The accountability framework

June 29, 2016

The consent-based model of data protection is outdated and ineffective in the modern, interconnected world. We need to shift from focusing on obtaining consent to holding organizations accountable for the data they control. India, lacking a formal privacy law, has a unique opportunity to develop a modern privacy law centered on accountability, which could serve as a model for the rest of the world.

This article was first published in The Mint. You can read the original at this link.

Hardly a day goes by when I don’t meet someone who is looking to build a business that seeks to either leverage the Aadhaar infrastructure or otherwise looks to tap the vast volumes of personal data available online today. Early on in those meetings, the discussion moves to the privacy impact of the business. Which is when the conversation flounders.

India has no formal privacy law. Instead, it has eight Privacy Rules (a set of discombobulated regulations enacted, in my view, in excess of the government’s executive authority) under the Information Technology Act, 2000. These rules attempt to protect individual privacy by erecting a barricade of consent-based regulations around personal data. Businesses that collect personal data must first obtain the permission of the subject and must continue to rely on informed consent through the various stages of processing and transfer of that data.

In adopting this form of consent-based regulation, India is, by no means, an outlier. Ever since the European Database Directive was issued in 1984, prior consent has been one of the cornerstones of privacy laws around the world. In the 1980s, this was a good idea. Given the smaller volumes of data that companies needed to deal with, making prior permission a pre-condition to collection was eminently workable. However, the Internet has since grown into a vast borderless network that is so ubiquitous that it has been elevated to an essential utility in many countries. In this connected world, any requirement to preface all online interactions with prior consent is an inconvenient bottleneck. What’s more, given the sheer volume of data that passes through the modern Internet every second, I would question whether any consent that we actually obtain is meaningful.

If you layer on top of this technologies like the Internet of Things, Cognitive Computing, augmented reality and big data, all of which are fast entering the mainstream, it rapidly becomes clear how woefully under-equipped the prior consent privacy model is. We are already surrounded by connected devices and online services that collect our personal data in real-time and pass it on to neural networks and big data algorithms to process, package and act on. Even if all these technologies actually procure consent before collecting our data, given the exponentially escalating combinations in which they can be interlinked, it will be impossible to determine who obtained consent and for what original purpose.

There is yet another troubling consequence of these new technologies and that has to do with data metamorphosis. Privacy laws only apply to categories of data that are capable of identifying you (broadly referred to as “personal data"). If the data is not capable of identifying you, it falls outside the purview of the data protection law and can be collected freely. However, when multiple devices collect individually Non-Personal Data and then pool them together, it is possible—likely even—that all those separate anonymous tit-bits of data could be combined to create an accurate personal profile of you. This transformation of data from a piece of innocuous and anonymous information into clearly identifiable personal, sensitive data is the truly worrisome aspect of connected computing.

It is clear to me that the consent-based model of data protection is dead. We need to accept that the machines we rely on to make our lives easier will collect our personal data without our consent and for purposes other than what was originally intended. It is futile to try to control this data using tools that used to work in an earlier, less data-intensive world. We need, instead, to shift our regulatory focus to data accountability.

This means worrying less about whether the technologies that collect data took our permission before collection, and instead looking to make organizations behind these technologies more accountable for the data that they control, regardless of who collected the data or where it resides. Data controllers should be able to demonstrate that they have analysed and understood the risk that their practices pose for data subjects and to explain how their processes include meaningful privacy safeguards. And they should be held accountable for the failure of these processes to prevent a breach of privacy.

While I have publicly bemoaned the fact that India does not yet have a privacy statute, it does in fact place us in the unique position of being able to leapfrog conventional wisdom and ignore the traditional consent-based model in favour of accountability. While the rest of the world grapples with how to adapt their old laws to become more relevant to the modern age, bereft of any such baggage, we have the opportunity to develop a modern privacy law that can be a model for the rest of the world.