Privacy

The Justice Srikrishna Committee’s data protection framework aims to balance individual privacy with the growth of the digital economy, distinct from models in the US, EU, and China. But the committee missed opportunities to encourage de-identified data use and set impractical standards for anonymization. Concerns arise from the draft law’s definition of harm, potentially hindering AI and machine learning applications in social contexts by categorizing service denial based on evaluative decisions as harmful, which could restrict beneficial financial and social inclusion technologies.

The Srikrishna Committee report on India’s new privacy framework has been criticized for seemingly granting the government latitude in state surveillance, including national security exemptions. While similar exemptions are common in global data protection laws, concerns arise from the report’s failure to address practical concerns and the draft Bill’s inability to hold the government accountable for privacy violations. The penalties, designed with private entities in mind, may leave government data fiduciaries without fear of consequence.

The Justice Srikrishna Committee’s report on data protection proposes a user-centric framework, emphasizing data portability and privacy by design. However, its approach to consent, applying product liability principles and creating a complex, multilayered consent framework, may be impractical and burdensome for businesses, particularly startups. These measures, while aiming to enhance privacy, could introduce additional friction for users and businesses, potentially exacerbating consent fatigue.

The US Supreme Court recemtly ruled that collecting cellphone location data without a warrant violated privacy. This case challenges the third-party doctrine, which states that shared personal information has reduced privacy expectations. The ruling highlights the difficulty of applying traditional legal principles to modern technology, particularly regarding data privacy. This case could guide Indian privacy law, emphasizing the need for clear legislative direction on data collection and privacy.

The General Data Protection Regulation (GDPR) came into force on 25 May, affecting entities worldwide that do business with EU citizens. While the regulation has stringent requirements for consent and high penalties for non-compliance, it may have unintended consequences. Large platforms can easily adapt, but smaller entities and start-ups may struggle with the complexity and cost of compliance, potentially leading to a consolidation towards large data platforms and a chilling effect on new ventures.

The draft Digital Information Security in Healthcare Act aims to regulate the use of digital health data, emphasizing patient consent and privacy. It allows anonymized data for public health research but restricts commercial use. However, its timing is questionable, as it precedes the anticipated overarching national data protection framework, potentially leading to inconsistencies in privacy regulations across sectors.

There is no need for India to adopt GDPR-like data protection laws as it will hinder local innovation. Historically speaking countries took their time to arrive at a standardised approach to IP law and we need to follow a similar approach - taking a tailored approach to data regulation that balances protection with fostering its burgeoning data industry.

That consent to the Facebook privacy policy could be used as a defence against the consequences of the Cambridge Analytica incident is an indication that consent cannot be our primary safeguard. The accountability framework is the only effective alternative to consent.

In early 1800s America, credit was based on personal familiarity. Lewis Tappan revolutionized this by selling credit ratings, leading to the birth of credit reporting agencies. Today, these agencies hold extensive personal data, influencing major life decisions. India, formulating its first privacy legislation, faces a similar choice: regulate data collectors or empower individuals to control their data usage.

The RBI Committee on Household Finance recommends the use of fintech to build the customisable, scalable solutions we need to benefit households.