Privacy

The unintended consequences of Europe’s GDPR

The General Data Protection Regulation (GDPR) came into force on 25 May, affecting entities worldwide that do business with EU citizens. While the regulation has stringent requirements for consent and high penalties for non-compliance, it may have unintended consequences. Large platforms can easily adapt, but smaller entities and start-ups may struggle with the complexity and cost of compliance, potentially leading to a consolidation towards large data platforms and a chilling effect on new ventures.

A new direction for data privacy in healthcare

The draft Digital Information Security in Healthcare Act aims to regulate the use of digital health data, emphasizing patient consent and privacy. It allows anonymized data for public health research but restricts commercial use. However, its timing is questionable, as it precedes the anticipated overarching national data protection framework, potentially leading to inconsistencies in privacy regulations across sectors.

India need not adopt the onerous European General Data Protection Regulation

There is no need for India to adopt GDPR-like data protection laws, as doing so will hinder local innovation. Historically speaking, countries took their time to arrive at a standardised approach to IP law, and we need to follow a similar path, taking a tailored approach to data regulation that balances protection with fostering the country's burgeoning data industry.

Do away with consent to strengthen data privacy

That consent to the Facebook privacy policy could be used as a defence against the consequences of the Cambridge Analytica incident is an indication that consent cannot be our primary safeguard. The accountability framework is the only effective alternative to consent.

Data subject first

In early 1800s America, credit was based on personal familiarity. Lewis Tappan revolutionized this by selling credit ratings, leading to the birth of credit reporting agencies. Today, these agencies hold extensive personal data, influencing major life decisions. India, formulating its first privacy legislation, faces a similar choice: regulate data collectors or empower individuals to control their data usage.

Privacy and household finance

The RBI Committee on Household Finance recommends the use of fintech to build the customisable, scalable solutions we need to benefit households.

The Good and the Bad of the Privacy Ruling

The Supreme Court of India’s decision in Puttaswamy v. Union of India affirmed the fundamental right to privacy, resolving inconsistencies in previous rulings. While the judgment is celebrated for its nuance, I am concerned that the consent-based framework might hinder the benefits of modern technology.

A New Hope for Personal Privacy

We rely on technology for daily tasks, from timely reminders to personalized entertainment suggestions. While this personalization offers convenience and informed decision-making, it raises privacy concerns. The proposed privacy law shifts responsibility from individual consent to data controllers, ensuring no harm from data processing. This includes financial, reputational, or choice-related harms, especially from biased machine learning algorithms. The law suggests regular data audits by learned intermediaries, moving towards privacy compliance through incentives rather than penalties.

Aadhaar: The Fine Balance between Identity and Anonymity

In “Homo Deus”, Yuval Noah Harari suggests that Homo sapiens’ success is due to our unique ability to believe in myths, like nation-states, which unite individuals under a common identity. This concept is crucial in modern society, where identity systems like India’s Aadhaar balance social responsibilities with personal privacy, highlighting the need for privacy laws to maintain this equilibrium.

A New Paradigm for Privacy

The Indian government’s recent mandate to link Aadhaar numbers with tax returns and mobile numbers highlights the urgent need for a privacy law. Current proposals suggest a law based on OECD principles, emphasizing consent. However, given the complexity of data use today, the responsibility should shift from individual consent to holding data controllers accountable, ensuring fair and non-discriminatory data processing. India has the chance to create a forward-thinking privacy framework suitable for today’s data-intensive world.