International Policy for Data Protection – A Pipedream?

The political and cultural makeup of a society has affected the evolution of domestic policies, human rights and legislation, as societies weigh the probability of the occurrence of an event against the possible outcomes based on currently available information, public mindset, changes in perception and shifts in cultural biases.

A recent case in point in India is the set of changes introduced in laws relating to crimes against women after nationwide public outrage and angst over the brutal gang rape reported in the capital city of the country. For a society that sees women differently or prefers not to look at them at all, these amendments are evidence of a shift in perception and in the cultural silence that existed regarding violence against women (Heise et al., 1994). The shift in the cultural perception of the dignity and equality of women, and of the risks associated with not protecting them, has pushed the government in power not only to reform existing laws but also to fast-track cases relating to violence against women (India. The Criminal Law (Amendment) Act, 2013, Act No 13 of 2013).

This essay explores the issue of cultural differences in risk perception and why and how international cyber policy should consider them. Due to the word limit, the scope of the essay is restricted to the perception of risk and the protection of personal information as viewed by different cultures, in particular India and the UK. After discussing the cultural differences in the perception of risk, this essay concludes that such differences ought to be considered while aiming at a holistic international cyber policy and the harmonization of data protection laws, so that all the stakeholders can abide by such policy in letter and spirit.

What is Risk Perception?

To understand the full ambit of the term risk perception, it is important to set the context by defining the terms risk and risk assessment. One of the definitions of risk is the “probability of a particular adverse event occurring during a stated period of time and its detrimental effect” (Breakwell, 2009). As per the author, risk is defined in terms of two dimensions, which are probability and effect. The detriment is a numerical value of the expected harm or loss suffered due to the adverse event, which may be quantified in terms of money, loss of business or any other such tangible measure (Adams, 1995). This is the definition of scientific or objective risk, which is capable of measurement or quantification. However, there is also a subjective component of risk, which cannot be straitjacketed and depends on public opinion that weighs risks and makes decisions.

Risk assessment is risk estimation and evaluation. Risk estimation has to consider two probabilities: first, the probability of occurrence of a hazard, and second, the probability of occurrence of the specific detrimental effects (Breakwell, 2009). There will be several interpretations as to what is harmful, and the assessment of harm will depend on the degree of acceptability of the harm or the outcome. This assessment of risk will vary across individuals and societal institutions (Bernstein, 1996).

While risk assessment can be systematic and methodical, giving a near-accurate number quantifying risk, risk perception is intangible. Risk perception is the attitude towards risks and hazards and the judgments made about them. Risk perception is subjective, whereas risk assessment attempts to systematize the estimation and evaluation of risk such that subjectivity is excluded as far as possible. This element of uncertainty, or the subjective element of risk, is addressed socially or culturally by the way people perceive hazards. Further, this public perception of risk is not simply the sum of individual reactions to specific events but is shaped by social and cultural influences (Douglas, 1986).

Are there cultural differences in perception of risk?

As observed by Douglas (1986), people’s response to risk includes a subjective element of judgment. Culture is one of the factors influencing that judgment. The culture of a society establishes identity and values such as human rights, diversity, equality and privacy. It also plays a role in the interpretation of statutes. Changes in the social fabric, cultural biases or beliefs act as catalysts for the progressive interpretation of statutes to set precedents that are in harmony with the social and cultural context of a country. In India, in the case of Naz Foundation v. Govt. of NCT of Delhi & others, WP(C) No. 7455/2001, decided on 2.7.2009, Section 377 of the Indian Penal Code, which criminalizes homosexuality, was declared unconstitutional by the Delhi High Court (Naz Foundation, 2009). The judgment was later set aside by the Supreme Court, inter alia on the technical ground that the amendment or repeal of S. 377 is to be considered by Parliament and not by the judiciary (Monalisa, 2013). While there was a huge public outcry against the Supreme Court ruling, some political parties lauded the decision, stating that it upholds Indian culture, which was a completely ill-informed and misplaced remark. The IPC came into force in 1862 under British rule in India, at a time when the ‘Kamasutra’ recognized homosexuality as an acceptable sexual practice, and hence the law clearly reflected the cultural norms of the British in that period. The UK later, in the year 1967, decriminalized sexual acts in private for those above the age of 21 under the Sexual Offences Act of 27 July 1967 (Agarwal, 2014). From the public reaction to the Supreme Court ruling, it can safely be stated that India is on the verge of abolishing the section and it is now only a question of time. What the world saw as a risk is no longer the truth in the light of changing societal values and international human rights law regimes.
The influence of culture on the perception of risk is amply demonstrated by this case study.

That people from different countries perceive risks differently is further corroborated by a study which reveals that Hungarians perceive relatively greater risks from common hazards such as railroad or home appliance accidents, whereas people in the USA were more concerned with high-technology hazards caused by radiation or chemicals (Englander et al., 1986). However, another study contradicts these findings, stating that there are cross-cultural common elements of hazard perception, and that it cannot be concluded whether the differences in hazard perception are a function of culture or of some complex combination of other factors, such as differences in direct exposure to the hazard, differences in the political or economic context in which the hazard is generated and controlled, and differences in the availability of information about the hazard (Rohrmann, 1991).

The cultural theory of Wildavsky (1993) states that what societies choose to call risky is determined by social and cultural factors and is influenced by an individual’s prior preferences and interests. He further adds that culture explains the preferences people have for different ways of life and the way they justify their actions, and these in turn determine their priorities in choosing what to fear. People choose what to fear in order to defend their way of life or culture. Hence cultural biases prioritize the risks. Four types of cultural bias have been identified by Douglas (1986): hierarchists, egalitarians, fatalists and individualists. Members of a hierarchical culture approve of technology, provided it is certified safe by experts. Individualists are predicted to view risks as an opportunity and will therefore be optimistic about technology. Fatalists do not knowingly take risks but accept that they will be subjected to them. Egalitarians will suspect technology, considering it a part of the machinery that maintains inequalities that harm society and the environment. However, Sjoberg (1997) has reviewed the empirical work on cultural theory and risk perception and contradicted it, concluding that there is very little quantitative evidence that cultural biases are strongly predictive of risk perception.

Another study, conducted by Hofstede (2001), defines national culture as the values, beliefs and assumptions learned in early childhood that distinguish one group of people from another. In the said paper, the Power Distance index and the Individualism index are discussed as expressions of national culture. Power distance is a measure of the interpersonal power or influence between the superior and the subordinate as perceived by the subordinate, the less powerful of the two. The analysis shows that the UK has a power distance score of 35 while India’s score is 77. Hofstede has concluded that India has a significantly lower Individualism Index (IDV) and as a society is ‘collectivist’ in nature as compared to the UK or the US, which are individualist societies with a higher IDV. A typical feature of an individualist society is that the individual is placed on a higher footing than the society or the society’s collective interest. Douglas and Wildavsky (1983) make a very interesting argument that the more affluent a country becomes, the more averse it becomes to risk.

There will never be a risk-free environment. Risk can be managed by assessing the vulnerabilities to which life is exposed and the impact they may have. Risk perception guided by cultural orientation is one of the key elements in risk management, as it has a direct bearing on impact analysis. In the international policy arena, where several countries express their intention to co-operate and collaborate for a common purpose and for the common public good of all the stakeholder countries, the cultural orientation of the stakeholder countries will be an important consideration while drawing consensus on a particular issue, especially in the cyber policy arena, where technological advancements have a massive impact on the economic growth of countries. The issue in the context of this essay is whether countries having different risk perceptions influenced by cultural orientation have some common ground relating to personal privacy and personal data protection which may be addressed during policy making.

Why should the international cyber policy consider the cultural differences?

Having concluded that there are cultural differences in the perception of risk, it is necessary to examine the issue of protection of personal data and the way in which India and the UK have perceived the risk and addressed or managed it. Once the differences are identified, searching for a common ground for international understanding will be easier. As early as the year 1972, the Younger Committee gave a recommendation for legislation for protection against intrusion into the personal privacy of individuals and suggested 10 principles for the use of computers for processing personal information. As per the report, people feared that the government might collect and store personal data in a huge database, and feared its possible misuse. Thereafter the Lindop Committee recommended the creation of a regulatory authority, or Data Protection Authority, for overseeing the implementation of data protection. The Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data were adopted by the OECD in the year 1980, and immediately thereafter came the Council of Europe Data Protection Convention, which contained broad guidelines for the safety and control of information stored and processed on computers. The said guidelines provided for the safety and security of sensitive personal information stored and processed, and prescribed legal sanctions in case of a breach. Sensitive personal information inter alia included race, health, religion, sexual life and criminal record. Cross-border transfers of information were also strictly regulated, and only countries with equivalent data protection laws could ratify the Convention. Data could be transferred outside any of the ratifying countries only under certain restrictions. The UK enacted its Data Protection Act in the year 1984 and implemented the directive of the European Commission on data protection (Directive 95/46/EC) by enacting the Data Protection Act 1998 (Centre for Information Rights Law, Northumbria University, 2010). This legislative history of data protection in the UK clearly indicates that protection of personal privacy means protection of personal data against unauthorized use and disclosure, and strictly concerns informational privacy, which deals with the collection, use for purpose, storage, transfer and processing of personal data.

The history of privacy legislation in India indicates that privacy refers to privacy in terms of personal space and the protection of democratic values such as liberty, justice, human dignity, individuality and family life. Several judicial decisions have established that the Right to Privacy is enshrined in the Right to Life guaranteed by the constitution, which means a right to life without government interference, subject to reasonable restrictions (Kharak Singh vs. State of Uttar Pradesh (1964) 1 SCR 332). The Information Technology Act 2000, enacted in 2000 and amended in 2008, has made provisions for the protection of sensitive personal information by a body corporate and has prescribed criminal and civil liabilities in case of unauthorized use or unlawful disclosure.

A comparison of the legislative histories of the two countries on data protection amply demonstrates that the concepts of privacy in the two countries are diverse.

As per Milberg (2000), “a country’s cultural values are known to affect a population’s attitudes toward privacy and are associated marginally with its regulatory approach”. The perception of personal privacy and the risk perception of loss of personal data gave rise to a privacy interest or right recognized by law. However, in India, people’s perception of privacy is predominantly associated with bodily privacy or territorial privacy, and hence it is protected by the relevant legislation that caters to these perceptions, such as ‘Art. 14’ of the Constitution and the Indian Penal Code. Privacy in India is not about informational privacy or data protection or about the economic value of that information. A report published by the School of Computer Science at Carnegie Mellon University reiterates the difference between the UK’s and India’s perception of privacy (Ponnurangam et al., 2005). As per the said survey, Indians responded to questions on privacy stating that ‘privacy for me is my personal territory’ and ‘personal privacy.’ The report confirms that Indians are more concerned with a different dimension of privacy, and so it cannot be concluded that Indians value privacy less than their western counterparts.

The magnitude of information generation, and of its collection, use, storage, processing and sharing due to technology, together with the way it is being used in decision making, has changed the way in which the world does business. Trans-border exchange of data across countries, either under a contractual obligation such as an outsourcing contract or otherwise, has naturally raised a concern about its protection, as two diverse concepts of privacy, and the perceptions of risk associated with the collection, use and disclosure of personal information, have to be addressed on some common ground (Basu, 2010).

Since India does not have a legislative or judicial history of informational privacy, understood as data protection in the digital environment, it is seen as an economic issue that needs to be addressed if India wants to continue reaping the benefits of the outsourcing market and of trans-border data flow and exchange. Due to these market forces, the IT Act 2000 underwent an amendment in the year 2008 to include provisions for the protection of sensitive personal information.


With increasing inter-country dependencies and cross-border flows of information, it is imperative for collaborating countries to agree on a common understanding that will protect the interests of all the stakeholders. Cultural differences and risk attitudes will play a major role in articulating this common understanding when stakeholder countries are making genuine attempts to arrive at a solution. Though a country with more economic stability will have an upper hand while working out a solution, any inequitable understanding will not be as effective as it is required to be if the cultural and societal attitudes and risk perceptions of all stakeholder countries are not considered. If India does not have any cultural or legal background of protection of personal information or of informational privacy, no amount of ‘borrowed’ legislation will harmonize with the mindset of the legislators, judiciary or executive. However, if a country like India wants to derive economic benefits from cross-border cyberspace transactions and also secure its own cyberspace, an alternative machinery needs to be developed, which may include industry standards, contractual obligations, arbitration procedures and an understanding between countries for the effective execution and enforcement of arbitral awards. On the other hand, international cooperation in building awareness of cyber security, and information sharing on best practices for cyber security and information assurance, will accelerate the learning process of the stakeholder countries in building a safe and secure cyberspace.


Lori L. Heise, Alanagh Raikes, Charlotte H. Watts, Anthony B. Zwi (1994) ‘Violence against women: A neglected public health issue in less developed countries’ Science Direct – Social Science and Medicine 39(9) pp. 1165-1179 [online] Available at: (Accessed: 30.4.2014)

India. The Criminal Law (Amendment) Act 2013, Act No 13 of 2013 (2014) [online] Available at: (Accessed: 30.4.2014)

Breakwell, G.M. (2009) ‘The Psychology of Risk’ UK: University Press Cambridge

Adams, John (1995) Risk and the Royal Society. UK: UCL Press

Bernstein, P.L. (1996) Against the Gods. The remarkable story of Risk. USA: John Wiley and Sons

Douglas, M. (1986) Risk Acceptability according to social sciences. London: Routledge and Kegan Paul

Naz Foundation (2009) [online] Available at: (Accessed on: 30.4.2014)

Monalisa (2013) Supreme Court upholds Sec 377 criminalizing homosexual sex. livemint and Wall Street Journal, 05 May. Page – policy [online] Available at: (Accessed on: 30.4.2014)

Bina Agarwal (2014) India: Whose law is it anyway? 6 Jan 2014 [online] Available at: (Accessed on: 30.4.2014)

Englander, T., Farago, K., Slovic, P. and Fischhoff, B. (1986) Comparative analysis of risk perception in Hungary and US. Social Behaviour 1, 55-66

Wildavsky, A. (1993) The Comparative Study of Risk Perception: a beginning. In Bayerische Rück (ed.) Risk is a construct (pp. 89-94) Munich: Knesebeck

Rohrmann, B. (1991) A survey of social scientific research on risk perception. Studies on risk communication, 26, 1-56

Sjoberg, L. (1995) Explaining risk perception: An empirical and quantitative evaluation of cultural theory. RHIZIKON: Risk Research Report 22

Geert Hofstede (2001) Culture’s Consequences: Comparing values, behaviours, institutions and organizations across nations, 25-26

Sandra J. Milberg (2000) Information Privacy: Corporate Management and National Regulation II Org SC, 35, 39

Subhajit Basu (2010) Policy making, Technology and Privacy in India. The Journal of Law and Technology 6, 65-88 [online] Available at: (Accessed on: 4.5.2014)

Ponnurangam, K., Lorrie F.C. and Elaine, N. (2005) The Privacy perceptions in India and the United States. An Interview study. School of Computer Science, Carnegie Mellon University, Pittsburgh, Pennsylvania [online] Available at: (Accessed on: 4.5.2014)

Centre for Information Rights Law (2010) History of Data Protection Legislation [online] Available at: (Accessed on: 4.5.2014)

Douglas, M. and Wildavsky, A. (1983) Risk and Culture. London: California Press Ltd

Kharak Singh vs The State Of U. P. & Others on 18 December, 1962. [online] Available at: (Accessed: 5.5.14)