Quick Update: We have submitted our response on 30 January 2018. You can find it on this link
It is widely known that the amount of data generated daily worldwide is rising at an incredibly exponential rate. Yet, what remains shrouded is how this data, particularly those data types concerning or generated by us, as individuals, are being used and stored by both the public and private sector. As we move into a data-driven world, it is crucial that the laws developed around Data center on the premise of both empowering and protecting the individual. In fact, the main purpose of the 4th layer of India Stack, the “consent layer”, is just this: to provide for a set of tools and utilities, as part of the Data Empowerment and Protection Architecture (DEPA), that empower citizens to assert control over their data.
The Justice Srikrishna led committee of experts has released a White Paper articulating their provisional thoughts on the Data Protection Framework, and are seeking public comments on the subject. iSPIRT will be submitting a formal response to the White Paper. This blog post lays out our current views regarding Data Protection and we seek suggestions and comments from the larger iSPIRT community as we finalize these into iSPIRT views.
|We want the community members who are keen to contribute on the topic. If you have any feedback or you’re interested in contributing to the response, please reach out to us at [email protected]
Restoring balance between the individual and data controller
From social media platforms to online loan applications, to ride-sharing apps, many of the services we access regularly require mandatory data collection from the individual to the data controller, either on a one-time but often on a recurring basis. Data collected by data controllers often gets used in ways far outside the stated purpose. This in turn automatically places the individual at a data-disadvantage, so to speak. We believe that this current industry practice is an anomaly and data collected must be used only for the purpose it was collected for and nothing else. The law should work towards enforcing this principle and aim to restore balance across all elements of the privacy construct i.e consent, notice, choice, etc.
In addition, the use cases for data are also rapidly evolving. Without empowering the individual, in addition to restoring the balance, a data protection law cannot be considered complete; bringing us to the second core principle.
Data should be used to empower and not for harm
Indians will be data rich before they are economically rich. They must be empowered to use their data for their own benefit. For example, I must have access to a secure mechanism to share my financial information with a personal finance application such that I may easily track my spending and get intelligent recommendations on where to invest.
Progress in the area of data sharing is evident as in February 2017, the Digital Locker Framework was proposed as a national standard for aggregation. Along with it, an Electronic Consent Framework for enabling consent for sharing of data has also been released.
Yet, what about the vast amounts of personal data that have already been collected under various legal frameworks? Under new norms, individuals can be empowered by being given an option to “opt-out.” Where this is not feasible, the law should favour the rights of the individual, placing the higher onus on the data collector.
Individuals have Rights over their Data
When consent models were first implemented in the 1980s, data was largely static in nature. The opposite is true today with data being tracked, processed, and correlated in a multitude of forms, from the trends of our online shopping choices to the timing of our financial transactions. This transformation calls for a move away from the antiquated “consent-based model” to a “rights-based model” for data protection. The proposed rights model can be guided by three principles: accountability, autonomy, and security. Together these principles will ensure that individuals are provided a right to fair treatment, right to information, right against processing, and right to the security of his/her data. For additional information on the rights-based model, the Takshashila Institution has released a Discussion Document on this very paradigm.
The White Paper stays away from the word ‘ownership’ completely and instead opts to create rights which are always with the individual. The individual has a right to each piece of data that relates to her, and she can exercise this right to accomplish everything all that she needs. The data controller does not have any rights to this data other than those granted by the individual. We (iSPIRT) need to come to a conclusion as to whether this language is sufficient from our perspective.
Data controllers must be accountable
Data controllers are typically organisations (including non-profits, governments) and hence much more powerful than individuals. While consent is important from an empowerment standpoint, we are also aware of the practical shortcomings of this approach. Many users do not or can not know enough to make a truly ‘informed’ choice. The data controller, on the other hand, has been entrusted this data by the user for a specific purpose – it is a very conscious act, and they must be held responsible for how this data is used. This is a fiduciary responsibility, and the controller must keep the data secure, ensuring that the user does not come to any harm from their possession or handling of the data.
This accountability needs to be enabled and enforced by multi-dimensional checks & balances through an independent Data Protection Authority and appropriate adjudication process that will process dispute resolution when situations involving privacy harms have occurred.
Times of disruptive change require agile regulators
Successful businesses today must have the ability to evolve rapidly. Operating in this environment will require regulators to be agile and provide timely intervention. The law must also recognise that these changes are accelerating and that it will be impossible, at this time, to cover everything. Thus the law should empower regulators by providing a framework with a set of principles which are timeless, along with a mechanism that can change with the times and a context to provide suitable intervention.
Leveraging technology for enforcement
Data is no longer the imperative of a few industries, but fast becoming a utility across industries. Therefore, unlike other regulators for Savings, Lending, Banking or Telecom, the Data regulator will have to deal with at least 10,000x the number of entities. Every company deals with the data of its employees, shareholders, customers, vendors, etc., which may fall under the supervision of this regulator. In such an operating environment, it makes it imperative for the enforcement of the law on data to leverage modern technology tools to drive compliance, investigation, etc.
For example, the authority could create a technological framework for enforcement (such as data audits, logging, etc.) to minimise the effort required and only needs to regulate the exceptions or data breach notification could have the objective of helping mitigate the consequences of a breach and to serve as notice for an incident.
Balancing India’s needs for privacy, transparency, and development
Balance is a universal aspiration in all aspects of life and an essential requirement for smooth, sustained and predictable growth. If the balance between privacy and development is not maintained, we may end up with a scenario where an individual may not be able to use their personal data, sitting with one data controller (say tax authority) for a beneficial service from another authority (eg new loan). Similarly, the balance between privacy and transparency is also essential, especially for scenarios involving the utilisation of public resources i.e. a PDS shop refuses to provide details of beneficiary it services under the garb of privacy and is thus able to misuse the system to create ghost beneficiaries.
The law should encourage concepts such as anonymised open datasets and democratised access to other datasets that serve the public interest, paving the way for data to become a public good. The UK’s Biobank & RBI’s effort to create a Public Credit Registry are good examples of data becoming a public good.
There is also a need for balance in the efforts and action of the state and private organisation on surveillance and related activities. With newer technologies making access to data easier and cheaper, it becomes even more important to tread the path of balance more carefully. History has proven, time and again, how surveillance will be misused for personal benefit. Therefore, the law should explicitly call out principles to prevent misuse of surveillance.
In addition, the new law must harmonise various existing laws, particularly, the Information Technology Act, 2000, Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and Right to Information Act, 2005, which directly or indirectly touch upon the issue of data protection.
Overall, the law should strive to create a balance between protecting personal privacy, providing transparency and accountability for institutions (including government), and ensuring development, growth, and empowerment for the individual and other market participants.
Innovations: Trust Score & Consent Dashboard
It is refreshing to see the White Paper bring out new concepts for consideration like the Trust Score and Consent Dashboard.
The innovation of a Trust Score could also provide a means to empower users by assigning every data controller a score based on the robustness of their data protection and data use practices. At a minimum, this would create a red-flag in the mind of the user, versus the black-box that users currently manage, prior to sharing personal information.
Having said that, the actual design of the Trust Score will be critical. It is easy to understand that the score will punish past incidents of data misuse, but we must also decide what behaviour to reward. Should the score be decided by a centralized authority or through decentralized feedback from end-users, audit agencies, etc.? iSPIRT welcomes views on designing such a Trust Score.
A Consent Dashboard could help individuals easily view to which organisations they have provided consent to process their personal information and how that information has been used.
The Consent Collector entity, part of MeitY’s Electronic Consent Framework, may be extended to perform the function of a Consent Dashboard. Through the consent dashboard, businesses may capture and log user consent, provide users with the ability to see what data has been collected, give users the ability to revoke their consent and erase their data, be able to notify users in a timely manner in the event of a data breach, and most importantly give users the ability to easily port their data to another data controller.
The Consent Dashboard could be designed in a manner such that it only generates and tracks an individual’s consent for collection and sharing of data. However, the data could be directly sent from the Data Provider to the Data Controller (and Data Processor) without passing through the Consent Dashboard. In this way, the Consent Dashboard could just be a registered entity, not a regulated entity, and be maintained by a third party instead of the government.
We request your thought/comments on the principles above, and in helping to add/subtract to the list. The final principles will guide and inform iSPIRT’s response to the Sri Krishna Committee White Paper. If you wish to engage more deeply on this topic of Data Empowerment & Protection and help us frame the response, please let us know by reaching out at [email protected]. The feedback submission on the White Paper is Jan. 31st 2018, thus we request all responses by Jan. 20th 2018 to receive consideration.
Update : We have submitted our response. You can find it on this link.
This post has been co-authored by Shrikant Karwa and Sarika Mendu.