This post first appeared in Deccan Herald on January 20, 2018
Last year, we heard about a data breach in ATM networks in India which affected nearly 3.2 million debit cards. This year, we have already seen multiple reports highlighting that the long-disputed Aadhaar project risks the privacy of enrolled individuals. In both situations, an effective data protection law would go a long way in mitigating the misuse of our information. The law would also help us understand what this could mean for us as individuals who may be affected, and how best we can fix the situation.
A Committee of Experts has been set up to recommend data protection laws in India. This committee has called for public inputs to help prepare its recommendations and is holding public consultation meetings across the country.
At the consultation in Delhi, the discussion largely revolved around issues that are typically hot-button issues for the technology industry — questions of whether personal data held by companies in India can be transferred abroad, and how we can ensure that the law doesn’t ‘stifle’ innovation and increase costs for industry. That felt like putting the cart before the horse.
As people working within several stakeholder groups (activists, researchers, lawyers, industry members) are scrambling to prepare responses to the 200-plus questions raised by the committee, it is important that we understand the foundations of data protection law — what we are trying to protect, who should be subject to the law, and what principles the law should incorporate.
Last year, the Supreme Court ruled that the right to privacy is a fundamental right. Informational privacy is an integral part of this right. Any law that provides a framework for the protection of personal data should then work towards protecting this right. The first step towards putting together this law is identifying what qualifies as personal information.
Personal information is, at the basic level, understood to be any information that relates to a person. This includes a wide range of data: traditional data such as names, phone numbers, biometric information and medical information and, at the other end of the spectrum, components of our digital footprint, including IP addresses and search histories.
A look at the history of how this has been dealt with in India shows why we don’t currently have a comprehensive data protection law. The few existing rules we have lack clarity on the nature of data they help protect. The rules under the Information Technology Act, 2000 (the closest thing we have to a data protection law) define personal information. However, the rules are so ambiguous that they undo any good that such a definition may do. In the financial and medical sectors, data protection considerations are typically limited to a generic obligation to maintain confidentiality, without going into what it means.
The law that the committee proposes will apply across industries and organisations that deal with varying types of data about employees, customers, and other individuals. Any definition we adopt must be wide and protect information that identifies a person in any manner, direct or indirect. A look at standard definitions accepted internationally shows that typically, in addition to information that identifies a person, any information that is capable of identifying a person is also considered personal information. This is based on research that shows that even if data is used in an anonymous form it can, in most cases, be used to identify individuals.
A wide definition of personal information helps ensure that as many instances of use of our personal information as possible fall within the ambit of the law. However, it also puts us in a situation where the use of data on both ends of the spectrum is regulated by the same law. Does an anonymous dataset require the same level of regulation as data such as names and fingerprints?
Traditionally, this has been dealt with by defining a set of ‘sensitive’ information, such as medical, biometric and financial information. The use of these kinds of data is subject to stricter regulation. Other jurisdictions that adopt this approach, such as the European Union, typically include information the use of which poses risks to fundamental rights in such a category.
Over the past few years, scholars have also suggested different models to deal with this, for example, designing the law to allow categorisation of data within the spectrum, and selectively apply certain rules depending on where any particular set of data falls. If the data being dealt with can identify a person but doesn’t directly do so, the requirements of notifying individuals to whom it relates wouldn’t apply until the individual is identified. Adopting both these approaches in a considered manner is important.
The data protection law will serve more than just the tech industry. Our data is constantly collected and/or used by several entities, including employers, doctors, hospitals, researchers, and the government and public-sector agencies/companies. Not all of these organisations engage in Big Data analysis. Yet, the scope for misuse of personal information always exists, whether in the form of caste or gender discrimination by an employer, or monetisation and sale of data without permission. While some of these issues can be addressed in sector-specific laws, or in anti-discrimination laws applicable to employers, any data protection law we adopt needs to be comprehensive and ensure that these protections are not undone but rather enhanced.