Technology has penetrated our daily lives in a quiet, unobtrusive fashion. We don’t blink when the search engine on our computer suggests relevant searches, when the online marketplace already knows our favourite colognes and other shopping preferences, when our phones type the next anticipated words, when tablets are commanded through voice recognition, or when a TV commercial enlightens us on how to activate our air conditioner using a mobile device, so that we reach home to an ambient temperature.
When computer systems clone human intelligence and are able to visualise and perform speech recognition, we enter the arena of artificial intelligence (AI), a stream of computer science wherein computers are engineered to reason, and thereafter process decisions, like human beings.
The fight between man and machine dates from time immemorial, and with each technological advance there are benefits and costs, whether it’s jobs or the loss of privacy.
How prepared is India, the architect of the technological boom, in terms of legislation to combat the ubiquitous technology giants? Recent news reports suggest that a behemoth search engine tracks our offline activity to increase its digital advertising, as sales made on debit/credit cards help it inform brick-and-mortar merchants whether their advertisements convert into sales at stores.
What then is the impact of this remote monitoring of our digital movements? What is the protection afforded to the privacy of our preferences and what is the onus on the technology industry to ensure no misuse?
The UK relies on the Data Protection Act, 1998, whereas the US relies on a collection of federal privacy-related/broad consumer-related laws that regulate the collection and use of personal data, preventing unfair or deceptive practices involving the disclosure of personal information.
While India still does not have any dedicated legislation on the subject, our courts have nevertheless been vigilant in protecting the right to privacy in several instances by interpreting “data protection” within the ambit of the “Right to Privacy” as implicit in Article 21 of the Constitution.
In the case of R Rajagopal versus State of Tamil Nadu, 1994 SCC (6) 632, the Supreme Court of India held that the right to privacy, as an independent and distinctive concept, originated in the field of tort law, under which a new cause of action for damages results from unlawful invasion of privacy. The Court inter alia held that this right has two aspects, which are but two faces of the same coin: (1) the general law of privacy, which affords a tort action for damages resulting from an unlawful invasion of privacy, and (2) the constitutional recognition given to the right to privacy, which protects personal privacy against unlawful governmental invasion. The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child bearing and education among other matters. This law will further evolve when the larger Constitution bench of the Supreme Court decides if the pervasiveness of the Aadhaar is an infringement of people’s right to life, liberty and privacy as protected through our fundamental rights.
The other bulwark of privacy protection in India is the “Information Technology Act”, 2000, amended in 2008, which vide Section 43A prescribes damages if a body corporate is negligent in implementing/maintaining reasonable security measures when dealing with any sensitive personal data on a computer controlled by it, resulting in wrongful loss/wrongful gain to any person. Further, Section 72A provides for punishment/fine for wrongful disclosure of data.
Our sensitive personal data, such as passwords; financial information, credit/debit card details; sexual orientation, medical records; biometric information; information received by a body corporate under lawful contract or otherwise; and user details as provided at the time of registration, are now protected under the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) (SPDI) Rules, 2011”.
These rules require prior consent for the use of SPDI, which can be used only for lawful purposes. More importantly, the information provider should be aware of the intended recipients and the details of the information collector.
However, the above falls short of the degree of protection that is required. AI is the next level of how technology will shape and determine human preferences. Privacy and data protection mean that data about individuals should not automatically become available to others, and this will require the legislators to put obligations on the software industry to incorporate appropriate safeguards, protecting against omnibus absorption of our personal details, which are bound to be collected as part of the voluminous information collected by robots and the like in the coming days.
A comprehensive, dedicated data privacy legislation is the need of the hour, before we become hostage to data collectors, legitimate or otherwise.
The author, Sayali Pathak, is an independent counsel.