Retaining Informational Privacy in the Age of Emerging Technology
The Joint Parliamentary Committee has recently published its report on the Personal Data Protection Bill, 2019 (PDP Bill 2019). Given the imminent introduction of a redrafted law on data protection before the Parliament, it is essential to take a critical look at the defining concepts introduced by the PDP Bill 2019.
The Center for Applied Law and Technology Research (ALTR) at Vidhi proposes to put out a series of working papers on various aspects of the PDP Bill 2019. The first working paper seeks to discuss the need for a regulatory framework to protect informational privacy specifically from the lens of emerging technologies such as AI and IoT devices.
Control and Informed Consent
The Supreme Court has recognised the right to privacy in the landmark case of Justice K Puttaswamyv Union of India. Within this, the Court recognised that the right to informational privacy included the right to control the use, or processing, of one’s personal information. This control, also known as informational autonomy, is currently realized through the notice-and-consent framework. An individual is provided a privacy policy or certain terms and conditions explaining the processing of their personal data, and thus actively consents to personal data being processed. This allows an individual to make an informed choice.
The paper contends that the widely used framework of notice-and-consent is inadequate in many aspects. The binary choice offered through standard form contracts, informational asymmetry, consent fatigue and dark patterns weaken the prospects of meaningful consent.
Emerging technology renders ‘notice-and-consent’ inadequate
In addition, there is growing adoption of emerging technologies such as artificial intelligence (AI) and the Internet of Things (IoT) that rely on extensive collection and processing of personal data. These operations raise unique concerns regarding a data principal’s autonomy over their personal data. Meaningful consent is recognised as a central facet of autonomy and the right to informational privacy.
However, the ubiquity of sensors and the person-agnostic manner of processing require data principals to exercise control beyond mere consent boxes. Emerging technologies require a nuanced take on informational privacy that extends throughout the period of processing personal data.
Regulatory approach for data protection and the PDP Bill, 2019
In this regard, the paper seeks to discuss the need for a regulatory framework comprising rights, obligations and enforcement measures to combat these concerns. The paper contends that data protection would involve a data principal’s access and control over personal data throughout the course of the data being processed, and not just at the time of collection. Further, the paper discusses that in addition to individual-centric actions to be taken within a rights-based framework on data privacy, there must also be certain baseline obligations and measures guaranteed by a central regulating entity. Without such a set of obligations and an enforcement mechanism, granting rights over personal data may be rendered meaningless.
Regulatory framework offered by PDP Bill, 2019
The paper looks at the provisions of the Personal Data Protection Bill, 2019 from the lens of how such provisions enable greater control and protection over personal data. The paper discusses the rights, obligations and remedies proposed by the PDP Bill, 2019. Additionally, it discusses innovations such as consent managers, sandboxing for emerging technology applications, and additional obligations such as data audits and data protection impact assessments for significant data fiduciaries.
It finally concludes by reviewing provisions where these protections fall short. The PDP Bill, 2019 has been justifiably criticized for creating backdoors that offer sweeping exemptions to government agencies. For example, the proposed Clause 35 allows the central government to exempt any agency from any or all of the provisions of the law. It is not immediately clear how obligations under the PDP Bill, 2019 to maintain recommended IT security standards or to maintain records, for example, hinder the agencies from conducting their functions.
The paper further seeks to contextualize these exemption provisions in light of AI and IoT systems deployed by central government agencies in recent years. These wide-ranging exemptions have been critiqued in the paper considering the vast amount of personal data processed by these systems. Given that agencies such as the Income Tax Authority and the UIDAI have already sought exemptions from the PDP Bill, 2019, the sweeping nature of these exemptions is inadvisable.
Filed Under
About the Authors
Dhruv was a Research Fellow with the Centre for Applied Law and Technology Research at Vidhi. He is interested in the interplay between law, technology and civil liberties. He graduated from the NALSAR University of Law, Hyderabad in 2019. Prior to joining Vidhi, he worked with Majmudar & Partners, Mumbai and has interned with the Centre for Communication Governance, NLU-Delhi, and the Centre for Internet and Society. He enjoys writing poetry, playing chess, and reading on Indian and world history in his spare time.
Ameen was a Senior Resident Fellow at Vidhi, and led the Centre for Applied Law and Technology Research (ALTR). His interest and research focus lies in AI ethics, and the governance of AI. Within ALTR, he has been leading the team's collaborative research on data trusts, and artificial intelligence. Ameen has also worked on the intersection of technology and the justice system, as a senior fellow working on the JALDI mission's engagement with the Supreme Court of India's AI and E-Courts' committees. Ameen has a formal educational background in social research methods and evidence-based policy. He completed his master’s programme from the Institute of Education (University College London), focusing on the use of research evidence in policy processes, and was awarded an MSc. with an overall distinction. Before this, he completed his undergraduate legal studies from the W.B. National University of Juridical Sciences [B.A. LL.B. (Hons.)] in 2012. Prior to Vidhi, Ameen worked at J. Sagar Associates, in the firm’s regulatory and policy team. He has practised in the Supreme Court of India, the Delhi High Court, and numerous tribunals.