Wednesday, April 12, 2017

Emerging themes around privacy and data protection

by Vrinda Bhandari, Amba Kak, Smriti Parsheera and Renuka Sane.

Issues of data protection and privacy have become the subject of intense discussion and debate, in India as in the rest of the world. In this post, we identify certain key themes that arise in the context of these issues, that can augment our understanding of privacy and data protection and help towards forging safeguards in the form of a privacy law. Many of these were discussed recently at a round table organised at NIPFP on 24th March 2017. The key themes that emerged are summarised below.

What do we understand by privacy?

The term privacy has many connotations, takes different forms in different contexts and is viewed differently depending on the individuals own subjectivity. Defining it has been a challenge, with many scholars leaning towards more conceptual, and less rigid formulations. In philosophical debates, privacy can be characterised in terms of defining a sphere of private life that is separate from political activity and government interference. The sociological argument traces its roots in the fundamental haracteristics of social life - social context determines what is considered private in different circumstances. Others, like Solove 2006), however, move away from these conceptual discussions to identify specific privacy harms that have been recognised by society. His taxonomy of privacy encompasses four aspects - first, information collection (through surveillance and interrogation); second, information processing (through aggregation, identification etc.); third, information dissemination (through disclosure, exposure, breach of confidentiality etc.); and fourth, invasion (through intrusion and decisional interference).

Taking a slightly broader view, Calo (2011) speaks about privacy through the boundaries of subjective and objective harms. A subjective harm is internal to the person harmed, and is caused by unwanted observation. This encompasses, for instance, the knowledge or perception that some negative information about oneself is out there, which leads to distress and anxiety. Conversely, objective harm is external to the person harmed, when coerced or unanticipated information about oneself is used by other persons. Understanding of the potential harms is extremely important for the design of a policy response.

Another debate that emerges is whether privacy should be viewed as a right, an interest, or a property? Interestingly, the early parameters of what is now regarded as privacy evolved in the context of property rights. In 1890 Warren and Brandeis argued in a seminal paper that the right to privacy goes much beyond the concept of personal property rights, and must be recognised as such (to include for instance, the principle of an inviolate personality). By now most countries view privacy through a rights lens, because property, by its very nature, once bought, can be destroyed, transacted, and shared without the consent of the original owner. The economic dimensions of private data in the digital age have, however, once again triggered these rights versus property debates focused around the concept of "propertarian privacy".

Discussions on privacy also raise the question of privacy from whom. Traditionally, privacy was viewed in the context of the surveillance and law enforcement powers of the State. However, with the rise in big data and the explosion of social media, we now have to think of privacy from private actors as well, whether in the context of data mining, data retention, or data sharing arrangements. Surveillance, in this context, includes what Roger Clarke terms dataveillance - systematic monitoring of actions or communications using information technology.

Do people in India really value privacy?

While a lot has been written about the value of privacy (for example, Westin (1968)), it is often argued that people do not really know how to gauge the value of their own privacy. Many view the debates on privacy protection as the privilege of the elite who do not have to worry about accessing basic services, or as refuge for those who have "something to hide".

It is, however, important to remember that privacy is context specific. It is not always about what one may have to hide, but also what one may have to lose. These considerations vary across class, gender, caste, age and are often be different for different intersections of these categories. For each person, there are aspects of their life that are "personal", that they do not wish to be revealed to the public at large- and the control over which is integral to their sense of autonomy. In the digital context, the oft-heard lament is that privacy does not seem to be valued enough perhaps because people either don't know or feel ambivalent about how much data they are sharing (unwittingly), to which entities and the picture of themselves that their data is able to generate to these entities.

For awareness to be effective it must move from the risks to the harm. Sunil Abraham offers a useful analogy of tobacco use. Most smokers are well aware of the risks of smoking, but do not bother to stop, until they face a health crisis. Similarly, most people, while well aware of the privacy risks associated with their activities, for instance careless use of social media, do not take any remedial action until and unless they face a data breach. Therefore, just as health policy workers have tried to change the attitudes of smokers by scaring them through the inclusion of graphic images on the cigarette packs, it might be useful to alert people to the harms caused by the loss of privacy.

"Privacy by design" holds important lessons

The principles of Privacy by Design (PBD) developed by Ann Cavoukian are worth emphasising. The approach highlights that measures to protect privacy should be proactive and preventive, and not remedial. Privacy should be the default setting, embedded into design of technologies and services.

This overcomes many of the problems associated with choice/consent based regimes although adoption still depends on voluntary buy-in from businesses and users. So far, businesses in India are said to find an unwillingness among users to pay for privacy. For this reason, most privacy-enhancing technologies (PET) based solutions are B2B rather than B2C, and even these are far and few. We, in India, need to think of innovative ways to bring about a regime of data protection. A law on the subject and privacy-enhancing design elements are both part of the solution.

Issues of surveillance

Perhaps the most contentious of all issues is the one on where to draw the line between privacy and security, which often requires the use of various surveillance tools by the state. The PBD framework calls for "full functionality" in this context, i.e. it seeks to accommodate all legitimate interests in a positive-sum manner. Instead of a dated zero-sum approach with unnecessary trade offs of privacy vs. security, PBD says that it is possible, and far more desirable, to have both.

Yet, in reality there remains no consensus on a) the extent to which the state is engaging in surveillance, b) the extent to which Aadhaar and other big data techniques are being deployed, and c) the relationship between national security and privacy (is balance the appropriate metaphor? what is the trade-off, if any). The State claims that surveillance fears are misguided and overstated, while civil society argues that surveillance is broad based, and inadequate checks and balances leave citizens vulnerable. Given that both national security and privacy remain nebulous terms, there is no clarity on when one gives way to the other, and it is undeniably the rhetoric of national security that invariably overwhelms privacy. This issue requires unpacking and principles-based resolution as unchecked intrusions by the State can damage the very essence of what it means to be a liberal democracy.

Problems of Aadhaar

Given the pervasiveness of Aadhaar in our lives today, a debate on data protection cannot be complete without evaluating the legal framework surrounding it. The current legal framework of Aadhaar is weak. The Act delegates a number of core functions to be specified by the regulations, and these regulations further defer these functions as matters 'to be specified' by the UIDAI in some undefined future. This suggests that Aadhaar is currently functioning in some sort of a legal vacuum in terms of the nuts and bolts of important issues such as enrollment, storage, and sharing of data.

The regulations that have been issued by UIDAI did not go though a rigorous consultative process - both while preparing the draft, and in seeking comments from the public. The UIDAI should voluntarily opt for greater transparency on issues that have implications for privacy and data protection.

There is a case for a horizontal law

In India, the Supreme Court is yet to decide, what was until recently regarded a settled position - whether the right to privacy constitutes a fundamental right under Part III of our Constitution. While this is being debated, we have sector specific frameworks, like Section 43A of the IT Act, for protection of personal information and data security. More recently, the Ministry of Electronics and Information Technology (MeitY) has released the draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017 for public comments. The draft rules aim to ensure the integrity, security and confidentiality of electronic payments through prepaid instruments, although amid concerns over the scope of the draft rules, MeitY's jurisdiction, and overlaps and conflicts with existing laws. Several other regulators such as the RBI, telecom authorities and health departments also have, or are in the process of developing, privacy/data protection norms pertaining to their jurisdictions.

These are all notable moves, but in the absence of a horizontal law, they will lead to the development of certain pockets of protection in certain sectors, while many other facets of private data will remain unprotected. Another concern is that the current legal framework does not hold meta data to the same standards as data in privacy and data protection debates.

There is a case for a comprehensive, principles-based, horizontal privacy law with basic minimum standards of privacy. These standards can then be tuned further to meet the requirements of different sectors. Thus, regardless of whether the Supreme Court of India considers privacy as a fundamental right, the State must define the circumstances in which it, as well as other private sector entities, may intervene with an individual's rights. Work on the draft privacy bill which began a few years back needs to be pursued with haste.


Vrinda Bhandari is a practicing advocate in Delhi. Amba Kak, Smriti Parsheera and Renuka Sane are researchers at the National Institute of Public Finance & Policy. We thank all participants at the round table on privacy and data protection organised by NIPFP on 24th March, 2017 for their contributions. Any omissions are our own.

No comments:

Post a Comment

Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.