This year marked a significant shift in global privacy regulation, with the enforcement of Europe’s GDPR and similar laws in other regions. While focusing on consent, the inadequacy of this approach was exposed by tech companies’ practices. In India, the privacy debate intensified with court decisions on Aadhaar and the release of the Justice Srikrishna Committee’s draft bill.
The modern internet has become centralized and controlled by a few powerful corporations, deviating from its original vision of an open and decentralized platform. Tim Berners-Lee, the founding father of the internet, is working on a project called Solid to restore power to users by allowing them to store personal information in personal data stores (PDS) under their control. That said, universally accepted standards for electronic consent and true social graph portability might be a more effective way to balance convenience and data protection.
The recent Supreme Court judgment on Aadhaar has left confusion and dissatisfaction among various stakeholders. While the court upheld the identity scheme, it restricted its scope, leading to uncertainty over the role of the private sector in Aadhaar’s infrastructure. The judgment’s implications on government services and subsidies, many of which rely on private sector authentication, remain unclear, raising concerns about potential negative impacts on pensioners, migrant workers, and microfinance beneficiaries.
The draft Personal Data Protection Bill in India aims to protect children’s online privacy through age verification and parental consent. However, these measures raise concerns about the loss of internet anonymity and practical issues with the age threshold. The Bill’s approach may inadvertently expose children to privacy risks, including those stemming from well-intentioned parental actions, and fails to consider children’s ability to make decisions about their privacy before reaching the age of majority.
Justice Brandeis’ dissent in the matter of Roy Olmstead, emphasises the dangers of unchecked government surveillance and the need for privacy laws to evolve with technology, remains highly relevant, especially in discussions about government exemptions in privacy laws and the balance between using technology for social good and protecting civil liberties.
The Justice Srikrishna Committee’s data protection framework aims to balance individual privacy with the growth of the digital economy, distinct from models in the US, EU, and China. But the committee missed opportunities to encourage de-identified data use and set impractical standards for anonymization. Concerns arise from the draft law’s definition of harm, potentially hindering AI and machine learning applications in social contexts by categorizing service denial based on evaluative decisions as harmful, which could restrict beneficial financial and social inclusion technologies.
The Srikrishna Committee report on India’s new privacy framework has been criticized for seemingly granting the government latitude in state surveillance, including national security exemptions. While similar exemptions are common in global data protection laws, concerns arise from the report’s failure to address practical concerns and the draft Bill’s inability to hold the government accountable for privacy violations. The penalties, designed with private entities in mind, may leave government data fiduciaries without fear of consequence.
The Justice Srikrishna Committee’s report on data protection proposes a user-centric framework, emphasizing data portability and privacy by design. However, its approach to consent, applying product liability principles and creating a complex, multilayered consent framework, may be impractical and burdensome for businesses, particularly startups. These measures, while aiming to enhance privacy, could introduce additional friction for users and businesses, potentially exacerbating consent fatigue.
The US Supreme Court recemtly ruled that collecting cellphone location data without a warrant violated privacy. This case challenges the third-party doctrine, which states that shared personal information has reduced privacy expectations. The ruling highlights the difficulty of applying traditional legal principles to modern technology, particularly regarding data privacy. This case could guide Indian privacy law, emphasizing the need for clear legislative direction on data collection and privacy.
The General Data Protection Regulation (GDPR) came into force on 25 May, affecting entities worldwide that do business with EU citizens. While the regulation has stringent requirements for consent and high penalties for non-compliance, it may have unintended consequences. Large platforms can easily adapt, but smaller entities and start-ups may struggle with the complexity and cost of compliance, potentially leading to a consolidation towards large data platforms and a chilling effect on new ventures.
