India should make clear laws on data collection

The US Supreme Court recently ruled that collecting cellphone location data without a warrant violated privacy. This case challenges the third-party doctrine, which states that shared personal information has reduced privacy expectations. The ruling highlights the difficulty of applying traditional legal principles to modern technology, particularly regarding data privacy. This case could guide Indian privacy law, emphasizing the need for clear legislative direction on data collection and privacy.

This article was first published in The Mint.

Last week, the US Supreme Court delivered its long-awaited judgement in the case of Carpenter v. United States, a decision that will, hereafter, influence the way we think about privacy and surveillance anywhere in the connected world. While the judgement largely addresses the peculiarities of US privacy jurisprudence, the issues that it deals with carry a broader message about the problems with trying to regulate modern technology using traditional principles of law.

The case involved a cellphone burglar named Timothy Carpenter who, in December 2010, carried out a series of robberies targeting a number of T-Mobile and RadioShack stores across Michigan and Ohio. For someone whose speciality was purloining mobile devices, it is deeply ironic that Carpenter was eventually caught and convicted on the evidence of his own smartphone. The Federal Bureau of Investigation (FBI) used the information it gathered from various mobile towers that his cellphone pinged over a period in excess of 100 days, using the location data they collected to place him in the vicinity of the stores that had been burgled. Instead of getting a warrant, they procured this data under the Stored Communications Act, a US statute that allowed the government to compel the disclosure of certain telecommunications records when there were reasonable grounds to believe that they were relevant and material to a criminal investigation.

Carpenter appealed against this use of his data, arguing that the collection of his personal location data without a warrant was an unacceptable violation of personal privacy. The US Court of Appeals disagreed, relying on the third-party doctrine to state that Carpenter had no reasonable expectation of privacy in the data once he shared that information with his telecom service provider. This issue was referred on appeal to the US Supreme Court and, in a narrow 5-4 verdict, the court held that Carpenter’s privacy had, in fact, been violated.

The primary issue is the conflict between two different lines of privacy cases in America. On one hand, the extended tracking of location information is clearly understood to be a violation of personal privacy. However, at the same time, there is another series of cases that laid down the third-party doctrine that states that if an individual has shared his personal information with someone else, he has a reduced expectation of privacy over that information. Thus, even though the collection of location data without a warrant was a violation of Carpenter’s privacy, the fact that he had shared this data with his telecom company meant that he could no longer expect to enjoy the same level of privacy in it.

Even though this issue is very uniquely American in its nuance, the case is a perfect example of one of the most significant challenges with technology regulation generally. As new technologies come on stream, they make it difficult to apply traditional jurisprudential principles. The third-party doctrine had been developed in the context of collecting personal information about a customer that had been shared with the bank. It made it clear that just because this financial data had been given to the bank, the customer could no longer expect it to be treated as private. This means that law-enforcement agencies could procure this information without violation of the personal privacy of the customer.

The privacy risk posed by collecting this sort of information is quantitatively different from that which results from collecting location data from the modern mobile phone. Today’s phones ping their towers multiple times a minute—even when the phone is not being used. Unlike bank transactions, of which there are hardly likely to be more than a few in a day, triangulated data from cellular phone towers generate a near constant stream of location information that can accurately pinpoint the location of a person throughout the day.

Given the volume and granularity of information that can be generated and collected by various players in the digital ecosystem, the third-party doctrine has clearly outlived its utility. Thanks to the explosion of cloud services, vast amounts of our data are even now being stored on some platform or the other. Similarly, with the rise in Internet of Things devices and wearable computing, more and more of our personal information is collected, analysed and shared by third-party services from whom this information can easily be collected and used. To say that we have no right to privacy in that data would be deeply troubling.

Indian courts have yet to engage with these nuances of privacy law even though the Puttaswamy judgement does refer to the challenges we can expect in the age of connected devices. I can see how law enforcement agencies in India will be keen to apply the third-party doctrine wherever they can in order to leverage the vast amount of data that could potentially be available to them. Even though our jurisprudence is, at present, significantly different from the US, the Carpenter judgement may well be able to provide guidance as to how these issues of personal privacy ought to be addressed.

It should not be up to the Indian courts to formulate these rules. Instead, now that we know how other countries deal with these issues, our Parliament should take it upon itself to enact suitable legislations that make clear what can and cannot be collected. Maybe we could even include this in our forthcoming privacy law.