Safeguarding your privacy from government and the use of your data by companies without asking you or paying you explicitly, are current concerns, even in under developed India, where more than one half of the population remains effectively unhooked to the internet because of patchy service in low population density areas.
The proposed solutions are pretty humdrum. A committee constituted by government under B.N. Srikrishna ( a retired judge of the Supreme Court) has adopted a please-all stance. A new legislation with new government agencies and draconian provisions for imposing penalties, modeled along the European approach seems to be the best that we can come up with.
An institutional approach to data protection
A new Data Protection Authority (DPA) is to be created as an “independent regulator” for monitoring, enforcement, standard setting, adjudication and grievance handling. Will this regulator work when so many others have failed to deliver? Only time will tell. But it cannot worsen the present levels of data protection. It may cost a bit more. But it will also create additional “good” jobs. So, on the whole, we should probably go for it.
A regulatory pancake is undesirable
The committee also recommends, somewhat surprisingly, that the Unique Identification Authority of India (UIDAI), which has the mandate to issue Aadhaar and manage its database, should also be given regulatory functions, its autonomy enhanced with enforcement powers over those entities which, in turn, are authorised to access the Aadhaar information. In addition, UIDAI will also become a data fiduciary regulated by the proposed DPA, like any other data fiduciary – all this via amendments in the Aadhaar Act.
This is convoluted, but it preserves the existing Aadhaar Act while also bringing the UIDAI under the mandate of the DPA. Clearly, this device diffuses potential resistance. However, wouldn’t it be sufficient for the UIDAI to be regulated by the DPA? The issue of data privacy in Aadhaar using fiduciaries could be directly regulated by the DPA. Data privacy leaks happen not within the UIDAI database, but in agencies like banks or food distribution centres which are required by the law or by executive order to access the Aadhaar base.
No reciprocity between citizen and State rights
In the context of private data protection versus the State, the committee’s recommendations are fairly status quoist. The committee has ceded regulatory ground, near completely, by exempting all authorities controlled by the government, as defined in Article 12 of the Constitution, from the need to obtain the consent of individuals (termed data principals by the committee). The only restraint is the triple test laid down by the Supreme Court (Puttaswamy case 2017) — State rights limited to those permitted by law; the principles of “necessary” and “proportionate” restraint on privacy and finally restrain only to promote a legitimate interest, such as the “security of the state”.
Trawling Big Data for security of the State
Civil society is almost certain to be unhappy that better and more explicit safeguards haven’t been suggested over public agencies to curb the practise of gathering “intelligence” or exercising “surveillance” in the manner of a “fishing expedition” — casting the net wide to gather all possible information.
The safeguard today is that approvals for interception, under the Telegraph Act 1885, are given by a three-person committee of top bureaucrats. The number of requests — around 8,000 per month — are huge. The secretary-level committee can only hope that their junior staff has sifted the requests carefully. A similar architecture exists in state governments. Under the Information Technology Act 2000, private information stored in computers can be similarly accessed for reasons of state, including crime prevention and detection.
The committee suggests that a new law is needed to exercise better oversight over intelligence-gathering, including wider parliamentary and judicial participation. That will take time. An earlier bill to regulate the functioning of the intelligence agencies had lapsed in 2011.
Cynicism on intra-State mechanisms to check abuse of data privacy are misplaced
Surely, even within the existing laws, there is much scope for improvement. Enhancing the capacity and willingness of government agencies to adopt a minimalist approach to data use is one such. Why not use artificial intelligence to handle the huge workload of identifying unreasonable requests or those drafted without proper application of mind? Why not empower the committee of top government officials to discipline line agencies submitting unreasonable requests? Further, can these high officials themselves not be disciplined if they fail in exercising due care? Why not have a group of ministers exercise regular and specific oversight over them? It is the minister, after all, who is answerable in Parliament.
Consider that the most egregious cases of privacy intrusion relate to the use of state power. A new law to improve state functioning is a narrow and time-intensive approach to the problem. It ignores the fact that “gold standard” laws in a poor, developing country, with massive functional illiteracy, does not really work.
Data is valuable “property”. Harness it to pay “data principals” for its use
The recommendations with respect to safeguarding privacy versus business interests are broadly aligned with the “gold standard” of the European Union General Data Protection Regulations of May 2018. We have a fatal instinct for legislating for gold, but settling finally for results equivalent to baser metals.
The committee has sought inspiration from the Directive Principles of the Constitution. Article 39(b) and (c) enjoin the State to work towards redistribution of the material resources of the community for the common good and to avoid the concentration of wealth and means of production. These are non-justiciable segments of the Constitution meant to guide lawmakers. It is worrying when the judiciary starts second-guessing the lawmakers.
Consider that applying these principles bluntly could mean, at an extreme , that data aggregation should be reserved for the public sector to avoid the concentration of wealth which private data aggregators like Amazon have achieved. This could kill the goose which lays the golden eggs. Reducing inequality is a legitimate concern. But the worst way of going about it is to socialise either the means of production or value creation. More significantly, these ideological considerations are misplaced whilst thinking through what should be done to protect data without killing the value proposition embedded in its use.
Proposed restraints on business include stiff fines and draconian penal provisions
Businesses and bureaucrats will also view with considerable apprehension the recommendation that severe criminal liability should extend to incidents of “intentional or reckless” harm caused to data principals. That such offences should be “cognisable” — arrest by the police without a warrant and “non-bailable”. Experience shows in the case of criminal penalties, unlike in negotiations, the heavier the stick wielded, the lighter becomes its actual use. The low efficiency of our judicial system also needs to be considered. Such draconian provisions only serve to dissuade honest, lawful businesses, but do little to discipline criminal intent.
The direction for change recommended by the committee is positive, the narrative outstanding and the information collated impressive. An incremental, contextual approach and a near-term vision, would have helped earlier actualisation of its admirable intent.
Adapted from the author’s opinion piece in The Asian Age, August 3, 2018 http://www.asianage.com/opinion/columnists/040818/to-ensure-data-safety-a-better-vision-needed.html