We need a strong law on privacy: Amba Kak, lawyer & policy advisor, Mozilla

After the long set of Supreme Court hearings on issues with privacy and rights regarding the use of Aadhaar, the government is also moving on rules for data protection. The Srikrishna panel it set up last year on this issue is to soon give a report. Amba Kak, lawyer and policy advisor, Mozilla, to Mayank Jain on the subject. Edited excerpts:

What type of data protection law do we need in India, in terms of broad contour?

Three things. First, a law that guarantees rights to individuals and sets a high standard for meaningful user consent. Second, obligations on entities that handle personal data, to apply through the data lifecycle (collection, use, storage, deletion). Third, an empowered, independent and well-resourced data protection regulator. 

The key here is to have strong principles in law, paired with a strong regulator. It is neither required nor desirable to have all the details, for all possible contexts, addressed in the primary law in the first instance. Once the principles are in place, an empowered regulator can continue to issue rules and other regulators can offer own sector-specific guidance that builds off these principles.  

What are some of the major issues that the industry will be expecting the committee to tackle in its report?

I can’t really say. The stakeholder submissions to the Srikrishna committee haven’t been made public and very few businesses have voluntarily published their views. That said, many members of the industry have been vocal against the possibility of data localisation rules, which would require data to be stored within the borders of a given country. 

Aadhaar-based leaks are exploding even as there are concerns around the world on Facebook’s data mining but it made little to no noise in India.

Consumer activism is a good thing, of course. Yet, at the end of the day, we need a data privacy framework precisely because we cannot rely purely on individuals to understand and identify privacy violations. 

New threats to privacy don’t always fit the mould of the Orwellian surveillance state but instead often appear as ‘efficiencies’ or conveniences to be part of the digital economy. The fact that Indian users did not ‘delete Facebook’ in the numbers we saw abroad might be because of low awareness or because it is so integral to their social and economic lives. This cannot be used to argue that Indians do not want or need privacy safeguards. 

The committee is constituted of various experts from the techno-legal area. Is there a space for a socio-political perspective, which has been missing from the committee?

Politics, and ideology, is embedded in both technology and law. So, I do not think we can delineate it as a separate “perspective”. It goes without saying that diversity of stakeholder opinion is key to a law that is robust and has legitimacy. 

A comprehensive data protection law will not only impact the tech industry but apply across sectors, including offline contexts. It would apply to the government’s use of data, too, which significantly impacts the relationship between citizen and state. This law will also have impact on media and journalists, as well as right to information campaigns. These perspectives are also key to ensuring that the coming data protection framework is not misused to clamp on transparency. 

What is your biggest personal expectation from the committee report and their recommendations?

The approach outlined in the committee’s White Paper (position paper), drawing strongly on the recommendations developed by the  A P Shah committee of 2012 and the European Union’s General Data Protection Regulation is a strong one. The expectation is that we will see a principle-based legal framework, applying to government and private sector with equal strength. As well as an empowered and independent regulator to enforce the law and issue more specific guidance. 

However, as detailed in Mozilla’s open letter to the committee, there are some critical gaps in the White Paper, which will hopefully be rectified. For example, the draft proposal exempts biometric info from the definition of sensitive personal information that must be especially protected. The Paper also casts doubt on whether individuals should be allowed a right to object over how their data is processed. However, this is a core pillar of data protection — without a right to object, consent is not meaningful. 

Finally, we urgently need robust privacy safeguards to regulate government surveillance. The current legal standards are weak and, as a result, are regularly flouted. Standards of proportionality, as endorsed by the Supreme Court, must apply for government access to personal data. A clear and accountable process would mean companies will also be better empowered to deny government requests if they are overbroad or do not comply. 

There’s a whole lot of conversation around consent and what it means. Some say the reading of terms and conditions is so tedious that consent should be scrapped. Even as there are others who talk about making consent stronger, with information on how and where data is being used. Where lies the balance?

Consent is and should remain a critical component of how users’ privacy is protected. But, consent is only one part of the data protection chain. It includes additional links like privacy by design, storing and transmitting data securely, collection and purpose limitation, oversight by the data protection authority, data breach notification, etc. Of course, if the link of consent is weak or broken, the integrity of the rest of the chain is compromised. 

However, if businesses are relying on consent to legitimise their activities, it must be meaningful. The example of Europe’s ‘cookie banners’ regulation illustrates how even good intentions can go wrong. As part of the Electronic Privacy Directive, all websites in Europe have had to implement a notice to users that their site uses ‘cookies’ that allow for tracking. However, in practice, the user ‘consents’ by clicking on the banner or, in some implementations, consent is interpreted by scrolling down the page. However, they do not have a meaningful choice in the case that they object to the data collection processes and nor do they have real information about how many parties can access their data and for what purpose. 

Users must be given a real choice and not be forced into a ‘take it or leave it’ approach, where their only option is to accept a given service or site’s terms or not use it at all. 

In other words,  striving for meaningful consent is critical to empowering of users but entities should not be able to rely on consent as a way to evade accountability. Particularly where there is substantial imbalance of power between the individual and the entity, consent might not be meaningful and, therefore, would be an inappropriate basis for data processing.

There is a lot of talk about individual data privacy, the right to be forgotten, etc. What about those of us who are embedded into systems forever as part of huge groups, be it Aadhaar or a website’s cookie database which works as an identifier?

Rights are guaranteed at the individual level but they set in place accountability mechanisms that benefit society as a whole. Interestingly, in the aftermath of the Cambridge Analytica episode, we saw stronger calls to treat data privacy as a public or common good, similar to clean air or safe drinking water — and, therefore, requiring a collective response. 

Businesses and governments should no longer be able to rely on a meaningless ‘I accept’ to evade liability and, instead, be made to comply with the limits set in the law. An empowered regulator can hold these entities accountable, regardless of whether or not individuals make specific claims.

Business Standard is now on Telegram.
For insightful reports and views on business, markets, politics and other issues, subscribe to our official Telegram channel