Retaining Informational Privacy in the Age of Emerging Technology

The Joint Parliamentary Committee has recently published its report on the Personal Data Protection Bill, 2019 (PDP Bill 2019). Given the imminent introduction of a redrafted law on data protection before the Parliament, it is essential to take a critical look at the defining concepts introduced by the PDP Bill 2019.

The Center for Applied Law and Technology Research (ALTR) at Vidhi proposes to put out a series of working papers on various aspects of the PDP Bill 2019. The first working paper seeks to discuss the need for a regulatory framework to protect informational privacy specifically from the lens of emerging technologies such as AI and IoT devices.

Control and Informed Consent

The Supreme Court has recognised the right to privacy in the landmark case of Justice K Puttaswamy v Union of India. Within this, the Court recognised that the right to informational privacy included the right to control the use, or processing, of one’s personal information. This control, also known as informational autonomy, is currently realized through the notice-and-consent framework. An individual is provided a privacy policy or certain terms and conditions explaining the processing of their personal data, and thus actively consents to personal data being processed. This allows an individual to make an informed choice.

The paper contends that the widely used framework of notice-and-consent is inadequate in many aspects. The binary choice offered through standard form contracts, informational asymmetry, consent fatigue and dark patterns weaken the prospects of meaningful consent.

Emerging technology renders ‘notice-and-consent’ inadequate

In addition, there is growing adoption of emerging technologies such as artificial intelligence (AI) and the Internet of Things (IoT) that rely on extensive collection and processing of personal data. These operations raise unique concerns regarding a data principal’s autonomy over their personal data. Meaningful consent is recognised as a central facet of autonomy and the right to informational privacy.

However, the ubiquity of sensors and the person-agnostic manner of processing require data principals to exercise control beyond mere consent boxes. Emerging technologies require a nuanced take on informational privacy that extends throughout the period of processing personal data.

Regulatory approach for data protection and the PDP Bill, 2019

In this regard, the paper seeks to discuss the need for a regulatory framework comprising rights, obligations and enforcement measures to combat these concerns. The paper contends that data protection would involve a data principal’s access to and control over personal data throughout the course of the data being processed, and not just at the time of collection. Further, the paper argues that, in addition to individual-centric actions taken within a rights-based framework on data privacy, there must also be certain baseline obligations and measures guaranteed by a central regulating entity. Without such a set of obligations and an enforcement mechanism, granting rights over personal data may be rendered meaningless.

Regulatory framework offered by PDP Bill, 2019

The paper looks at the provisions of the Personal Data Protection Bill, 2019 from the lens of how such provisions enable greater control and protection over personal data. The paper discusses the rights, obligations and remedies proposed by the PDP Bill, 2019. Additionally, it discusses innovations such as consent managers, sandboxing for emerging technology applications, and additional obligations such as data audits and data protection impact assessments for significant data fiduciaries.

It finally concludes by reviewing provisions where these protections fall short. The PDP Bill, 2019 has been justifiably criticized for creating backdoors that offer sweeping exemptions to government agencies. For example, the proposed Clause 35 allows the central government to exempt any agency from any or all of the provisions of the law. It is not immediately clear how obligations under the PDP Bill, 2019 to maintain recommended IT security standards or to maintain records, for example, hinder the agencies from conducting their functions.

The paper further seeks to contextualize these exemption provisions in light of AI and IoT systems deployed by central government agencies in recent years. These wide-ranging exemptions have been critiqued in the paper considering the vast amount of personal data processed by these systems. Given that agencies such as the Income Tax Authority and the UIDAI have already sought exemptions from the PDP Bill, 2019, the sweeping nature of these exemptions is inadvisable.