Privacy

The Justice Srikrishna Committee’s report on data protection proposes a user-centric framework, emphasizing data portability and privacy by design. However, its approach to consent, applying product liability principles and creating a complex, multilayered consent framework, may be impractical and burdensome for businesses, particularly startups. These measures, while aiming to enhance privacy, could introduce additional friction for users and businesses, potentially exacerbating consent fatigue.

The US Supreme Court recemtly ruled that collecting cellphone location data without a warrant violated privacy. This case challenges the third-party doctrine, which states that shared personal information has reduced privacy expectations. The ruling highlights the difficulty of applying traditional legal principles to modern technology, particularly regarding data privacy. This case could guide Indian privacy law, emphasizing the need for clear legislative direction on data collection and privacy.

The General Data Protection Regulation (GDPR) came into force on 25 May, affecting entities worldwide that do business with EU citizens. While the regulation has stringent requirements for consent and high penalties for non-compliance, it may have unintended consequences. Large platforms can easily adapt, but smaller entities and start-ups may struggle with the complexity and cost of compliance, potentially leading to a consolidation towards large data platforms and a chilling effect on new ventures.

The draft Digital Information Security in Healthcare Act aims to regulate the use of digital health data, emphasizing patient consent and privacy. It allows anonymized data for public health research but restricts commercial use. However, its timing is questionable, as it precedes the anticipated overarching national data protection framework, potentially leading to inconsistencies in privacy regulations across sectors.

There is no need for India to adopt GDPR-like data protection laws as it will hinder local innovation. Historically speaking countries took their time to arrive at a standardised approach to IP law and we need to follow a similar approach - taking a tailored approach to data regulation that balances protection with fostering its burgeoning data industry.

That consent to the Facebook privacy policy could be used as a defence against the consequences of the Cambridge Analytica incident is an indication that consent cannot be our primary safeguard. The accountability framework is the only effective alternative to consent.

In early 1800s America, credit was based on personal familiarity. Lewis Tappan revolutionized this by selling credit ratings, leading to the birth of credit reporting agencies. Today, these agencies hold extensive personal data, influencing major life decisions. India, formulating its first privacy legislation, faces a similar choice: regulate data collectors or empower individuals to control their data usage.

The RBI Committee on Household Finance recommends the use of fintech to build the customisable, scalable solutions we need to benefit households.

The Supreme Court of India’s decision in Puttuswamy v. Union of India affirmed the fundamental right to privacy, resolving inconsistencies in previous rulings. While the judgment is celebrated for its nuance, I am concerned that the consent-based framework might hinder the benefits of modern technology.

We rely on technology for daily tasks - from timely reminders to personalized entertainment suggestions. While this personalization offers convenience and informed decision-making, it raises privacy concerns. The proposed privacy law shifts responsibility from individual consent to data controllers, ensuring no harm from data processing. This includes financial, reputational, or choice-related harms, especially from biased machine learning algorithms. The law suggests regular data audits by learned intermediaries, moving towards privacy compliance through incentives rather than penalties.