India is at a crossroads of a major debate around technology and privacy. The historic Puttaswamy judgment last year, passed by a nine-judge constitution bench of the Supreme Court, emphatically held that the right to privacy is fundamental, and recognized the urgent need for a data-protection law.
The nine-judge bench convened after the government argued in an Aadhaar-related case that privacy was not a fundamental right under the Indian constitution. Aadhaar is an ambitious project to issue a digital identity to every resident of India. The Supreme Court overturned past judgments by stating unanimously that privacy was indeed a fundamental right, as enshrined in the constitution.
The Ministry for Electronics and Information Technology (MeITy) set up a committee headed by former judge, B N Srikrishna, to address the growing clamor for privacy protections at a time when projects like Aadhaar pose major risks of mass surveillance. However, that proposed data-protection law will be only the first step in what needs to be done to ensure a robust privacy regime in India. The Srikrishna Committee is in the process of providing its input, which will go on to inform India’s data-protection law.
A working data-protection system would comprise a strong law, an assertive regulatory authority, data controllers committed to compliance, market incentives to comply, a vigilant and activist citizenry and use of privacy-enhancing technologies.
Many data-protection frameworks in other countries go back to the late Columbia University professor Alan Westin’s idea of privacy as the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. Westin was one of the world’s first scholars to study the importance of privacy in societies and his work is regarded as pioneering in an area that was barely discussed at that time.
As a result of his work, most robust data-protection frameworks follow this pattern – inform individuals what data you wish to collect or use, give them a choice, secure data with technologies and procedures, use data only for the purposes declared (purpose limitation) and be subject to enforcement if you fail to comply with these requirements.
The simplicity and elegance of this paradigm is that in one fell swoop, it seeks to ensure that consent is informed and free, and thereby also to implement an acceptable trade-off between privacy and competing concerns
The simplicity and elegance of this paradigm is that in one fell swoop, it seeks to ensure that consent is informed and free, and thereby also to implement an acceptable trade-off between privacy and competing concerns. This approach is also easy to enforce for both regulators and businesses. Data collectors and processors only need to ensure that they comply with their privacy policies, and theoretically, consumers have the information required to exercise choice.
However, in the past few months, there have been growing voices to move beyond the principle of consent.
In a recent discussion paper, Rahul Matthan, a technology lawyer, put forth the idea that we might want to look beyond consent while framing a privacy-law framework in India. His primary argument is that consent does not work in the age of big data. The notice-and-consent framework is often rendered meaningless by (a) long and complicated privacy notices that provide blanket consents to the data collectors, (b) ubiquity of data collection and sharing through online services, smartphones and Internet of Things devices, and (c) big-data-enabled analysis that brings together disparate data points to create an intimate picture of a data subject.
Having said the above, revisiting the principle of notice and consent needs to be a carefully calibrated exercise. While the consent framework has not worked well, proposals to discard consent are futile without a clear and viable alternative.
While Matthan makes a case for discarding consent in light of its inefficacy in protecting privacy, advocates of big data do so, arguing against the need for purpose specification. They claim it is an impediment to unlocking the benefits of big data by preventing actors from working with as much data as possible. This point of view has been termed big data exceptionalism by New York University professor Helen Nissenbaum.
First, it is important to recognize that the two competing interests may not be easily reconciled, and a policy decision clearly choosing the right to privacy over the economic incentive of unregulated access to data needs to be made by those drafting privacy law. Privacy is a human right and as such must be independent of financial circumstances. No economic interests can justify or outbalance the individual’s right to privacy. This is especially important in light of the assertions in a white paper issued by the Srikrishna Committee as a discussion point about the need to balance privacy with innovation.
Second, the twin elements of notice and consent do provide some degree of control to individuals, even one compromised greatly. The appropriate response to this issue has to be in terms of providing greater rights to data subjects through more meaningful consent, and not by further reducing what little choice and control is provided.
There is a disconnect between the information accessible to individuals through privacy notices and the actions they can take in order to protect their privacy. Instead of rejecting consent as an unworkable system, it may be more worthwhile to look at solutions that seek to fulfill the unrealized promise on informed consent – making the user more empowered.
Various emerging standards and good practices address issues such as timing of privacy notice, the format of privacy notices and issues such as overkill, length and opacity. For instance, some simplify privacy policies using the National Telecommunications and Information Administration’s code of conduct for standardized short-form privacy notices.
It is important to recognize that instead of a neoliberal framework that puts the onus entirely in the hands of the consumer to protect his or her rights, privacy is viewed as a social good important enough to warrant the creation of paternalistic practices to ensure that even data collectors licensed with broad consents from consumers must refrain from using cases that are detrimental to the privacy of the individual.
Some key proposals include the legitimate-interest condition, which mandates that governments can access some forms of data in the interest of governance. Other discussion points are data sovereignty and portability, and use of risk-assessment techniques.
It is worth mentioning that most of these proposals are still in the process of evolution, and it may be a while before India has comprehensive governance frameworks based upon them.
In the meantime, an incremental approach that, on the one hand, reconfigures consent into its most meaningful form instead of rejecting it, and at the same time, gradually introduces newer proposals, may be the need of the hour.
This is the first of a three-part series on privacy and data protection in India.