To share personal data or not? It’s time India came clean on its privacy laws

While the idea of 'celebrating' the International Privacy Day on January 28 is fairly new to India, the public discourse around data privacy almost goes back a decade. Back then the talk was about amending the IT Act to include provisions for protecting privacy of data and now it is about enacting a strong 'Right to Privacy' legislation and little has changed since. However, most of the discussions seeking legal safeguards have not found it necessary to tell citizens why they are entitled to the privacy of their personal data.

Proliferation of applications

October 2015 saw us reach a billion mobile phone subscribers, with an active base of 902 million. Among these, there are about 300 million smart phone users that utilise their phones for tasks such as shopping, hailing cabs, ordering food as well as taking online educational courses and making payments. Smartphone usage is now a way of life, evident from the fact that users have an average of 32 applications per person.

As the smartphone market boomed and continues to grow exponentially in India, mobile apps platforms have been proliferated with new applications every day. They offer lucrative promotions for smartphone users to download their applications and utilise their services. A closer scrutiny of their business model reveals that the amount of money invested in promotions is way too high compared to the returns they get. It also explains why a lot them are yet to break even or make profits even after being in the market for more than five years.

It then becomes clear that the 'product' in this case is not the app but the data that the user is generating while using the app. Using complex algorithms, the patterns and preferences of the user are identified. The primary use of this processed data is for targeted advertisements. However, the user has little or no knowledge of what happens to this data beyond advertisements. It may be sold to the highest bidder for use in development of other apps or it may even be shared with law enforcement agencies for threat-profiling.

Data collection or data hoarding?

It's not just the matter of what can be done with the collected data, but also about what kind of data is collected, how much of it is collected, for how long it can be held, and who owns the data. The application owners have incentives here, so, it's in their best interest to get as much information as they can. The incentives come from the potential of data, which drives innovation in the market.

Even if we are to get specific laws that aim to protect user data privacy, users would not know if and when their privacy has been violated unless app owners are 100% transparent with their collection and usage methods. Add to this, the phenomenon of data moving unhindered across geographical boundaries and it becomes hard even for the app developers to properly adhere to one country's privacy law. Quite clearly, there is a need for a cultural shift among application developers to move from data-centric approach to a consumer-trust centric approach. Privacy laws will work better only if we clearly differentiate who they will regulate and what they will protect.

The fault in our laws

Recently, the Supreme Court issued notices to WhatsApp over an appeal against the instant messaging service for not ensuring the privacy of its users and to the Centre for seeking regulations to protect personal information. This response of our courts is in stark difference with that of Germany's Commissioner for Data Protection and Freedom of Information, who ordered Facebook to cease collecting information of German WhatsApp users and asked it to delete all data that has been shared previously. It went on to state that Facebook and WhatsApp should act as independent companies and process user's data on separate terms and conditions. If we were to highlight main difference in the way the same issue was tackled by two different institutions, then it is clear that the order of the German authority is primarily focused on the entity that will be collecting the data, in this case, Facebook and protects the end user's interests. On the other hand, the last option for an Indian user who does not wish to share his personal information is to not use WhatsApp's service.

It is this differentiating treatment towards the same solution that warrants a close look at the data privacy laws in our country. In their present form, provisions in the Information Technology Act (2000) and subsequent amendments that try to address privacy concerns are piecemeal in nature. A 2012 report by the Justice Shah Commission mentions 57 existing legislations and policy guidelines that need to be amended to include privacy implications arising in future. This list includes some old laws like The Negotiable Instruments Act, (1881) as well as recent ones like the Right to Information Act, (2005).

The need for new Principles of Privacy

The same commission had also recommended the 'Privacy Principles' that are frequently quoted in literature around privacy issues in India. Most of these principles draw from privacy legislations in the Europe dating back to 1980s. While we have not even adopted any of these yet, adopting them now might even be counterproductive. We cannot apply the principles of 'notice' and 'consent' in an era where smart devices are monitoring heart beats. In the current data collection practices consent system is broken, and pointless. Legal jargon often entangles and confuses users.

Europe has been on the forefront of privacy legislation and recently the EU came out with draft 'Digital Single Market' plan that has a default 'opt-out' for data sharing by users, instead of a default 'opt-in' as is the case today. Similarly, Indian users should be given the option to opt out of specific features instead of a singular 'I Agree' button. End user agreements need to be simplified, made more specific and available in commonly understandable terms. Another way is to highlight exclusions (all data except for that mentioned in the exclusion list will be shared). Moreover, deletion of user data should be real time and not after a predefined timeline as seen with most messaging applications today.

We could also adopt the principle of "Datensparsamkeit" (roughly translates to data minimization) from the German privacy legislation. It advocates the idea of storing as much personal information as is absolutely required for the business or applicable laws. Following datensparsamkeit techniques even in jurisdictions where it is not legally mandated, can allow service providers to reduce the information they store. If they won't collect or store personal information, we won't need to worry about it been shared or used without user consent.

Citizen's entitlement to Privacy

As things stand today, the Indian government is fighting tooth and nail to justify that 'Right to Privacy' is not explicitly a part of 'Right to Life' in the Indian constitution. On the occasion of International Data Privacy Day, we can hope that the Supreme Court bench that is slated to hear this case makes the government reverse its stance.

It is either this or the government may as well openly declare that it is fine with its citizens handing over their personal data to multinational corporations that not only change the rules of the game but the game itself to suit their interests.

Puru Naidu is a research analyst with the Takshashila Institution. Ranjeet Rane leads the digital policy team at The Dialogue, an online policy analysis portal.