“ Privacy and Innovation – Balancing the market towards better growth “
What a year it has been for Privacy in India !
The GDPR Compliance deadline in May 2018, followed by the very comprehensive Data Protection Bill in August, Privacy being declared as a separate Constitutional Fundamental Right and not just merely a part of the Right to Life in the Puttuswamy Judgement, The Right to die being declared as a part of the Right to Life by the Supreme Court paving way to Assisted Dying or Advanced Medical Directive and now the Notification naming government agencies that have a right to intercept, monitor and decrypt information / communication. All this has left us quite breathless!
Clearly, India is on the cusp of building a robust framework for protecting Privacy of its citizens and at the same time ensuring that the framework is not too tight to stifle innovation and economic growth. Despite the stated desire for privacy, the reality is that many of the things we love about the digital world wouldn’t work without a high degree of data sharing. Take, for example, Uber. To enable those services, we need to share our location information and where we want to go, but those services also rely on customers and drivers ranking each other so that good behavior on both sides is rewarded and encouraged.
The exchange of data for better services is the basis on which the platforms have developed and hence the popular argument is that over-regulation in Privacy will be detrimental to Innovation.But with increasing awareness in consumers about Privacy and how much of personally identifiable data is really required for innovation the narrative now has to change from “Privacy or Innovation to Privacy and Innovation”.
Let us have a quick look at how that the concept of Privacy developed in India through various judicial pronouncements. Understanding an all encompassing definition of Privacy by businesses as well as consumers will facilitate Privacy by design and further the narrative of Privacy and Innovation .
Supreme Court in various cases over the years upheld the Right to Privacy as an intrinsic part of the Constitutional Right to Life and one can see from these judgments that Privacy expectations of an individual are multidimensional. Bodily privacy, where law enforces social norms to protect against unwanted physical contact including assault; territorial privacy where law enforces property rights including protection against dispossession without following due process of law; communication privacy, where law protects all private communications from being tapped or from unauthorized interceptions; information privacy as it can lead to the identification of a person and Location privacy is safeguarded by laws that criminalize stalking and even cyber stalking but majorly violated by GPS tracking systems and cell tower triangulation.Privacy is also different from intimacy and secrecy. What is intimate is private but the converse may not be true. Privacy is also confused with secrecy at times. For eg a state’s nuclear program details are secret but not
In the Puttuswamy Judgement in September 2018 , the right to privacy was established as a separate Fundamental right and recognized that this right includes autonomy over personal decisions, right against State interference , bodily integrity, a right to refuse medical treatment, the right to consume beef and the right to display symbols of religion in one’s personal appearance , as well as the protection of personal information. On this basis, the Judges held that there was a need to introduce a data protection regime in India. The Court also recognized that the right was not absolute but allowed for restriction where this was provided by law, corresponded to a legitimate aim of the State and was proportionate to the objective it sought to achieve
Alongside the Puttuswamy Judgement the key considerations in the Data Protection Bill are
1. The concept of a Data Fiduciary and Data Principal
2. Data Processing Principles and the Principle of consent
3. Right to Forget or de-identification
4. Privacy by design – Transparency & Accountability
Privacy is based on trust . The words “Fiduciary” and “Privacy by Design” , “Transparency and accountability” all indicate a relationship of trust between providers of information and consumers of information. In my opinion, any regulation that enhances trust will also redirect innovation toward privacy-protecting practices. Positioning privacy regulation as an impediment for data-driven innovation, fundamentally misinterprets the notion of privacy. Informational privacy does not mean curtailment of access to personal data. Instead, it provides complete control to the individual about how her data is used. Regulation is now forcing businesses to respect the multidimensional expectation of Privacy of a Individual and build trust. It is one of the rare instances that regulation is driving innovation.
Hence data privacy is not just a principle that should be met, but is a key driver for innovation. Quite simply, many users would only share their data if they feel confident that a business would manage it effectively. The innovation economy will be denied valuable data if it cannot gain people’s confidence.
We have already witnesses some innovations driven by privacy requirements such as
· Synthetic data generation using machine learning systems to help data scientists access personal data anonymously
· Identity management fuelled by Blockchain techniques, allowing to verify identities without exposing personal data
· Personal data monetization allowing individuals to get value from sharing their personal data
I feel, successful organizations will be those who can see beyond the regulatory constraint and use it as a catalyst for digital transformation.
To conclude, let me give some examples that blatantly violated Privacy norms and hence had to bite the dust.
1. The smart doll Cayla – the conversations that Cayla records are sent to servers at a company called Genesis, which makes the doll, and to another company called Nuance, which makes voice-recognition software for this any many other products. Nuance also has a database used by law enforcement and military and intelligence agencies that matches voiceprints.
2. The Aristotle was an AI assistant that would sing lullabies to babies and teach them their ABCs. Aristotle combined the smart speaker and digital assistant functionality of Amazon’s Echo with a connected camera that acted as a baby monitor. Aristotle was off the shelf after an uproar regarding Privacy violations
It is therefore evidentthat a business models which depend on intrusive and opaque collection of user data and will generally resist Privacy regulation and their days are numbered. Transparency and accountability are the key drivers leading to a win-win situation.Secondly to conform to data privacy needs, professionals in all industries working with big data need to take out identifying details before processing the information. After all, data is needed to train algorithms, not to expose specific individuals. Individual privacy need not be sacrificed under the guise of innovation.
The author is a Technology Lawyer