At the halfway point of our Brainstorm on Data Protection, we sum up some key insights.
Since we began this Brainstorm over a month ago, huge developments have taken place. The most recent is the White Paper of the Committee of Experts under the Chairmanship of Justice B N Srikrishna, bringing us a step closer to imagining what India’s data protection law should look like. As technologists, lawyers and academics all over the nation huddle together to answer the questions in this White Paper, we hope that they find some guidance in the posts from our Brainstorm.
Malavika, Rahul, Saurabh and Nikhil give us a whole range of issues to think about. Kicking off the discussion, Malavika’s post emphasised how any data protection law is only effective if it takes into account ground realities. It is easy to regulate data protection from within shielded ivory towers – but as with any wholesome policy, the regulation must be able to survive implementation. Malavika makes a case for the 70% of Indian population for whom data protection is an alien concept:
I worry that we are developing a blind spot at an important moment for law-making in this area, one that fails to see the wide spectrum of Indians using information and communications technology (ICT). They are not the smartphone-wielding, app-devouring, multiplex-audience-style poster children of modern middle-class India. They are the ones reduced to attractive statistics on slides about the growth of the Indian ‘market’. These Indians form our real mainstream—likely to be part of one of the 67% of Indian households that earn less than Rs 10,000 a month, share a phone among family members, and be first-time users of data-driven services and the internet.
Malavika’s post is grounding, a sharp realisation of what any data law would have to look like to live up to every Indian’s expectation. In her survey, Malavika notes,the average non-English speaking Indian places a lot of trust in the government’s collection of data although they may not know the nitty-gritties of what a law about this would look like. She emphasises how a data protection law must “must take cues from these insights and marry them with the strong academic work that is emerging from regulatory thinkers on data protection.”
As Malavika underscores the responsibility of the government, Rahul offers a novel idea: a data protection regulation that is not shackled by consent. Rahul argues that the notion of consent fails in the data economy in the face of deep information asymmetry:
The reason we are in this anomalous situation is the information asymmetry inherent in the data economy. Between the data subject and the data collector, it is the latter who is more likely to understand how the data being collected will be processed and used, and who will have the ability to control how this data will be used. Data subjects will always provide their consent based on a limited understanding of the facts and the situation. If we are to devise a framework that truly protects personal privacy, it stands to reason that the entity principally responsible for ensuring that privacy is protected is not the data subject but the data controller. We will need to find a mechanism to hold data controllers liable for what they do with the data – particularly when that use results in harm to the data subject.
Instead, the focus should be on accountability. Irrespective of whether the data subject has provided their consent, the controller harnessing all this information must be held accountable for any harm occurring to the subject. Having said that, the data subject’s right to autonomy would continue to be essential to any data protection regulation. Rahul makes a nuanced distinction between the average data subject’s free will and the concept of consent, used as a shield.
Saurabh disagrees with Rahul. He argues that the “addition of such heavy regulation in a sunrise industry would stifle innovation.” As any member of the brooding breed of academics would agree, regulation and innovation are inversely proportional. Regulation is often a scary entry barrier to new players (or ‘disruptors’, as we now venerate them), mostly as it runs the risk of overregulating something too soon. Saurabh’s piece voices this concern:
This is a global world. Imagine how this would disadvantage Indian startups vs US based startups that would simply make their services unavailable in India. Once some of those startups become big, they would create special versions of their products available in India that are subject to Indian regulation. We get the eventual winners and will no longer be a laboratory where new experiments compete. In the process, we lose out on nurturing the next generation of businesses that will evolve in this data-rich world.
Offering a few ideas for informed decision-making, Saurabh proposes:
Segregate the rights that are being asked from a user and the liabilities being protected by the company. The rights that a user is giving up (consent in other words) should be right at the top and numbered. This list won’t be too big and will be comprehensible. The dense liability protection portion can follow… We also need to mandate some sensible defaults in agreements and in applications too. Data should be private by default and not public. Right to be forgotten should be implicit in an account deletion request. User generated content should belong to the user by default.
Solving for data protection on an ambiguous, umbrella scale might still be too simple a solution. Shouldn’t different sectors be plated with unique sectoral guidelines? Which sectors should receive special attention? Saurabh’s piece is helpful. He proposes that device makers, internet service providers and telecommunications companies be given special attention. Highlighting that data retention – a huge risk to personal privacy – is still legitimate in India, and that data breaches ought to be informed to the subject, Saurabh’s piece leaves us with a lot to think about.
Nikhil knocks it out of the park with his 8-point agenda for lawmakers working on data protection. From data generation to data disposal and even data classification, Nikhil charts out what a wholesome lifecycle of a data point looks like. Though beginning on a sobering realisation of how far we are from an ideal world where privacy is power, Nikhil ends his piece on a hopeful note:
The fatalistic attitude towards data, that I pointed towards at the beginning of this post, is misplaced: just because we’re living in an era where there’s massive data generation and collection, doesn’t mean that we can’t take steps towards fixing the situation. If anything, our past must inform our future. We need more tape, and not just on our webcams and microphones. Start with addressing data generation and collection.
The next round of this Brainstorm will be a series of rebuttals, or even stray follow-up thoughts on this subject.