India is in the midst of establishing a robust data governance framework, which will impact the rights and liabilities of all key stakeholders – the government, private entities, and citizens at large. As a parliamentary committee debates its first personal data protection legislation (‘PDPB 2019’), proposals for the regulation of non-personal data and a data empowerment and protection architecture are already underway.
As data processing capabilities continue to evolve at a feverish pace, basic data protection regulations like the PDPB 2019 might not be sufficient to address new challenges. For example, big data analytics renders traditional notions of consent meaningless as users have no knowledge of how such algorithms behave and what determinations are made about them by such technology.
Creative data governance models, which are aimed at reversing the power dynamics in the larger data economy are the need of the hour. Recognising these challenges policymakers are driving the conversation on data governance in the right direction. However, they might be missing out on crucial experiments being run in other parts of the world.
As users of digital products and services increasingly lose control over data flows, various new models of data governance are being recommended for example, data trusts, data cooperatives, and data commons. Out of these, one of the most promising new models of data governance is – data trusts.
(For the purposes of this blog post, I’ll be using the phrase data processors as an umbrella term to cover data fiduciaries/controllers and data processors in the legal sense. The word users is meant to include all data principals/subjects.)
What are data trusts?
Though there are various definitions of data trusts, one which is helpful in understanding the concept is – ‘data trusts are intermediaries that aggregate user interests and represent them more effectively vis-à-vis data processors.’
To solve the information asymmetries and power imbalances between users and data processors, data trusts will act as facilitators of data flow between the two parties, but on the terms of the users. Data trusts will act in fiduciary duty and in the best interests of its members. They will have the requisite legal and technical knowledge to act on behalf of users. Instead of users making potentially ill-informed decisions over data processing, data trusts will make such decisions on their behalf, based on pre-decided factors like a bar on third-party sharing, and in their best interests. For example, data trusts to users can be what mutual fund managers are to potential investors in capital markets.
Currently, in a typical transaction in the data economy, if users wish to use a particular digital service, neither do they have the knowledge to understand the possible privacy risks nor the negotiation powers for change. Data trusts with a fiduciary responsibility towards users, specialised knowledge, and multiple members might be successful in tilting back the power dynamics in favour of users. Data trusts might be relevant from the perspective of both the protection and controlled sharing of personal as well as non-personal data.
(MeitY’s Non-Personal Data Governance Framework introduces the concept of data trustees and data trusts in India’s larger data governance and regulatory framework. But, this applies only to the governance of ‘non-personal data’ and not personal data, as being recommended here. CCG’s comments on MeitY’s Non-Personal Data Governance Framework, can be accessed – here)
Challenges with data trusts
Though creative solutions like data trusts seem promising in theory, they must be thoroughly tested and experimented with before wide-scale implementation. Firstly, such a new form of trusts, where the subject matter of the trust is data, is not envisaged by Indian law (see section 8 of the Indian Trusts Act, 1882, which provides for only property to be the subject matter of a trust). Current and even proposed regulatory structures don’t account for the regulation of institutions like data trusts (the non-personal data governance framework proposes data trusts, but only as data sharing institutions and not as data managers or data stewards, as being suggested here). Thus, data trusts will need to be codified into Indian law to be an operative model.
Secondly, data processors might not embrace the notion of data trusts, as it may result in loss of market power. Larger tech companies, who have existing stores of data on numerous users may not be sufficiently incentivised to engage with models of data trusts. Structures will need to be built in a way that data processors are incentivised to participate in such novel data governance models.
Thirdly, the business or operational models for data trusts will need to be aligned to their members i.e. users. Data trusts will require money to operate – for profit entities may not have the best interests of users in mind. Subscription based models, whether for profit or not, might fail as users are habitual to free services. Donation based models might need to be monitored closely for added transparency and accountability.
Lastly, other issues like creation of technical specifications for data sharing and security, contours of consent, and whether data trusts will help in data sharing with the government, will need to be accounted for.
Privacy centric data governance models
At this early stage of developing data governance frameworks suited to Indian needs, policymakers are at a crucial juncture of experimenting with different models. These models must be centred around the protection and preservation of privacy rights of Indians, both from private and public entities. Privacy must also be read in its expansive definition as provided by the Supreme Court in JusticeK.S. Puttaswamy vs. Union of India. The autonomy, choice, and control over informational privacy are crucial to the Supreme Court’s interpretation of privacy.
(CCG’s privacy law database that tracks privacy jurisprudence globally and currently contains information from India and Europe, can be accessed – here)
The Centre’s Non Personal Data Report proposes a policy framework to regulate the use of anonymised data used by Big Tech companies. The question now is: how well do its recommendations meet up to the challenges of regulating non-personal data, amidst a regulatory lacuna for the same? Shashank Mohan of the Centre for Communication Governance explores how concepts of collective privacy and data trusts lie at the forefront of India’s future frameworks for digital governance.
By Shashank Mohan
This post first appeared on The Bastion on September 13, 2020
In the past few years, it has become common knowledge that Big Tech companies like Facebook, Google, and Amazon rely on the exploitation of user data to offer seemingly free services. These companies typically use business models that rely on third party advertising to profit off this data. In exchange for their services, we hand over our data without much control or choice in the transaction.
In response to the privacy threats posed by such business models, countries around the world have been strengthening and enacting data privacy laws. India is currently debating its own personal data protection law, which is loosely based on the benchmark EU data protection law–the General Data Protection Regulation (GDPR). More recently, attention has shifted to the regulation of non-personal data as well. The Indian Government recently released a report on the Non-Personal Data Governance Framework (NPD Report).
But, why do we need to regulate non-personal data?
While progress on the regulation of personal data is necessary and laudable, in the era of Big Data and machine learning, tech companies no longer need to solely rely on processing our personally identifiable data (personal data) to profile or track users. With newer developments in data analytics, they can find patterns and target us using seemingly innocuous data that may be aggregated or anonymised, but doesn’t need to be identifiable.
For example, they only need to know that I am a brown male in the age range of 25-35, from New Delhi, looking for shoes, and not necessarily my name or my phone number. All of this is “non-personal” data as it’s not linked to my personal identity.
Clearly, tech companies extract value from their service offerings using advanced data analytics and machine learning algorithms which rummage through both personal and non-personal data. This shift to harnessing non-identifiable/anonymised/aggregated data creates a lacuna in the governance of data, as traditionally, data protection laws like the GDPR have focused on identifiable data and giving an individual control over their personal data.
So, among other economic proposals, the NPD Report proposes a policy framework to regulate such anonymised data, to fill this lacuna. The question now is: how well do its recommendations meet up to the challenges of regulating non-personal data?
How Does The Government Define Non-Personal Data?
The NPD Report proposes the regulation of non-personal data, which it defines as data that is never related to an identifiable person, such as data on weather conditions, or personal (identifiable) data which has been rendered anonymous by applying certain technological techniques (such as data anonymisation). The report also recommends the mandatory cross-sharing of this non-personal data between companies, communities of individuals, and the government. The purpose for which this data may be mandated to be shared falls under three broad buckets: national security, community benefit, and promoting market competition.
However, if such data is not related to an identifiable individual, then how can it be protected under personal data privacy laws?
To address these challenges in part, the report introduces two key concepts: collective privacy and data trusts.
The NPD Report defines collective privacy as a right emanating from a community or group of people that are bound by common interests and purposes. It recommends that communities or a group of people exercise control over their non-personal data–which is distinct from an individual exercising control of their personal data–and do so via an appropriate nominee called a data trustee, who would exercise their privacy rights on behalf of the entire community. These two interconnected concepts of collective privacy and data trusteeship merit deeper exploration, due to their significant impact on how we view privacy rights in the digital age.
What is Collective Privacy and How Shall We Protect It?
The concept of collective privacy shifts the focus from an individual controlling their privacy rights, to a group or a community having data rights as a whole. In the age of Big Data analytics, the NPD Report does well to discuss the risks of collective privacy harms to groups of people or communities. It is essential to look beyond traditional notions of privacy centered around an individual, as Big Data analytical tools rarely focus on individuals, but on drawing insights at the group level, or on “the crowd” of technology users.
In a revealing example from 2013, data processors who accessed New York City’s taxi trip data (including trip dates and times) were able to infer with a degree of accuracy whether a taxi driver was a devout Muslim or not, even though data on the taxi licenses and medallion numbers had been anonymised. Data processors linked pauses in taxi trips with adherence to regularly timed prayer timings to arrive at their conclusion. Such findings and classifications may result in heightened surveillance or discrimination for such groups or communities as a whole.
An example of such a community in the report itself is of people suffering from a socially stigmatised disease who happen to reside in a particular locality in a city. It might be in the interest of such a community to keep details about their ailment and residence private, as even anonymised data pointing to their general whereabouts could lead to harassment and the violation of their privacy.
In such cases, harms arise not specifically to an individual, but to a group or community as a whole. Even if data is anonymised (and rendered completely un-identifiable), insights drawn at a group level help decipher patterns and enable profiling at the macro level.
However, the community suffering from the disease might also see some value in sharing limited, anonymised data on themselves with certain third parties; for example, with experts conducting medical research to find a cure to the disease. Such a group may nominate a data trustee–as envisioned by the NPD Report–who facilitates the exchange of non-personal data on their behalf, and takes their privacy interests into account with relevant data processors.
This model of data trusteeship is thus clearly envisioned as a novel intermediary relationship–distinct from traditional notions of a legal trust or trustee for the management of property–between users and data trustees to facilitate the proper exchange of data, and protect users against privacy harms like large-scale profiling and behavioral manipulation.
But, what makes data trusts unique?
Are Data Trusts the New ‘Mutual Funds’?
Currently, data processors process a wide-range of data–both personal and non-personal–about users, without providing them accessible information about how they use or collect it. These users, if they wish to use services offered by data processors, do not have any negotiating powers over the collection or processing of their data. This results in information asymmetries and power imbalances between both parties, without much recourse to users–especially in terms of non-personal data which is not covered by personal data protection laws like the GDPR, or India’s Draft Personal Data Protection Bill.
Data trusts can help solve the challenges arising during everyday data transactions taking place on the Internet. Acting as experts on behalf of users, they may be in a better position to negotiate for privacy-respecting practices as compared to individual users. By standardising data sharing practices like data anonymisation and demanding transparency in data usage, data trusts may also be better placed to protect collective privacy rights as compared to an unstructured community. One of the first recommendations to establish data trusts in the public fora came from the UK Government’s independent report from 2017, ‘Growing the artificial intelligence industry in the UK’, which recommended the establishment of data trusts for increased access to data for AI systems.
Simply put: data trusts might be akin to mutual fund managers, as they facilitate complex investments on behalf of and in the best interests of their individual investors.
The Fault in Our Data Sarkaar
Since data trusts are still untested at a large scale, certain challenges need to be anticipated at the time of their conceptualisation, which the NPD Report does not take account of.
For example, in some cases, the report suggests that the role of the data trustee could be assumed by an arm of the government. The Ministry of Health and Family Welfare, for instance, could act as a trustee for all data on diabetes for Indian citizens.
However, the government acting as a data trustee raises important questions of conflict of interest–after all, government agencies might utilise relevant non-personal data for the profiling of citizens. The NPD Report doesn’t provide solutions for such challenges.
Additionally, the NPD Report doesn’t clarify the ambiguity in the relationship between data trusts and data trustees, adding to the complexity of its recommendations. While the report envisions data trusts as institutional structures purely for the sharing of given data sets, it defines data trustees as agents of ‘predetermined’ communities who are tasked with protecting their data rights.
Broadly, this is just like how commodities (like stocks or gold) are traded over an exchange (such as data trusts) while agents such as stockbrokers (or data trustees) assist investors in making their investments. This is distinct from how Indian law treats traditional conceptions of trusts and trustees, and might require fresh law for its creation.
In terms of the exchange of non-personal data, possibly both these tasks–that is, facilitating data sharing and protecting data rights of communities/groups–can be delegated to just one entity: data trusts. Individuals who do not form part of any ‘predetermined’ community–and thus may not find themselves represented by an appropriate trustee–may also benefit from such hybrid data trusts for the protection of their data rights.
Clearly, multiple cautionary steps need to be in place for data trusts to work, and for the privacy of millions to be protected–steps yet to be fully disclosed in the Report.
Firstly, there is a need for legal and regulatory mechanisms that will ensure that these trusts genuinely represent the best interests of their members. Without a strong alignment with regulatory policies, data trusts might enable the further exploitation of data, rather than bringing about reforms in data governance. Borrowing from traditional laws on trusts, a genuine representation of interests can be ensured by placing a legal obligation–in the form of an enforceable trust deed– on the trust of a fiduciary duty (or duty of care) towards its members.
Secondly, data trusts will require money to operate, and developing funding models that ensure the independence of trusts and also serve their members’ best interests. Various models will need to be tested before implementation, including government funded data trusts and user-subscription based systems.
Thirdly, big questions about the transparency of data trusts remain. As these institutions may be the focal point of data exchange in India, ensuring their independence and accountability will be crucial. Auditing, continuous reviews, and reporting mechanisms will need to be enmeshed in future regulation to ensure the accountability of data trusts.
Privacy Rights Must Be Paramount
As the law tries to keep pace with technology in India, recognising new spheres which require immediate attention, like the challenges of collective privacy, becomes pertinent for policymakers. The NPD Report takes momentous strides in recognising some of these challenges which require swift redressal, but fails to take into consideration emerging scholarship on the autonomy, transparency, and strength of its proposed data trusts.
For example, large data processors will need to be incentivised to engage with data trusts. Smaller businesses may engage with data trusts easily considering the newfound easy access to large amounts of data. But, it might be difficult to incentivise Big Tech companies to engage with such structures, due to their existing stores of wide-scale data on millions of users. This is where the government will need to go back to the drawing board and engage with multiple stakeholders to ensure that innovation goes hand in hand with a privacy respecting data governance framework. Novel solutions like data trusts should be tested with pilot projects, before being baked into formal policy or law.
More than three years after India’s Supreme Court reaffirmed the right to privacy as intrinsic to human existence and a guarantee under the Indian Constitution, government policy continues to treat data–whether personal or non-personal–as a resource to be ‘mined’. In this atmosphere, to meaningfully recognise the right to privacy and self-determination, the government must lay down a data governance framework which seeks to protect the rights of users (or data providers), lays down principles of transparency and accountability, and establishes strong institutions for enforcement of the law.
(This post is in context of the report released by the Committee of Experts on Personal Data Governance Framework, as constituted by the Ministry of Electronics and Information Technology. CCG’s comments on the report can be accessed here)
Health experts warn that contact tracing works best in situations where infection rates are low and there is widespread testing.
By Shashank Mohan
This post first appeared on Scroll.in on May 12, 2020
Publicity material for Aarogya Setu | @AarogyaSetu via Twitter
On May 1, the Ministry of Home Affairs extended India’s lockdown by two weeks as part of its strategy to contaib the spread of the novel coronavirus. Since March 25, the government has made use of discretionary powers under The Disaster Management Act, 2005 to impose a nationwide lockdown.
One of the government’s key strategies against Covid-19 has been the adoption of contact tracing methods. This involves identifying, listing and monitoring people who have come in contact with infected persons to limit the spread of the coronavirus. Since April 2, the government has been enhancing its contact tracing capabilities by making use of data collected via a mobile phone app called Aarogya Setu.
Built by the Ministry of Electronics and Information Technology and some volunteer groups under the guidance of the National Informatics Centre, the Aarogya Setu app uses GPS data and Bluetooth technology to determine the location of users and others they come in contact with. It collects personal data such as age, gender, name, health status, travel history, and the user’s contact list to assess the risk status of users and help health authorities manage the break out of the infection.
By Monday, the app had 98 million downloads, supposedly making it one of the fastest downloaded apps of all time.
Voluntary vs mandatory
Touted as a voluntary app, the government has steadily pushed for mandatory usage of the service. In the May 1 order extending the lockdown until May 17, the government has mandated 100% coverage of the Aarogya Setu app within containment zones and for both public- and private-sector employees, making the heads of private organisations liable for non-compliance.
Recently, the Government made the app a pre- condition for bringing back stranded Indians abroad and latest reports suggest it is now considering mandating the Aarogya Setu app for all future air travel. Authorities in Noida have made its use compulsory for all its residents. This is a dramatic and potentially unconstitutional shift from voluntary to mandatory.
Though India does not yet have a comprehensive data privacy framework, in 2017, the Supreme Court in a landmark judgment (K.S. Puttaswamy v. Union of India) reaffirmed the right to privacy as a fundamental right. This grants protection against privacy abuses by the state.
Valid arguments may be made that during a pandemic, emergency measures like mandatory usage of an app might be in the public interest. But there are legal and practical challenges to this line of argument that must be considered.
Privacy by law
It is an established position in India’s constitutional law that fundamental rights are not absolute. The state may, with appropriate safeguards, limit these rights in times of need. For privacy limitations, the Supreme Court in Puttaswamy laid down a four-step test.
If the government wishes to collect and process the personal data of Indians, without their consent, it must show:
That there is a law backing its demand
The measure adopted is necessary for achieving a legitimate state aim and is not arbitrary
That the measure is proportionate to the object of the law
There are procedural guarantees against the abuse of such limitations.
In response to public criticism , yesterday, MeitY released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 , (the Protocol). The Protocol seeks to provide certain procedural guidelines/ safeguards or the data collection activities under Aarogya Setu and permits sharing of data between various Government departments and third parties to implement appropriate health responses.
The Protocol is effectively issued under orders of the National Disaster Management Authority under the Disaster Management Act, 2005, which does not specifically allow for the collection and processing of personal data as envisioned by the Aarogya Setu app. Thus, it will be far-fetched to say that the Protocol provides sufficient legal backing to Aarogya Setu.
While the Protocol limits data collection by the Government to what is necessary and proportionate, it fails to explain as to why such mandatory collection of data is necessary to achieve the aim of disease prevention. Are such digital contact tracing methods the only and best way possible to manage Covid-19? Is the collection of demographic data such as name, mobile number, age and gender alongside contact data absolutely necessary to fight the epidemic?
The Government could have gone a step ahead and provided answers to such questions in the protocol, which could have demonstrated the necessity of mandating Aarogya Setu. Coming to the proportionality test, a key requirement of which is to exhibit that the method imposed is the least restrictive, the protocol does not illustrate how digital contact tracing through centralised mobile apps is the least privacy intruding method of exposure notification and disease management. Aren’t other decentralized data collection solutions such as DP3T or PEPP-PT more privacy friendly
The Protocol does not have legislative backing as it is born purely out of executive action and comes more than a month after the launch of the Aarogya Setu app. Though, it comes with a sunset clause of six months, reviewed periodically, there is no legislative or judicial determination for its continuance beyond the initial period, skipping essential guarantees against potential abuse of such powers (a slew of petitions have been filed before the Kerala High Court, challenging the mandatory usage of the Aarogya Setu app).
Tech-solutionism and surveillance
Beyond the legal hurdles, the practical failures of the Aarogya Setu app have been widely discussed. For the app to generate reliable results, 60% more of the population must download it. But smartphone penetration in India stood at only 24% in 2019, according to a survey by the Pew Research Centre. Besides, the app can generate false positives and false negatives, it does not take into account people on separate floors or other physical barriers or the possibility of battery drainage; and security failures that could allow unscrupulous parties to collect app IDs, severely hurting user privacy.
Though the Indian government claims that data collected by the Aarogya Setu app gets deleted in cycles of 30, 45, and 60 days, the risk of mass surveillance cannot be ignored, particularly since the app has not been open for public audit and stores data on a centralised server. (Reports suggest that the data might be currently stored on an Amazon Web Services server, raising doubts about the security and privity of the health data of millions of Indians.)
Merging the data collected through Aarogya Setu with other government databases such as the Aadhaar database or integrated databases such as the CMS or NATGRID could result in mass profiling of Indian citizens.
While Indian law does permit the government to conduct targeted surveillance through the Indian Telegraph Act, 1885, and the Information Technology Act, 2000, it does not sanction mass surveillance activities. In light of the push for mandatory use of Aarogya Setu, it is pertinent to mention that with rising digitisation, India is in a dire need of surveillance reform.
Doubts about usefulness
Numerous countries around the world, as well as Apple and Google, are experimenting with contact tracing apps like the Aarogya Setu. But questions remain about the usefulness of contact tracing apps.
Health experts warn that contact tracing works best in situations where infection rates are low and there is widespread testing. Considering most cities in India are red zones, it may not be very useful to notify people about possible exposure when the infection is everywhere.
In addition, an over-reliance on contact tracing apps carries with it the grave risk of impeding peoples’ right to movement and participate in social life. If exposure certification on apps (India is mulling e-passes using Aarogya Setu) is made mandatory for people to move around (for example, to use public transport), the error rates inherent in such technology could give rise to widespread exclusion.
Protecting civil liberties
However, it could be possible to carry out digital contact tracing without violating the fundamental rights of citizens. First and foremost, the Indian government should share the source code of the Aarogya Setu app in accordance with its open-source policy for independent experts to verify its security (as Singapore has done).
Next, the government should pass an ordinance for the collection and processing of data for the purposes of contact tracing, as the continuation of such an ordinance shall be determined by Parliament and ensures separation of powers between different organs of the State. An independent quasi-judicial forum must be set-up by the government to address grievances arising from using the app. Aarogya Setu must strictly be a voluntary service, with clear options to withdraw consent and have personal data deleted permanently.
A good example of enabling user autonomy over personal data comes from a recent Kerala High Court matter. In its order, the court directed the government of Kerala to ensure that specific user consent should be obtained before sharing health data of citizens with third party service providers and that the data needs to be anonymised before handing it to third party service providers.
Since Aarogya Setu has been developed under a public-private partership model and reports suggest the involvement of volunteer groups in its creation, it is essential for the government to maintain complete transparency on the identity and affiliation of each private player with due regard to the process of selection.
It is vital to protect civil liberties like the right to privacy in times of global emergencies like the coronavirus pandemic because invasive state action has a tendency to expand beyond its initial purpose, severely diluting our rights in the long term.
Governments adopting digital contact tracing technology must necessarily warn users about the limitations of such mobile apps. If apps like Aarogya Setu are hailed as silver bullets in the management of a health crisis, it will shift focus away from proven mitigations strategies such as increasing the capacity of healthcare infrastructure, public awareness campaigns, and citizen-centric solutions like mask wearing and physical distancing.
The CCG Blog 