Digital data is a subset of the many kinds of information about an individual that, when made public, would violate that individual’s fundamental right to privacy, inherent in a combination of the fundamental rights specifically guaranteed by the Constitution, as affirmed by the Supreme Court in its famous 2017 Puttaswamy judgment. It would make sense for the government to first codify the right to privacy; its scope and limits; the conditions and extent to which it can be breached under certain circumstances; the proper procedure for such breach; and procedures for holding the executive to account for such breach of privacy. Once we have a statute on privacy, it would become easier to fashion a law on data protection that protects privacy.
Some of the most controversial provisions of the bill that has now been withdrawn relate to the extent of individual data subjects’ ownership over their own data; the government’s access to individual data without the data subject’s consent; the statutory autonomy or lack of it of the proposed data protection authority; and lack of clarity on what exactly constitutes non-personal data and localization of data storage. Regulation of social media platforms and reporting of data breaches are related issues, too.
Last week, Alphabet’s savvy buy in London, the artificial intelligence company DeepMind, announced that researchers around the world have used its AI program AlphaFold to predict the three-dimensional structures of 200 million proteins, each of which is made up of 20 amino acids in different permutations and combinations. Artificial Intelligence (AI) is fast becoming a major factor in scientific and technological advance, besides in business competitiveness. AI is based on availability of data. Should the data protection bill consider making data available for training AI or for other applications?
Data privacy advocates are aghast at the notion that data availability for non-personal purposes such as the collective good of humanity should be a consideration while framing laws on data protection. We are not. Depersonalised data should be available for creating large data sets for further use in science and commerce. But for that, depersonalisation should be truly effective, beyond the ability of hacking nerds to trace datasets back to their individual origins. The standards for this should be specified in the rules to the law, while non-traceability back to individual data subjects should be part of the statute.
You might also like
Does RBI policy need the attention it gets?
Pelosi’s Taiwan visit presents an opportunity for India
How is tax calculated on sale of apartment?
India’s oldest wealth portal grew 7 times in 2 years
Once this is done, it would be possible to override personal autonomy over data to make data available for legitimate purposes. Take rare diseases, which afflict some 6% of Indians. There are 7,000 or so identified worldwide, while India recognizes 450, seven alone of which are curable, while the rest have to be content with medication for symptomatic relief. Suppose every sufferer of a rare disease, say Gaucher, in which fat deposits build up in assorted organs to cause serious, painful dysfunction, decides their individual privacy is more important than the prospect of data on their condition and treatment delivering a future cure. That would rule out the possibility of a future cure. We regulate gambling and the use of mind-altering drugs, because we accept that individuals are not always the best judges of their own interest. Why should there be an asymmetric view on individual judgment on making anonymized data available? Credit scores would be impossible, for example, if absolute individual data sovereignty were to be instituted and loan agreements precluded from sharing information on debt servicing with the likes of CIBIL. The bottom line is that personalized data should not be accessed without the data subject’s consent—except when there are valid considerations.
The Supreme Court has outlined conditions such as necessity, purpose, proportionality and due process for accessing an individual’s data without their consent. Suppose law enforcement detects a terror plot and decides to surveil some key suspects, monitoring their voice and data transmissions and physical movements. In a situation in which the selection of suspects is fair, few would quibble over granting the requisite permission.
This brings us to the tricky question of the state’s access to private data. The bill that has been junked gave the state sweeping powers to access personal data. This must be stopped. The conditions of necessity, purpose, proportionality and due process must be met, while the state acquires the right to breach any individual’s personal data. Due process must be a judicial order, obtained from a high court. Due process must include subsequent accountability to a committee of the legislature. The present practice of spooks deciding to surveil anyone of their choice for any length of time, without disclosure to anyone and without accountability for the results of such surveillance, should not be allowed to continue.
The data protection authority should be appointed the way the Comptroller and Auditor General is appointed, and should be accountable to a committee of the legislature, rather than to the executive.
Data localization has its merits. It should not be the case that Indian authorities cannot access data on Indian citizens when criminal or financial investigation calls for it. If Neerav Modi’s data is stored in some Caribbean island, he might more effectively elude justice than otherwise. If their data is stored in other jurisdictions such access can be blocked or delayed. But the current insistence of the government that data on Indians should be stored only in India is excessive. While data on Indian citizens should be stored in India, there is no reason why such data cannot be mirrored abroad, in jurisdictions that maintain the data protection standards that India adopts for itself.
India needs a comprehensive new law on data protection, preceded by and compliant with, a code on privacy—the sooner, the better.
Elsewhere in Mint
In Opinion, Manu Joseph replies to free-speech warriors. Mythili Bhusnurmath says MPC is out on a wing and a prayer. Long Story has a cheeky take on the jargon of stock market.
