Wednesday, November 02, 2016

Towards a privacy framework for India in the age of the internet

by Vrinda Bhandari and Renuka Sane.

The Supreme Court order during the Aadhaar hearings in August 2015, that raised the question of whether privacy is even a fundamental right under Part III of the Indian Constitution, brought the debate on the right to privacy at the forefront in India. More recently, the Laksh Vir Singh Yadav v UOI case pending in front of the Delhi High Court has led to discussion on the merits and demerits of the right to be forgotten. The Delhi High Court, has in this case, reportedly asked the Centre and Google on whether the right to privacy includes the right to delink irrelevant information from the internet.

What separates these two cases is the different nature of the parties involved. The first is largely related to the dangers of unfettered surveillance by the State. The second is related to the immense power wielded by private actors such as Google and Facebook in the new-age digital economy. What is common between the two, however, is that they open up the question on the right of privacy of personal information.

How should we think about the right to privacy? Who do we need privacy from? What are the consequences of inadequate privacy protections? What principles should underlie a privacy law? A lot of work has been done on the examination of the state of law of privacy in India (CRID, 2006; CIS, 2011; Justice Shah Report, 2012). In a recent paper, Towards a privacy framework for India in the age of the internet, we contribute to the debate on privacy in India in two ways. First, we conceptualise the right to privacy in the context of the State and private actors in the age of the internet and big data. Second, using globally accepted privacy principles, we propose a privacy framework on the basis of which to evaluate any future privacy law.

Privacy from whom and why?


Privacy from the state

Traditionally, we thought of privacy as privacy from surveillance by the State. Governments' wield enormous influence and have coercive powers including those related to law enforcement and criminal justice. This made citizens wary about the invasion of their privacy by the State.

The government's surveillance capabilities have vastly improved over the last couple of decades. The emergence of new technologies comes with the possibility of misuse, especially considering the relatively low level of effective oversight and awareness about such programmes. The right of privacy against the State is thus premised on the idea of personal freedom in a liberal democracy, and primarily focused on surveillance and information gathering.

Privacy from private actors

Private actors were never really the focus of the privacy debate. This has, however, changed with the rise of big-data and of global corporations such as Google, Facebook, and Amazon, whose business model relies on the collection, storage, and use of customer data. It has also been aided by the increasing popularity of social media, which encourages people to share more information about themselves.

The right to privacy against private actors is founded on principles of contract law, most prominently involving notice and consent. It is focused on the collection, storage, processing, transfer, and use of personal data of customers for business purpose.

Would simple disclosure policies be enough to prevent any privacy violation? We think, not. This is because of what is seen as a privacy paradox, where users profess to, and are indeed, concerned about their right to privacy, but their behaviour does not reflect their apprehensions. In fact, very often, not only do individuals fail to understand the fine print of privacy policies, we see that individuals often view such policies as guarantees of data protection, instead of liability disclaimers for firms.

With the ease of tracking our movements through geo-location and wifi on smartphones, and the data sharing requests sent by the Government to these corporations, the difference in the privacy protections sought against the State and private entities is slowly disappearing.

Consequences of loss of privacy 

Inadequate privacy protection can have significant consequences - ranging from identity theft, and increased profiling and discrimination of individuals, to a loss in free speech due to an ensuing ``chilling effect''. Privacy protections are thus required not only from the State but also from the private sector. In fact, a recent Nasscom-DSCI survey showed that inadequate data protection frameworks were causing losses worth billions of dollars to the Indian IT-BPO sector, in part because India's data protection regime was not considered adequate by the EU.

Framework for a privacy law


A privacy law has to inevitably deal with two competing concerns. The first is that of national security vis-a-vis privacy. The second is that of the big data's multitude of benefits vis-a-vis the costs of the loss of privacy. The design of a law, therefore, is a not a simple question of enacting a law where privacy trumps every other consideration - be it security or big data benefits - every time. We use the nine principles enumerated by the Justice Shah Report (2012) as the basis for a national privacy legislation in India.

We propose certain design elements that can be a part of a national privacy legislation. These are:

  1. Objective of the privacy law
  2. Value of personal data
  3. Scope and ambit of the law
  4. Coverage
  5. Principles governing collection and retention of data
  6. Principles governing use and processing of data
  7. Principles governing sharing and transferring of data
  8. Rights of users
  9. Supervision and redress mechanisms 

Conclusion


In India, in the absence of an over-arching law, our regulatory surveillance architecture is heavily weighted in favour of the State. This is extremely problematic as mass surveillance is being carried out in a legal vacuum, with little regard for the effect on individuals' rights to privacy. In such a situation, regardless of whether the Supreme Court of India considers privacy as a fundamental right, the State must define the circumstances in which it may intervene with an individual's rights. Similarly, law must define how private sector entities deal with user data.

An important limitation of our framework is that it does not deal with traditional modes of surveillance and information gathering. Further, while privacy is understood variously as being linked to decisional autonomy, secrecy, and freedom from intrusion, both in the physical and information data sphere, we focus primarily on data privacy and the privacy of personal information. Finally, it is important to bear in mind that any law on privacy will have the un-enviable task of keeping pace with the development of technology.

References


CIS (2011). Privacy in India - Country Report. Centre for Internet Society, Privacy India, Privacy International, Society in Action Group.

CRID, University of Namur (2006). First Analysis of the Personal Data protection Law in India. Report delivered in the framework of contract JLS/C4/2005/15 between CRID, the EU Directorate General Justice, Freedom, and Security.

Justice Shah Report (2012). Report of the Group of Experts on Privacy. Government of India, Planning Commission.

Moore, Adam (2008). Defining Privacy. In: J. of Soc. Phil. 39.3, pp. 411–428.



Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi.

1 comment:

  1. Is this legislation discussion limited to privacy of non-state individual information?

    Is the state discretionary right of hiding its own information from non-state individuals out of the scope?

    In both the cases, the popular logic for asymmetry (governmet/individual information is confidentil/non-confidential) is mostly cited as national interest

    ReplyDelete

Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.