Resurgence of the State 59, 74-75 (Ashgate 2007). The Internet has extinguished the difference between a message being seen in a foreign territory and its effects.
[vi]Pippa Rogerson, Article 1, in Ulrich Magnus and Peter Mankowski (eds.) Brussels I Regulation (Sellier European Law Publishers 2007) 51.
[vii] Jon Bing, Data Protection, Jurisdiction and the Choice of Law, (1999) Privacy Law & Policy Reporter 92 available at http://www.austlii.edu.au/au/journals/PLPR/1999/65.html accessed on 18 December 2018.
[viii] PCIJ, SS Lotus (France v Turkey), PCIJ Reports, Series A, No 10, p. 19 (1927). The case may have been criticised but it still remains an influential authority upon a question of extra-territorial jurisdiction.
[ix] Personal Data Protection Bill, 2018 s 2(1).
[x] EU Regulation 2016/679 (General Data Protection Regulation) OJ L 127.
[xi] ibid art 3(2).
[xii] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
[xiii] Cedric Ryngaert, Jurisdiction in International Law (Oxford University Press 2008) 187.
[xiv] International Law Commission (ILC), Report on the Work of its Fifty-Eighth Session UN Doc A/61/10, Annex E p 11.
[xv] APEC Privacy Framework (2005).
[xvi] Dan Jerker B. Svantesson, Private International Law and the Internet (Kluwer Law International 2007) 1.
[xvii] Thomas Schultz, Carving up the Internet: Jurisdiction, Legal orders, and the Private/Public International Law Interface (2008) 19 European Journal of International Law 799, 815.
[xviii]Directive (EC) 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31.
[xix] Personal Data Protection Bill, 2018 s 40.
[xx] Belgian Privacy Commission, Decision of 9 December 2008 in the SWIFT Affair. Unofficial English translation at <http://www.privacycommission.be/en/static/pdf/cbpldocuments/a10268302-v1-0 151208_translation_recommswift_fina.pdf>, p. 167.
[xxi] Lugano Convention 1988.
By- Prashant Kaushik and Alok Bharadwaj, 3rd Year Students, Dr. Ram Manohar Lohiya National Law University (RMLNLU)