India's moment in global privacy crisis

For a data protection law to work, it should contain a well-designed implementation framework that can truly safeguard our personal liberties from abuse by the state as well

The words “global crisis” tend to conjure up images of the financial meltdown of 2007-08 — failing firms, big bailouts and a slew of regulatory reforms. In The Big Short: Inside the doomsday machine, Michael Lewis talks of the spiralling effect of sub-prime lending by saying, “That was the problem with money: What people did with it had consequences, but they were so remote from the original action that the mind never connected the one with the other.” The story of personal data is very similar. Its rampant misuse has spurred a new kind of crisis, one that is centred around questions of autonomy, innovation and regulation of data use in a globally interconnected society.
 
Each day, millions of ostensibly informed users share their personal information with a range of data collectors. Passed from one entity to another, and combined with other pieces of information, this data can serve many ends. It can facilitate customised services, predictive analysis and targeted advertising. This forms the backbone of services like Google, Facebook, Amazon, Uber and their Indian counterparts. Yet, the same data can also become a formidable tool of discrimination, manipulation and surveillance. Sometimes these consequences are so remote from the original act of data collection that the mind rarely connects the two. Recent events have, however, forced us to start drawing these connections.
 

Illustration: Binay Sinha

The Snowden revelations of 2013 were, in some ways, the “Lehman Brothers moment” of the privacy crisis, sparking a global loss of faith in government surveillance systems. More recently, the Cambridge Analytica episode has illustrated how something as innocuous as taking a personality quiz on Facebook could become a tool for influencing political outcomes. These are not isolated incidents of a few rogue agents but examples of the unlucky few that got caught with their hands in the cookie jar. Since the benefits of indulging in data excesses clearly outweigh its regulatory, economic and political costs, it is only logical to expect such practices. This makes it unrealistic to rely on self-regulation or intermittent scrutiny following a detected violation to address the complexity of modern-day privacy concerns.
 
In India, the concept of “privacy” found its way into popular consciousness through the debates surrounding Aadhaar and the Supreme Court’s Puttaswamy verdict. The biometric nature of Aadhaar and its ubiquitous adoption across public and private services sparked concerns about the volume of data being amassed under the system and the threats to its safety. These concerns are magnified by the state’s incentives to gain deeper insights into the lives of citizens; the lack of transparency around surveillance practices in India; and its potential consequences for civil and political rights. As in the case of private data collectors, relying merely on the UIDAI to monitor how personal data is collected, managed and secured on its platform is not sufficient. Both cases call for a solution that is grounded in a robust data protection law, with mechanisms for independent oversight. The Justice Srikrishna Committee constituted by the government is in the process of drafting such a law, although we are yet to see its exact direction.
 
While our discussions on Aadhaar and data protection are necessarily local, these conversations are not taking place in isolation. Rather, they are being informed by equally spirited debates that are taking place in other parts of the world. The adoption of the General Data Protection Regulation (GDPR) in Europe, concerns around fake news and the economic implications of data localisation norms are some examples.
 
The GDPR, which comes into effect in a few days, creates a comprehensive framework to protect the personal data of European subjects. Its actual footprint is, however, likely to be much larger. First, many global businesses are responding to GDPR by tightening their worldwide privacy policies — this will mean better protections for individuals located outside Europe also. Second, the developments in EU are feeding into data protection discussions in other jurisdictions, including India. Third, the GDPR’s compliance norms will increase the cost of operations for smaller businesses, with implications for the data processing industry in India. At the same time, enhanced compliance requirements should fuel a new wave of RegTech solutions, using technological tools to facilitate regulatory compliance.
 
The constitution of the Justice Srikrishna Committee comes against the background of the Puttaswamy verdict, the Aadhaar challenge and questions about the Facebook-WhatsApp privacy policies before the Supreme Court. This gives hope that the work of this committee will not meet the fate of a similar exercise conducted by the Justice AP Shah Committee a few years earlier. This time, we have the momentum of the global privacy crisis to nudge policy makers towards a data protection law. The challenge, of course, would be to ensure that the law that is finally adopted does more than paying lip service to data privacy. A critical step towards this would be to open the draft law to public comments at an early stage. We need to build confidence and consensus towards a framework that can truly safeguard our personal liberties, from abuse by private actors and the state itself. The author is a technology policy researcher at the National Institute of Public Finance and Policy