M.U.H 27/03/2018 1697
Written By Amba Kak
When you order through a food delivery app on your phone, it might retain your address without your explicit consent, so that the next time they know where to send your order. The app might also send discount coupons to the same address without fresh consent. So far so good.
But what if your food delivery history, and location data has also been tracked via your mobile so that it’s possible to identify what times and locations you’re most likely to make large purchases. That data is then shared with an e-commerce website and suddenly you can’t figure out why you see a higher quote for the same product as compared to your friend.
And what if the food delivery app shares your consumption preferences with your health insurance company. They conclude that your excessive intake of fast food indicates high likelihood of certain diseases, and therefore more expensive premiums.
Maybe you were ordering pizzas for your office, and so it’s an inaccurate inference. But you might never have the opportunity to challenge it.
Of course the privacy settings of the delivery app had an “opt out” to thirdparty data sharing. But you never went so deep. You were just ordering pizza.
In the wake of the Cambridge Analytica scandal the cry has gone out that “something” must be done. The Indian government has joined the chorus, and Union minister Ravi Shankar Prasad has wagged a finger at Facebook CEO Mark Zuckerberg warning that there would be “stringent action” if his company was found complicit in the “theft” of Indian people’s data.
Despite these allegations, this is not a story of unforeseen hacks or breaches. Much like the food delivery example, it is about an entirely foreseeable problem that flows from a lack of accountability through the chain of entities that process vast amounts of personal data, and a failure to ensure informed consent.
If ever there was a moment to recognise that the market for personal data will not correct itself, it is now. What we need more than a summons to Zuckerberg, is a strong data protection law.
In May this year the General Data Protection Regulation (GDPR) is set to come into force in Europe, with variations in several other Asian countries. These already give us the right language to call out the problem, and some tools with which to tackle it.
Here is what we would need to start with: Purpose limitation: We need the legal principle of “purpose limitation” to restrict unbridled access to personal data. The app economy is fuelled by data sharing – for example, maps that use your location, or communication apps that access your contact list, which may be acceptable. But app developers should only be permitted to collect data that they can demonstrate as proportionate and necessary for the stated purpose of their service.
Consent: As the collective outrage to the Cambridge Analytica revelations demonstrates, people were shocked at the permissive settings on their own Facebook accounts. Default opt-in, what is termed “consent based on silence”, seemed unjustifiable.
India’s privacy law needs clear standards for consent. The European GDPR mandates that this must be freely given, specific, informed and unambiguous. It clarifies that language should be clear and plain, use no unfair terms, and must allow separate consent to be given for different data processing operations. It should be possible to consent to one but refuse it to another. (South Korean law in fact requires active opt-in to any marketing uses of personal data.) Even-if consent: The fine-print cannot be viewed as a contract that encapsulates the sum total of our rights. Our rights to privacy emanate from the Constitution, and the Supreme Court’s landmark privacy judgment recently reminded us that any interference into privacy must be necessary and proportionate.
Regardless of the user’s consent there must be obligations to fulfil fairness and proportionality. For example, consent should never legitimise the collection of data in excess of a specified purpose.
Legitimate interests of the business: India’s law will need clear standards for what businesses claim to be “legitimate interests”, offered as an alternative to consent. If individuals could not reasonably expect their data to be used in certain ways, or if it would cause a violation of their right to meaningful opt-out, then that should override the business interest. Combining distinct databases, where data was initially collected in other contexts, and for other purposes, and which create complex profiles of individuals without their knowledge, is not legitimate, proportionate or necessary.
The Cambridge Analytica episode demonstrates that enforcing the substance and spirit of privacy law might be a challenge. However, this pessimism should only get us to stronger regulation. A toothless regulator is far easier to ignore – both at the stage of enforcement but even at the prior stage of compliance.
A strong data protection authority with clear standards and punitive powers will have tremendous influence over the legal risk calculus of companies providing services to Indians.
Summoning Mark Zuckerberg may not.
Imambara Ghufranmaab
Add : Maulana Kalbe Husain Road, Chowk, Lucknow-3 (INDIA)