A dedicated privacy law is being demanded vociferously in the country. In this context it is said that the data protection framework will need to treat privacy as a social and not just an individual need. Discuss.(150 W/ 10 M)

Mentors Comment:

Three key words are important in the question: Privacy Law, Individual need and Social. So the structure of the answer will follow the same direction.

In the intro tell the examiner why data protection is such a big word these days and cite recent examples of various incident like Cambridge Analytica fiasco, Aadhaar leaks and SC verdict on privacy. In the same discussion, mention the need for data protection framework.

Then move on to the second part of the answer which will deal with Individual’s role in this privacy law. What are the basic features of data laws that deal in individual capacity of the customer. (You remember the terms and conditions form that you click everytime you open an account on a social media platform or install a new software on your phone and computers. Those are individual aspects of privacy laws.) Then mention the challenges in regulating the individual needs in privacy laws (tough languages, digital illiteracy, role of metadata, combining different sets of data of an individual to track his/her activity or personality traits etc)

The third portion will be the way forward as well as the last aspect of the question: Social needs. You have to discuss that while maintaining and regulating privacy laws at individual level is cumbersome and has loopholes, the data protection laws should rather look privacy as a social need. One easy example is this: Your friend clicks of selfie with you. Now this the so called picture belongs to him/her and individual privacy law acts will subscribe upon him/her if someone uses that pick without his/her consent. But because you are also in the picture, the privacy part should address you also. So, rather than looking to go for individual protection alone, the upcoming law should also address society as a whole.

Briefly give a conclusion in three four sentences.


Model Answer:

Aadhaar leakage, Cambridge Analytica incident and lastly and the most important of them, the Supreme Court ruling on privacy have raised the talks of data privacy in India. A dedicated privacy law is being demanded vociferously in the country. In the age of information data is an asset. Business models use big data to identify the customer behaviour. Therefore with such commoditization of data, there is a need to have a data protection law.

Individual Privacy Approach:

  • The idea of “privacy as control” is what finds articulation in data protection policies across jurisdictions. This approach essentially involves the following steps:
  1. Data controllers are required to tell individuals what data they wish to collect and use and give them a choice to share the data.
  2. Upon sharing, the individuals have rights such as being granted access, and data controllers have obligations such as securing the data with appropriate technologies and procedures, and only using it for the purposes identified.
  • The objective in this approach is to make the individual empowered and allow them to weigh their own interests in exercising their consent.
  • This approach is also easy to enforce for both regulators and businesses.
  • Data collectors and processors only need to ensure that they comply with their privacy policies, and can thus reduce their liability while, theoretically, consumers have the information required to exercise choice.

But there challenges in this individual approach:

  • The emergence of big data, the Internet of Things and algorithmic decision-making has significantly compromised the notice and consent model.
  • Privacy notices often come in the form of long legal documents, much to the detriment of the readers’ ability to understand them.
  • These policies are long, complicated, full of jargon and change frequently.
  • Data is collected continuously with every use of online services, making it humanly impossible to exercise meaningful individual consent.
  • As the uses of data are so diverse, and often not identified at the beginning, individuals cannot imagine how their data will be processed and possibly used or reused.
  • While the regulatory framework is designed such that individuals are expected to engage in cost–benefit analysis of trading their data to avail services, this ecosystem makes such individual analysis impossible.

Treat privacy as a social need:

  • As long as privacy laws are framed from individual control perspective, data controllers will continue to engage in practices that compromise the ability to exercise choice.
  • There is a need to view privacy as a social good, and policymaking should ensure its preservation and enhancement.
  • The recognition of privacy as a social good deems it desirable by definition, and a legitimate goal of law and policy, rather than rely completely on market forces for its achievement.
  • Data that a person produces or has control over concerns both herself and others.
  • Individuals can be exposed not only because of their own actions and choices, but also made vulnerable because of others’ data about them.
  • This means is that protection of privacy requires not just individual action, but in a sense, requires group co-ordination.
  • In the absence of attention to the social good aspect of privacy, individual consumers are left to their own devices to negotiate their privacy trade-offs with large companies and governments and are significantly compromised.

As policymakers in India gear up for writing the country’s data protection law, they must acknowledge that their responsibility extends to creating norms and principles that will inform future data-driven platforms and regulatory technologies. Given the rising internet penetration and growing emphasis on Digital India, it is imperative to protect the sanctity of data generated by citizens. A legislative framework to address the growing concerns around data protection and privacy is the need of present day.