Threats to data privacy from non state actors
The government is keen to implement a more nuanced data privacy policy in the country soon. Currently the data privacy provisions under the Information Technology Act, 2008 (amended) under Sections 43-A and 72-A are the only legal framework under which an Indian citizen can seek remedy in case of breach of ‘sensitive data’ (even though what accounts for sensitive data has not been defined clearly).
There are no provisions for regulating data stored and mined by non-State actors as well as the data sharing agreement they enter with third parties, leaving no recourse to a customer unwilling to share their personal information.
Ravi Shankar Prasad, Minister of Law & Justice and Electronics and Information Technology has reiterated that the government is committed to protecting the privacy of Indian citizens, albeit also ensuring that it does not throttle digital innovation and progress. Calling the Indian digital economy worth $1 trillion, he stressed that India must not lose out on the digital revolution.
However, India’s Attorney General Mukul Rohatgi in July this year maintained in the Supreme Court with reference to the Aadhar scheme that the Right to Privacy is not a fundamental right and was not conceived as such by the makers of the Constitution.
Additionally he had argued that it flows from one right to the other and there cannot be a question of violation of these rights since they do not exist in the first place.
Referring the issue of ascertaining whether the Right to Privacy is a fundamental right, the SC referred the matter to a nine-judge Constitution bench for deliberating on the matter. The SC judgement on declaring the Right to Privacy a fundamental right has upset judicial precedent on this which did not consider right to privacy as a separate right guaranteed under the Constitution.
It ia important to note that when Justice D.Y. Chandrachud in his judgement on the Right to Privacy wrote that it emerges from “the liberties guaranteed by Article 19 and from the protection of life and personal liberty under Article 21,” he also observed that the threat to privacy in terms of personal information and data may emerge not just from the state but also non-state actors.
With the recent judgement, the contours of the debate on the Right to Privacy has expanded and has implications for the biometric data collected by the State, the protection of the right to sexual orientation and Section 377, consumption of meat and alcohol, termination of life, religious conversion, and data protection, among others.
Prior to the SC’s verdict on privacy as a fundamental right protected by the Indian Constitution, most discussions and debates with my students in and around data and informational privacy would pivot around firstly, the lack of any legal language to argue against the collection of personal data by non-State actors, the collection, mining and storage of such data, and the use or misuse by way of selling this data to other non-State actors.
The discussion would inevitably veer towards safe-guarding our personal information by being more careful with our use of technology and digital applications.
Secondly the key issue we discussed was that while private corporations are collecting, managing and maintaining big data, there is no public discussion on the implication of this practice: privacy did not exist by default but either had to be voluntarily adopted or paid for.1
Thirdly, many of my students also argued that privacy to them is an elitist concern, thought of and practised by a privileged few, and was of little or no concern to those struggling to make ends meet. Chief Justice J.S. Khehar and Justices R.K. Agrawal, D.Y. Chandrachud and S.A. Nazeer dismissed this notion when they wrote in their recent judgement that, “Every individual irrespective of social class or economic status is entitled to the intimacy and autonomy which privacy protects”.
And lastly, many students also argued that lack or loss of privacy is nothing but a minor trade-off for the conveniences received by using technology and specialised digital applications. Non-State actors, the hallmark of the international political economy, are global corporations that have an increasingly powerful role to play in international economies. These include, but are not limited to, the creators of digital applications and products used by an average Indian today such as Whatsapp, Facebook, Uber, Truecaller, Apple and Samsung, among many others.
As I have argued elsewhere, when we download an application on our phones, why do we have to surrender access to our camera, photos, our contact list, and our messages for the application to function? For instance, why is it that when we book our flight, our email provider stores our flight information and without our explicit consent syncs it with the email calendar reminding us of our flight a few hours before its departure?
And how is it that this data (on email and messages) is also available to third-parties, such as taxi and cab aggregators, who surge their prices precisely when we are scheduled to leave our homes for the airport?
At present India does not have any legislation around collection of this data by non-State actors for targeted advertising and consumer insight. Many potentially intrusive features also parade as technological innovations by big corporations, such as Facebook’s photo-sync feature which would automatically upload any new photographs taken from a user’s phone to a private album on their account which could be shared by the user at a later point.
While this particular feature was phased-out starting early 2016, the application still has access to the user’s photographs, sending a prompt every time new photographs are taken by a user from their phone.
Many smartphone manufacturers such as Apple and Samsung have also incorporated the fingerprint scanner on their phones, by way of which they are able to digitally store fingerprints of the users. In 2017 in the US it was reported that Uber tracked iPhones via virtual fingerprint even after the Uber application was deleted from the phone.
Thankfully many of these concerns have also been recognized by the SC. Justice Sanjay Kishan Kaul in paragraph 17 of his judgement has remarked that, “As we move towards becoming a digital economy and increase our reliance on internet based services, we are creating deeper and deeper digital footprints - passively and actively”. And may I add, knowingly and unknowingly.
KYC or Know Your Customer is an important link in the overall chain of marketing for non-State actors. This is helpful for businesses to understand their customer base, map their purchase patters, and plot their spending habits and buying behaviour for tailored and targeted advertising efforts.
However, this has given rise to data fetish, the commodification of consumer data through intrusive and undisclosed means of collection by non-State actors, violating customer privacy. The commercial exchange (buying and selling) of customer data collected through unscrupulous means has been going on in the absence of a regulatory framework in India due to opaque terms and conditions put forward by businesses.
Mukesh Ambani, the chairman of Reliance Industries and its telecom arm, Jio Infocomm, remarked in a leadership summit held in Mumbai this year that “... the fourth industrial revolution is connectivity and data. Data is a new natural resource. We are at the beginning of an era where data is the new oil.”
At the same summit, he also made a reference to the impending challenges of this data revolution, namely privacy, security and data theft.
The European Union has recently enacted the General Data Protection Regulation as part of their data privacy laws which expressly prohibit non-State actors from using customers’ data without their consent and permission. While technology has certainly made our lives easier, it has been at the cost of foregoing our privacy, our personal information, and intimate details about who we are and what we do.
Privacy doomsday was already spelled out by George Orwell in his seminal work 1984 butmore recent popular culture representations present a data-driven and invasive dystopia with irreverent nonchalance.
Black Mirror, an anthology series produced by Netflix, has individual episodes revolving around the darker side of life and technology, from people having a device implanted in them that records everything they see and hear to people using devices to block people they don’t want to hear or see to people ranking everyone they meet, leading to a national database of ranking that affects every aspect of the individual’s life, right from where they can live to where they can work or who they can be.
While these can be dismissed as flights of fiction and fantasy, the glaring reality of how technology is intertwined with our lives and how the connection is also getting deeper and more pervasive is indeed true.
In India we are still coming to terms with the idea of personal data, digital data and informational privacy. While the government has been advocating the use of unique identification for every citizen by the use of Aadhar for efficient governance and delivery of welfare, non-State actors such as mobile network providers are compelling existing customers to link their mobile phone numbers with their Aadhar numbers, failing which the services may be disrupted.
In this year alone there have been 21 leaks and incidences of Aadhar biometric data breach.While the government has pushed this linking of Aadhar with mobile phones to weed out fake subscribers, how does the government plan to develop a mechanism to regulate the use of this data by non-State actors such as mobile network operators?
What is the data sharing agreement between the government and the operators? Are there any limitations on the network operators in terms of sharing this information with third parties? None of this has been clarified yet.
This leads to the obvious questions of who are the real custodians of this data. Ideally customers should have a right over the data being extracted, stored, mined and used by non-State actors. The absence of a legal framework which allows for lack of maximum disclosure by corporations when it comes to use of customer data is a dangerous development. The government, however, plans to enact data protection laws by October 2017 and is keen to protect personal details shared by people on online platforms.
The Justice Srikrishna Committee set up on July 31st 2017 under the Ministry of Electronics and IT is tasked with the unenviable responsibility of reconciling commercial interests and business innovation with the rights of citizens with respect to their personal data which includes but is not limited to, their geospatial location, their purchasing decisions, their online activities, their messages and photographs.
The mandate before the committee, among many other things, is to spell out what is informational privacy and recognize the need for consumer privacy, mandatory safeguards in handling consumer data, scope of use, voluntary and informed consent and maximum disclosure to address the growing concerns of gross collection and misuse of consumer data in the future.
Note
1 For instance, while registering a domain name in India, the registrant has to pay an additional cost to safeguard their private information being disclosed to other who might want to know the person under whose name the domain is registered. The settings of applications or websites such as Facebook for Advert Preference (the way users’ information is provided to other advertisers on Facebook) are by default not private (this includes data on other websites and applications used by the user, the social actions of users and their friends etc.)
Aakriti Kohli is a research scholar and teaches media and cultural studies at the University of Delhi