The Privacy Paradox

Photo by Jason Dent on Unsplash

When the way we work, we socialise and we live has be disrupted by the pandemic; when one of the most populous country in the world is undergoing massive internet and data penetration; leaving digital privacy to dot-com era regulations cannot be acceptable any further.

Back in 2019 a joint parliamentary committee proposed THE PERSONAL DATA PROTECTION BILL, 2019 (lets call it PDPA) which is been regarded, by many, as India's GDPR. Globally, EU General Data Protection Regulation is considered as a hallmark of data-regulation which truly aims to foster privacy for its citizens. India, which is globally seen as a "third-world country", was never expected to frame anything close to GDPR, but when it is making bold steps towards implementing something similar, global corporations are not pleased with the move. This article will not be a critical analysis to the proposed regulation; rather we aim to glide over some of the nuances which we found interesting and in a way counter-intuitive to the notion of privacy.

In the recent past, citizen's privacy got gigantic support from a 2017 ruling by the Supreme Court of India, when it was engraved as a constitutional-right.

On the crux, the regulation (of PDPA) treats the data generated by Indian citizens as a national asset hence it needs to be stored and guarded within national boundaries; and thereby reserve the right to use that data to safeguard its defence and strategic interests.

Let us dive little deep:

Whenever a data principle (/an Indian citizen) browses the internet or consumes online-media or any form of digital interaction with a data fiduciary (/a website) that data will be classified into 3 major categories:

1. Critical data includes information that the government stipulates from time to time as extraordinarily important, such as military or national security data.
2. Sensitive data includes information on financials, health, sexual orientation, genetics, transgender status, caste, and religious belief.
3. The third is a general category, which is not defined but contains the remaining data.

Depending on these categories, there are restrictions imposed:

1. Critical data cannot be taken out of the country at any cost.
2. Sensitive data may be processed outside, but must be brought back to India for storage.
3. There are no restrictions for general data.

But even before you start creating any data-trail, it is the responsibility of the data fiduciary (includes individual, Company and even State) to seek your confirmation to the following:

1. collection of data (and type of data collected)
2. processing of data (by itself or by any third-party, data processor)
3. seeking correction
4. and most importantly erasure of data, whenever consent is withdrawn

What is means for you? Unusually long privacy statements before you enter any new website over the internet (similar to the ones which we don't care to read, yet religiously Accept while installing an application in our phone).

Source courtesy: https://fiuce.com/ui-design/

But this time you might see few toggle switches which would allow you to select or deselect some options regarding YOUR privacy. So this time please be little serious about what you accept.

But what is the Paradox?

Let us talk about the elephant in the room, Data PRIVACY. To what extent has privacy been kept the central theme of the Bill and what are the way arounds. So the simple question is what are the exceptions to the law?

To begin with, there is NO regulation on any anonymised data. See, there is no intention of us to confuse you, it is what stated in the Bill. As per the bill, “anonymisation” in relation to personal data, means such irreversible process
of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority.

In simple words, if authority prescribed data sanitation is done and that data (apparently) cannot be traced back to you then data-privacy laws are not applicable.

Fair enough…. what's next?

This law, as mentioned before, treat citizens’ data as a national asset, i.e., laws similar to control over citizens’ physical properties are applicable to citizen's data. When responding to the security of the state, detection of any unlawful activity or fraud, and epidemic and medical emergencies, entities of the government (of India) will not require individuals’ consent to obtain their personal data. This means whenever the government demands its citizens’ data, digital companies would have to abide and assist the Indian government’s defence policy.

Now… are you OKAY with the above?

This is very much subjective matter and surely it will be looked upon with serious scrutiny in the future. But at first we must have something in place, thereafter we can seek for amendments.

But this is not it… What if you are asked to link your Aadhaar to Facebook?

The Bill (as per section 28[3]) requires intermediaries to extend to users the voluntary option to verify their accounts, and verified accounts are to be provided a mark that shall be visible to all users. Basically there would be 3 categories of social media users:

1. Users who have verified their registration and display real names;
2. users who have a verified registration but have kept their names anonymous; and
3. users that have not verified registration.

This would be a first regulation of its kind in global social media.

The Tax Angle:

There is another implications which might be on the global digital companies which have been allegedly evading taxes from India's Income-Tax deprtment. We believe that, with data-localisation the Indian authority will have more leverage to collect tax on the digital multi-national companies.

This is just the beginning:

The Indian government is very serious about the entire gambit of digital activities and this is just one part of the numerous steps that are been taken in this front. For example, there will be regulations on internet-influencers on their promotional activities, formalisation of gig-workers and a policy on healthcare data of its citizen. These are all stories to be discussed another day, for now please take a glance on this historic bill that's going to shape the Digital India of tomorrow.