Though the 10-member panel headed by Justice BN Srikrishna on recommending a framework for data protection is widely perceived to be related to the data collected by UIDAI for Aadhaar, it goes way beyond that—mostly because the Aadhaar Act itself provides for a lot of security to data collected by even third parties working on behalf of UIDAI; to the extent the Aadhaar Act has some gaps, the Srikrishna panel will address that. The need for a comprehensive look at all Indian laws and practices emerges from the fact that the laws are scattered and unclear—some laws provide for data protection, but only when the collection is done by private organisations, some include data collectors and users, some don’t. And, what is unique in the Indian case, the panel will have to resolve the seeming contradiction between the need for data protection/privacy and the need for transparency and third-party audits. Making public the details of how many days an individual worked on MGNREGA is certainly a violation of privacy, but in a country where half of rations/subsidies are purloined before they reach the intended beneficiary, such data is put out in the public domain so that individuals and third parties can audit the data—in a strict data protection environment, is the privacy to be assured by restricting access to third parties that will, in turn, have to agree to protect the data? Since there is so much data that is given to Google or Facebook or hundreds of other apps as part of our daily lives, this will probably be the first place the Srikrishna panel will begin with.
Should a cab aggregator, for instance, stop tracking consumer movements the moment they are out of the cab or can this carry on for a few minutes more and, either way, can this data be monetised by, say, targeting customers with location-based advertisement or even suggesting which restaurants to eat in? Should a Google Maps be allowed to do this? Apart from the principle of how much data can be collected by different agencies, another principle will have to be laid out to specify how the data is to be used and to ensure it is used only for the purpose for which it was collected—given the menace of tele-marketing, it is difficult to believe mobile phone players are protecting customer data in the manner they should. Since each app collecting and monetising the data collected will be able to show user consent, the Srikrishna panel will have to put down rules on how user consent is to be acquired.
Long consent forms in fine print, which have to be agreed to before any app can be downloaded, are surely not the way to go about getting this. While it may still make sense for a bank app to have access to your contacts—this makes it easier to transfer money to a contact—why do most apps need access to your address book and SMSs before they can function? By law, many organisations such as banks are required to keep data confidential, but this does not apply to everyone. According to a study by the Vidhi Centre for Legal Policy, the provisions of the Information Technology Act that have stringent protection for data collected and how it is to be used should apply to all personal data, not just ‘sensitive personal data’, and the rules should apply to individuals and governments also, not just to ‘body corporates’.
The data protection rules, in each case, have to apply to those collecting and processing such data—how do income tax data leak or get publicized if this applies to the income tax authorities? Are those in charge of rations to disclose any or part of the data they collect—this is the issue of transparency versus privacy. Though important from a competition law point of view, the Srikrishna panel needs to examine the concept propounded by Luigi Zingales and Guy Rolnik in The New York Times on how individuals should be free to get back their ‘social graph’ from service providers—while Zingales and Rolnik talk about a person porting from a Facebook to a “MyBook”, a person moving from one map app to another should, for instance, be able to port her entire travelling history, favourite places, etc.
Related to this is the issue raised by Nandan Nilekani (goo.gl/RHfrX6) on users having the right to get back all of their data from a Google or an Amazon or even the bank they use—this goes beyond the ‘right to be forgotten’ which, needless to say, is an important one. The right to privacy, it is obvious, is not the same as data protection, but the two are inextricably interlinked. And whether or not the Supreme Court rules in favour of the right to privacy being a fundamental right, it is clear you can’t have this without a strict framework/law on data protection and a data protection authority whose job it is to ensure this is followed by everyone. Even if the right to privacy is ruled to be a fundamental right, the state and other players have the right to ask citizens/users for certain types of information—in such a situation, data protection and privacy amount to really the same thing. It is, of course, a pity that the government is choosing to move on this so late in the day, and only after it looked as if the SC ruling on privacy may hurt its work with Aadhaar.