Privacy

The public credit registry (PCR), a centralized credit information system, would improve data quality and help borrowers build reputational collateral. However, a PCR alone isn’t sufficient; lenders also need information on borrowers’ financial assets. The Reserve Bank of India’s account aggregator infrastructure addresses this by allowing borrowers to share financial asset information securely and with consent. While this system limits data misuse, it requires robust legal frameworks to ensure data is used only for intended purposes.

Mobile phones provide opportunities to obtain real-time movement information, aiding in crisis management like tracking disease spread. However, the balance between utilizing this data and ensuring privacy is complex. Current anonymization methods are inadequate, and conscientious use obligations may be a more effective approach to protect privacy.

This year marked a significant shift in global privacy regulation, with the enforcement of Europe’s GDPR and similar laws in other regions. While focusing on consent, the inadequacy of this approach was exposed by tech companies’ practices. In India, the privacy debate intensified with court decisions on Aadhaar and the release of the Justice Srikrishna Committee’s draft bill.

The modern internet has become centralized and controlled by a few powerful corporations, deviating from its original vision of an open and decentralized platform. Tim Berners-Lee, the founding father of the internet, is working on a project called Solid to restore power to users by allowing them to store personal information in personal data stores (PDS) under their control. That said, universally accepted standards for electronic consent and true social graph portability might be a more effective way to balance convenience and data protection.

The recent Supreme Court judgment on Aadhaar has left confusion and dissatisfaction among various stakeholders. While the court upheld the identity scheme, it restricted its scope, leading to uncertainty over the role of the private sector in Aadhaar’s infrastructure. The judgment’s implications on government services and subsidies, many of which rely on private sector authentication, remain unclear, raising concerns about potential negative impacts on pensioners, migrant workers, and microfinance beneficiaries.

The draft Personal Data Protection Bill in India aims to protect children’s online privacy through age verification and parental consent. However, these measures raise concerns about the loss of internet anonymity and practical issues with the age threshold. The Bill’s approach may inadvertently expose children to privacy risks, including those stemming from well-intentioned parental actions, and fails to consider children’s ability to make decisions about their privacy before reaching the age of majority.

Justice Brandeis’ dissent in the matter of Roy Olmstead, emphasises the dangers of unchecked government surveillance and the need for privacy laws to evolve with technology, remains highly relevant, especially in discussions about government exemptions in privacy laws and the balance between using technology for social good and protecting civil liberties.

The Justice Srikrishna Committee’s data protection framework aims to balance individual privacy with the growth of the digital economy, distinct from models in the US, EU, and China. But the committee missed opportunities to encourage de-identified data use and set impractical standards for anonymization. Concerns arise from the draft law’s definition of harm, potentially hindering AI and machine learning applications in social contexts by categorizing service denial based on evaluative decisions as harmful, which could restrict beneficial financial and social inclusion technologies.

The Srikrishna Committee report on India’s new privacy framework has been criticized for seemingly granting the government latitude in state surveillance, including national security exemptions. While similar exemptions are common in global data protection laws, concerns arise from the report’s failure to address practical concerns and the draft Bill’s inability to hold the government accountable for privacy violations. The penalties, designed with private entities in mind, may leave government data fiduciaries without fear of consequence.

The Justice Srikrishna Committee’s report on data protection proposes a user-centric framework, emphasizing data portability and privacy by design. However, its approach to consent, applying product liability principles and creating a complex, multilayered consent framework, may be impractical and burdensome for businesses, particularly startups. These measures, while aiming to enhance privacy, could introduce additional friction for users and businesses, potentially exacerbating consent fatigue.