Data protection regulation

The laws that govern the handling of our personal information have heightened importance in a data-centric polity. As social distance grows between individuals and the institutions that we navigate, our personal information begins to represent us in various spheres of life. Any misuse or unwanted disclosure of our information therefore begins to have not only immediate subjective effects (of pain or embarrassment) but also wider social and economic effects, as our personal data trickles through to the institutions and individuals with whom we interact. The debate around legal protections for informational privacy in India was re-ignited in 2017 following a constitutional challenge in the Supreme Court to the Government’s mass collection of personal information to create a national unique identification system (called Aadhaar). The recognition of a constitutionally protected right to privacy in India by the Supreme Court (among other developments) created momentum around a stand-alone data protection legislation, which was introduced into the Indian Parliament in 2019. During the course of the public consultation on India’s proposed Personal Data Protection Bill, 2019 (PDP Bill), the approach of the USA and the European Union repeatedly emerged as two distinct regulatory counterpoints for data regulation. While the European Union has developed an omnibus data protection regulation that applies across all Member States, the US has a patchwork of laws, rules and regulations on data protection which have developed in a more reactive manner. This chapter undertakes a comparison of the approach to data protection across India, the US and the EU. In doing so, the attempt is to compare the core principles of data protection in key legislations in these jurisdictions. The ultimate objective of this comparison will be to discern how each jurisdiction approaches the regulation of the relationship between an individual, their personal data and the data-processing entity.