In May 2018, the regulatory framework around digital identity underwent a transformation with the enforcement of the General Data Protection Regulation (GDPR). A European Union (EU) regulation dealing with data protection and privacy for persons in the EU and the European Economic Area (EEA), the GDPR also impacts the transfer of personal data outside the EU and EEA. Before the GDPR came into existence, regulatory oversight over the use of personal data shared by individuals (primarily over the internet) was practically non-existent. The GDPR has tried to introduce new regulatory tools and seeks to create a balance between the degree of control that individuals have over their personal data and the complexity of regulatory compliance for international businesses.
It would be a mistake to classify the GDPR as solely an EU law, for its scope extends beyond enterprises established in the EU/EEA to any enterprise that processes personal information of individuals in the EU/EEA, regardless of the location of the enterprise or the citizenship of the individuals whose data is being processed (also referred to as “data subjects”). This complex regulatory arrangement, therefore, effectively impacts any business with any interests in the EU. As Indian enterprises go global and engage more deeply with the collection, production, processing, and consumption of data, they are naturally impacted by the GDPR too. This means that businesses with operations that fall within the scope of the GDPR must properly understand the GDPR and ensure compliance, so as not to fall foul of the law.
In this regard, a new book titled ‘Data Protection Laws Demystified’, co-authored by Anghrija Chakraborty, Ashima Obhan and Amar K Sundram is a timely and important publication and serves as a guide for different types of stakeholders affected by the GDPR.
The book has three distinct parts. In its first part, it is designed as a manual that explains basic but important concepts that are fundamental to the working and enforcement of the GDPR, such as data subjects, automated decision-making, data controllers, data processing registers, and so on. This section forms the bulk of the book and, arguably, has the most practical information for readers, for it contains checklists of to-dos for various stakeholders. Audiences that will find this particularly useful include legal advisors and practitioners, especially those with a client portfolio that includes businesses with EU exposure or interests; in-house counsel in such businesses; data controllers; professionals or businesses required to maintain client confidentiality (such as chartered accountants, or telecom, e-commerce and fin-tech businesses); and potentially, even architects involved in designing the technical frameworks around data collection and processing.
The second part of the book is a reckoner of sorts on the (limited) law and regulation around data protection and data privacy in India. A large part of this section is devoted to a discussion on the Srikrishna report that proposed a draft of a Personal Data Protection Bill for India, and critiques and responses and developments since the report came out in 2018. This section also discusses other related regulatory areas, such as DNA technology, finance, and telecom, besides laws such as the Information Technology Act, 2000, and the Aadhaar Act, 2016. For those seeking to understand the intense debates around data privacy regulation in India over recent years, this serves as a brief introduction to the various issues.
The third part of the book is a review of the status of data protection and related laws and regulations around the world. With the GDPR having considerable ‘first mover’ advantage on the issue, this section is essentially a peep into how other jurisdictions are imitating or distinguishing themselves from the GDPR. This section is very topical and updated to the latest developments. Copiously footnoted throughout, the book references material from international industry leaders and makes it accessible to Indian audiences.
The utility of the book goes beyond the subject itself. Many books that set out to be manuals can lose their audiences by indulging in verbiage and bad presentation. This book stands out on both counts. A signature of the book is its uniform tone: it is clear and precise throughout. This is no surprise, for it is written by practitioners, and therefore, understands its audience well. Some slang (e.g., ‘all that jazz’) could have been avoided, but minor quibbles should not take away from the book’s usefulness. The checklists of to-dos clearly point out which category of stakeholders they are directed at, or useful to. For example, specific guides are directed at different roles within organisations, such as recruiters or persons responding to data access requests. And the checklists are printed in a way that they can actually be replicated and used directly, which is a sign of thoughtful typesetting and publication. Tables making distinctions between pre- and post-GDPR compliance requirements make it easy for stakeholders to understand precisely how they need to change.
For the present, the book is updated to the latest developments. But, as time goes by, with both the technology and the law undergoing rapid evolution globally, this book will certainly require regular updating to remain relevant. Similarly, case law references are (obviously) limited now, but will surely change in the very near future, and impact the implementation and enforcement of the law. Since data protection and data privacy are an emerging area of practice, newer questions and problems are bound to come up over time. If a future edition is contemplated, an online forum for posing such questions would be useful, with the answers to the questions being provided in the later edition. An online resource containing the various checklists could also be a useful addition.
The book has limited critical engagement with the many policy, political, economic, moral or ethical questions around data privacy and protection. But the book’s primary objective is to be a ready reckoner for practitioners, particularly those in the daily grind of regulatory compliance, who will have limited inclination or practical necessity to engage with a critical commentary on the subject. Instead, the book is an introduction to the key issues around the subject, and explains fundamental concepts. For an in-depth understanding, interested readers could use this as a starting point, and explore other texts.
Data privacy can be an abstruse subject for many, even those already familiar with the law or the technology, and certainly, it is a hard subject to translate into readable language. The authors have been successful in this regard. It is a very well written and well-presented book, easy to read, using a light, conversational tone, and simple and clear sentences, and equally importantly, attractively-priced. These are all fundamentally important aspects of technical writing that many other books of this genre tend to ignore or forget. This book will surely be an important addition to the libraries of professionals and others working or interested in data privacy and protection.
Sumathi Chandrashekaran works as a policy lawyer.