Right To Privacy

[op-ed snap] Short on nuance


Mains Paper 2: Governance | Important aspects of governance, transparency & accountability

From the UPSC perspective, the following things are important:

Prelims level: B N Srikrishna committee, Draft data protection bill

Mains level: Concerns about data privacy and the role of government


Draft data protection bill

  1. B N Srikrishna committee’s draft data protection bill is expected to be tabled soon in Parliament after final touches
  2. However, the committee has failed to develop an effective vocabulary to deal with the complex subject
  3. A data protection framework is unlikely to be grounded in reality without first formulating a data usage policy — this has been the discourse’s major lacuna

Inclusive functioning approach 

  1. The committee’s inclusive functioning style and seeking a public opinion at all stages are commendable
  2. Its recommendations pertaining to user-centric design, setting up of an independent data protection authority, regulating the government along with the private sector and a new law for intelligence gathering for national security are steps in the right direction
  3. Also welcome is the suggestion that the Aadhaar Act requires several modifications and provisions for regulatory oversight
  4. So is the recognition the committee has accorded to data portability

Some aberrations

  1. There is a suggestion that the UIDAI be both the data fiduciary and the regulator for Aadhaar
  2. There is also the curious suggestion that even though personal data can be transferred outside India, data fiduciaries will be required to store a local copy. Does this benefit the individual or is it a surveillance requirement of the state?
  3. The concepts of fair and reasonable processing, purpose and collection limitation, notice and consent, data quality and data storage limitation have largely failed to prevent identity thefts, unethical profiling and other privacy violations
  4. Dictums such as “personal data shall be processed in a fair and reasonable manner” are non-specific and they do not adequately define the contours of the required regulatory actions
  5. Ex-post accountability and punitive measures of the kind the committee has recommended may be largely ineffective, as they have been elsewhere
  6. The committee has not explored the ex-ante preventive measures adequately

Areas of omission

  • A data protection framework is incomplete without an investigation of the nuances of digital identity, and guidelines for the various use cases of authentication, authorisation and accounting
  1. It is also incomplete without an analysis of the extent to which personal information needs to be revealed for conducting businesses, and during eKYC processes
  2. In addition, effective protection requires an understanding of the possible pathways of information leaks, comprehending the limits of anonymisation with provable guarantees against re-identification attacks and a knowledge of the various possibilities with virtual identities
  3. Also required is an analysis of the possibilities of privacy preserving tools, techniques and protocols from computer science including hash functions, symmetric and public key cryptography, trust as negotiable protocols, selective disclosures, k\-anonymity, unlinkability and untraceability, one-time anonymous and dynamic credentials, zero-knowledge protocols, and quantifying information leak about individuals using techniques of differential privacy
  • The committee discusses about artificial intelligence and big-data analytics but fails to define clear-cut guidelines for their safe use
  1. But it ends up vaguely suggesting that no processing of personal data should result in taking decisions about a person without consent, but does not provide guidelines about enforcement
  2. Most theories for improving state efficiency in the delivery of welfare and health services using personal data will have to consider improved data processing methods for targeting, epidemiology, econometrics, tax compliance, corruption control, analytics, and topic discovery
  3. This, in turn, will require digitisation, surveillance and processing of large-scale personal transactional data
  4. Acquisition, storage and processing of personal health data will be crucial to such systems
  5. There should be detailed analyses of how such surveillance — targeted towards improving the efficiency of the state’s service delivery — can be achieved without enabling undesirable mass surveillance that may threaten civil liberty and democracy
  6. The committee needs to balance the seemingly conflicting requirements of individual privacy and the benefits of large-scale data processing, and it is not obvious that a trade-off is inevitable
  • A data protection framework is incomplete without defining the requirements and standards of access control, and protection against both external and insider attacks in large data establishments, both technically and legally
  1. The computer science sub-areas of security and automatic verification will certainly have a lot to offer

Way forward

  1. Civil society’s participation in discussions on data protection has been exemplary
  2. The institutions engaged in economics, public policy and computer science have to now wake up and produce comprehensive studies and white papers on all aspects of data usage and data protection for the framework to be successful
Notify of
Inline Feedbacks
View all comments