Regulating data is not an easy task. Certainly not!
It is not an easy task because the data generated over the last two years is more than what was generated in the previous 5,000 years! More worrisome is that we will end up creating even more data than this in 2017 – in one single year!
The task is an uphill one also due to the type, size and pace of data expansion across a wider range of sectors such as Automotive, Consumer Electronics, Energy, Entertainment, Gaming, Healthcare, Manufacturing, Security, Social Media, Space, Telecom and so on.
The Supreme Court of India, which came out with a landmark judgement ruling Privacy as a Fundamental Right of citizens on August 24, 2017, did not hide its concerns on Data Handling while dealing with the topic of privacy. It argued for striking a balance between data regulation and individual privacy, as the subject raises complex issues requiring a delicate balance between the legitimate concerns of the state and individual interest in the protection of Privacy.
“Technology has made it possible to enter a citizen’s house without knocking at his/her door and this is equally possible both by the State and non-State actors. It is an individual’s choice as to who enters his house, how he lives and in what relationship. The privacy of the home must protect the family, marriage, procreation and sexual orientation which are all important aspects of dignity. If the individual permits someone to enter the house it does not mean that others can enter the house”, is how Justice Sanjay Kaul of the 9-judge bench of the Supreme Court states his views on citizens’ right to Privacy.
Four other judges who penned a judgement under Chief Justice of India J S Khehar observed that “data mining processes together with knowledge discovery can be combined to create facts about individuals. Metadata and the internet of things (IoT) have the ability to redefine human existence in ways which are yet fully to be perceived.”
These words clearly demonstrated that the four judges truly and seriously dealt with the details and understood the gravity of the situation – as it stands and as it could emerge. They could foresee how the future would unfold with petabytes and exabytes of data getting generated day by day. The challenge is for the policy makers to put in place regulations to deal with the data without compromising individual freedom, liberty and privacy, while keeping supreme control with the state. And, the media has also written at length about the issues.
This raises another question. Does it give the State a right to carry out surveillance?
Here again the judgement of the four judges noted (with references to Yvonne McDermott’s 2017 paper ‘Conceptualizing the right to data protection in an era of Big Data’ in the Big Data and Society journal) that “the contemporary age has been aptly regarded as ‘an era of ubiquitous dataveillance or the systematic monitoring of citizen’s communications or actions through the use of information technology.’ It is also an age of ‘big data’ or the collection of data sets. These data sets are capable of being searched; they have linkages with other data sets; and are marked by their exhaustive scope and the permanency of collection.”
The four judges had no hesitation in reflecting that the challenges posed by Big Data to Privacy interests emanated from State and non-State entities equally. They said the users of wearable devices and social media networks may not perceive themselves as having volunteered data, but their activities of use and engagement result in the generation of vast amounts of data about individual lifestyles, choices and preferences.
The judges observed (with references to the 2012 paper of Christina P. Moniodis, “Moving from Nixon to NASA: Privacy’s Second Strand – A Right to Informational Privacy” in the Yale Journal of Law and Technology) that businesses and governments often aggregate a variety of information fragments, including pieces of information which may not be viewed as private in isolation, to create a detailed portrait of the personalities and behaviour of individuals. Yet, it is now a universally accepted fact that information and data flow are “increasingly central to social and economic ordering.”
There is not even an iota of doubt that individuals today are identified through a series of identities – their ID numbers and user IDs – right from social security, financial transactions, taxation, citizenship details and voting rights to access to utility services for power, fuel, water, mobile phone, data, property services and so on. All of these IDs expose personal data to third parties, including governments.
Therefore, the judges noted that, apart from safeguarding Privacy, data protection regimes seek to protect the autonomy of the individual. “This is evident from the emphasis in the European data protection regime on the centrality of consent. Related to the issue of consent is the requirement of transparency which requires a disclosure by the data recipient of information pertaining to data transfer and use,” they noted.
Quoting the EU Regulation of 2016 and that of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Justice Kaul said “the State must ensure that information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed. Thus, for e.g., if the posting on social media websites is meant only for a certain audience, which is possible to achieve with available tools, then it cannot be said that all and sundry in public have a right to somehow access that information and make use of it.”
A dangerous path of data management was aptly picked up by the 4-judge verdict when it noted that “another aspect which data protection regimes seek to safeguard is the principle of non-discrimination which ensures that the collection of data should be carried out in a manner which does not discriminate on the basis of racial or ethnic origin, political or religious beliefs, genetic or health status or sexual orientation.” However, the judgement reinforced the right of the State to collect data of the citizens legitimately for legitimate use and purposes.
But the golden rule is control.
“Data mining with the object of ensuring that resources are properly deployed to legitimate beneficiaries is a valid ground for the State to insist on the collection of authentic data. But, the data which the State has collected has to be utilized for legitimate purposes of the State and ought not to be utilized unauthorized for extraneous purposes. This will ensure that the legitimate concerns of the State are duly safeguarded while, at the same time, protecting privacy concerns. Prevention and investigation of crime and protection of the revenue are among the legitimate aims of the State. Digital platforms are a vital tool of ensuring good governance in a social welfare state,” the judges said.
This was echoed by Justice Sanjay Kaul in his judgement as well. Apart from national security, the State may have justifiable reasons for the collection and storage of data. In a social welfare state, the government embarks upon programs which provide benefits to impoverished and marginalized sections of society. There is a vital State interest in ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients. Allocation of resources for human development is coupled with a legitimate concern that the utilization of resources should not be siphoned away for extraneous purposes. Data mining with the object of ensuring that resources are properly deployed to legitimate beneficiaries is a valid ground for the state to insist on the collection of authentic data.
But, the data which the State has collected has to be utilized for legitimate purposes of the State and ought not to be utilized unauthorized for extraneous purposes. This will ensure that the legitimate concerns of the State are duly safeguarded while, at the same time, protecting privacy concerns.
The apex court also went into the area of medical data collection as to how the State can lay hands on medical records and how it can be put to use. It said, “an unauthorized parting of the medical records of an individual which have been furnished to a hospital will amount to an invasion of privacy. On the other hand, the State may assert a legitimate interest in analyzing data borne from hospital records to understand and deal with a public health epidemic such as malaria or dengue to obviate a serious impact on the population. If the State preserves the anonymity of the individual it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions on the basis of the data available.”
Exploring all these complexities, the judges suggested that formulation of a regime for data protection is a complex exercise which needs to be undertaken by the State through careful balancing of the requirements of privacy coupled with other values which the protection of data sub-serves together with the legitimate concerns of the State. It said one of the chief concerns which the formulation of a data protection regime has to take into account is that while the web is a source of lawful activity – both personal and commercial – concerns of national security intervene, since the seamless structure of the web can be exploited by terrorists to wreak havoc and destruction on civilized societies.
Commending the Government for putting in place a robust regime for data protection, the Court said the creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. “The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the government while designing a carefully structured regime for the protection of the data”.
The 547-page verdict has set broad contours for the Government-appointed Justice B N Srikrishna Committee to draft the Data Protection Framework and the proposed Data Protection Bill. Now the ball of data protection and regulation is in the court of Justice Srikrishna.
(The author is a public affairs and communication expert and is currently Senior Director at IBM. Big data and data protection are key areas that the author is concerned with. The opinions shared here are his own and the publication may not necessarily hold the same views).