Privacy

The effectiveness of consent in protecting privacy is diminishing in our data-rich world. A study found that companies’ privacy policies and actual data sharing practices are inconsistent, with technically sophisticated firms sharing less data. A digital consent framework, exemplified by India’s account aggregator system, could enhance privacy protection by allowing dynamic, informed consent, but it currently lacks features to fully ensure privacy, such as purpose limitation and data deletion upon consent revocation. Enhancements to this framework could restore faith in consent as a tool for privacy protection.

Given the extensive surveillance efforts by the US and UK governments, as revealed by Edward Snowden, there has been a push for data localization laws in various countries. We need to question the effectiveness of mass data collection in preventing terrorism since the growing volume of data may render such efforts futile. At the same time we need to question the approach of data localization, given the difficulty in extracting actionable intelligence from vast amounts of information.

Historically, privacy was a luxury for the wealthy, who could afford private spaces and crafted distinct social personas. As society’s economic well-being improved, privacy became a societal expectation. Today, however, the rise of data-driven businesses threatens this privacy. Since privacy is rooted in capitalist interests, its preservation now conflicts with the commercial benefits of exploiting personal data. To protect privacy, we must establish commercial disincentives that outweigh the financial benefits of exploiting personal data.

The public credit registry (PCR), a centralized credit information system, would improve data quality and help borrowers build reputational collateral. However, a PCR alone isn’t sufficient; lenders also need information on borrowers’ financial assets. The Reserve Bank of India’s account aggregator infrastructure addresses this by allowing borrowers to share financial asset information securely and with consent. While this system limits data misuse, it requires robust legal frameworks to ensure data is used only for intended purposes.

Mobile phones provide opportunities to obtain real-time movement information, aiding in crisis management like tracking disease spread. However, the balance between utilizing this data and ensuring privacy is complex. Current anonymization methods are inadequate, and conscientious use obligations may be a more effective approach to protect privacy.

This year marked a significant shift in global privacy regulation, with the enforcement of Europe’s GDPR and similar laws in other regions. While focusing on consent, the inadequacy of this approach was exposed by tech companies’ practices. In India, the privacy debate intensified with court decisions on Aadhaar and the release of the Justice Srikrishna Committee’s draft bill.

The modern internet has become centralized and controlled by a few powerful corporations, deviating from its original vision of an open and decentralized platform. Tim Berners-Lee, the founding father of the internet, is working on a project called Solid to restore power to users by allowing them to store personal information in personal data stores (PDS) under their control. That said, universally accepted standards for electronic consent and true social graph portability might be a more effective way to balance convenience and data protection.

The recent Supreme Court judgment on Aadhaar has left confusion and dissatisfaction among various stakeholders. While the court upheld the identity scheme, it restricted its scope, leading to uncertainty over the role of the private sector in Aadhaar’s infrastructure. The judgment’s implications on government services and subsidies, many of which rely on private sector authentication, remain unclear, raising concerns about potential negative impacts on pensioners, migrant workers, and microfinance beneficiaries.

The draft Personal Data Protection Bill in India aims to protect children’s online privacy through age verification and parental consent. However, these measures raise concerns about the loss of internet anonymity and practical issues with the age threshold. The Bill’s approach may inadvertently expose children to privacy risks, including those stemming from well-intentioned parental actions, and fails to consider children’s ability to make decisions about their privacy before reaching the age of majority.

Justice Brandeis’ dissent in the matter of Roy Olmstead, emphasises the dangers of unchecked government surveillance and the need for privacy laws to evolve with technology, remains highly relevant, especially in discussions about government exemptions in privacy laws and the balance between using technology for social good and protecting civil liberties.