When privacy, the word of the year, came into its own

This year marked a significant shift in global privacy regulation, with the enforcement of Europe’s GDPR and similar laws in other regions. While these laws focus on consent, the practices of tech companies exposed the inadequacy of that approach. In India, the privacy debate intensified with court decisions on Aadhaar and the release of the Justice Srikrishna Committee’s draft bill.

This article was first published in The Mint.

It’s that time of the year when it seems incumbent on us columnists to look back at the eighteen score days gone by and reflect on the year that was. In the two years that I’ve been writing this column, I have resisted the urge to make the last article of the year a retrospective. However, this year has been an exceptional one for privacy and it would be remiss of a writer who focuses on the impact of law and technology on society not to reflect on the year that privacy came into its own.

It was during this year that the world’s most advanced data protection regulation came into force, resetting standards of privacy the world over. Provisions in Europe’s new General Data Protection Regulation (GDPR) require European companies to engage only with other companies that have an adequate level of privacy protection and, additionally, require companies outside the Union to meet the strict compliance obligations of the European data protection law if their business extends to the Union. As if to endorse this uniquely European approach, within the same year, California also enacted a privacy law that appears to have drawn heavily from GDPR principles. Several other countries seem keen to follow suit.

At the heart of the European privacy framework is the notion of consent—a concept that has been central to the global privacy jurisprudence for decades. However, just as GDPR was re-affirming this concept and elevating it to new heights, various big tech companies proved just how inadequate an over-reliance on consent could be in the context of modern technologies. Ever since the Cambridge Analytica story first broke, it seems that every month there has been some news story or the other about the callous manner in which companies around the world deal with data. This was the year in which many of them were exposed as having indulged in questionable practices for a long time to the point where it is now quite clear that few, if any of them, ever really had any actual control over the petabytes of customer data under their care.

Back in India, this year has been the one in which the privacy debate reached its crescendo. During the first half, the highest court in the land heard arguments on Aadhaar, the world’s most ambitious identity project that many believed was nothing more than a sophisticated tool for state surveillance. In a split decision, the court upheld the constitutional validity of the project, but at the same time, struck down various critical features in the way private parties use its authentication functionality. What has survived is a shadow of what the Aadhaar project could have been.

At about the same time, the Justice Srikrishna Committee released its report making recommendations as to what India’s new privacy law should look like and attaching a draft bill that the Parliament could consider directly enacting. The structure of the draft bill follows along the lines of the European framework, focusing on consent as the main safeguard against violation of personal privacy but at the same time introducing many new concepts that are heartening.

Significant among these is the novel re-framing of the relationship between the data subject from whom data is collected and the data controller who processes it. Rather than sticking with the current nomenclature, which seems to suggest that the person whose data is collected is somehow inferior to the collector, the Personal Data Protection Bill calls her the data principal, elevating her to a position of primacy, while at the same time referring to the data controller as a data fiduciary, suggesting that any data collected must be treated with fiduciary responsibility.

That said, there are many things about the bill that are not praiseworthy. The proposed law makes a strong case for data localisation, stating that critical data can only ever be processed within the country and that all data fiduciaries must ensure that a serving copy of the data collected by them is maintained in India. The bill has also introduced age-verification mechanisms to ensure that data fiduciaries dealing with children’s data apply a higher standard of care to their operations. In doing so, the law has inadvertently introduced an identity verification layer into the online world, thereby fundamentally undermining the way in which the internet functions today.

These measures, while addressing an understandable government need, have little precedent around the world and are likely to do more harm than good.

That said, as we look towards 2019, I have hope that the world will finally come to terms with the fact that it has to find a new way to think about personal privacy—that the notice and consent model that has served us well for so long finally needs to be overhauled. I hope that this will spur the nations of the world to think up new ways to re-design privacy regulations so as to adequately address recent advances in technology such as artificial intelligence, the Internet of Things and neural networks, and to find new ways to reduce their influence on our personal privacy. Despite the fact that the Srikrishna committee seems to have cleaved closely to the European framework, I still have hope that it will be India that leads the way in re-imagining privacy for the digital world. As the world’s largest democracy, we have more at stake than any other nation in the world in actually getting this right.