Moving towards a user data rights regime

Mint ST - VIEWS

A system of user data rights will balance the reality of new technologies and increased data processing with the need to limit harms

The collection and use of personal data in order to deliver public and commercial services is now routine in India. For a country with large digital ambitions, one of the key questions will be: How should we think about regulating the use of Indians’ personal data?

We believe that like rights to most goods, personal data will be best protected by a system of user data rights. The objective of such a regime would be dual: to empower people to use their information as they desire and to protect people from undesirable harms. Rights jurisprudence stretches back several hundred years, but a pithy definition encapsulating our modern understanding of rights is found in the Stanford Encyclopaedia Of Philosophy which defines rights as “entitlements (not) to perform certain actions, or (not) to be in certain states; or entitlements that others (not) perform certain actions or (not) be in certain states”. The underlying nature of this entitlement can be understood as freedom of two kinds: freedom to enjoy certain conditions (i.e. empowerment) and freedom from certain conditions (i.e. protections against harms).

The Supreme Court decision in the K.S. Puttaswamy case (2017) sits squarely within this understanding. It declares privacy to be a fundamental human right of Indian citizens—protecting us from undesirable privacy harms that result from disclosure of our personal details and empowering us by reiterating our right to determine what we disclose about ourselves in different aspects of our lives. The core of a new data protection regime for India must be built around a system of user data rights serving these dual objectives. Such an approach would trigger graded obligations and liabilities for entities using personal data.

The implied premises of several existing approaches to data protection are that of a “property-only” view that commodifies data to give users the illusion of control. This has led to the creation of the fiction that when users are given a voluminous legal notice and asked for consent through “I agree” buttons, they are in effect exercising their property rights to sell or trade their data in exchange for services. The limitations of this “informed consent” or “notice and consent” model are well established. We know that users face cognitive constraints in evaluating the costs and benefits of consenting to data collection and use, since the benefits to be had are immediate and the costs of sharing personal information are often not apparent. This means we cannot rely solely on consent, but must also consider other user data rights to control the flow of personal data.

We propose that the focus of our future regime should be a system of user data rights. These rights should build in features from a range of legal paradigms to empower and protect individuals. Property-like rights granting “ownership” over personal data can only be a starting point. To avoid reinventing the (broken) wheel, we must consider lessons from paradigms like intellectual property, moral rights and human rights. Intellectual property rights like copyrights allow holders to grant licences for use for limited periods—a device which could have relevance to data sharing protocols. Moral rights, which give authors the right to stop modifications of their work that could harm their reputations, could provide parallels when considering the distortion of personal data. Human rights paradigms have increased relevance with the growing interaction between our digital and physical selves, binding us closer to our personal information. The judgements in the Puttaswamy case embolden this view, placing, as they do, certain rights in relation to informational privacy within the realm of inalienable human rights which individuals even acting autonomously cannot discard or give up.

Borrowing from the entire universe of rights jurisprudence would also help us think creatively about liability frameworks and obligations for entities processing data. Consider, for example, the financial transactions of a person purchasing medication for a serious illness. She might be happy to have this transaction history stored with her bank, and used by the bank’s personal finance management tool to recommend a monthly budget plan. This use could be dealt with through property-like data rights. However, disclosure of these details to third parties or the public could have terrible consequences—from social shaming to implications for future employment. This could trigger stronger sanctions and remedial rights for the person underpinned by moral or human rights, especially if it results in privacy violations or discrimination.

In India, we are at a decisive moment for data protection regulation. The Supreme Court has recognized our fundamental right to keep certain information about ourselves private. A committee on data protection chaired by Justice B.N. Srikrishna is currently working on a framework for a wider law that will determine the granular data protections afforded to individuals. We believe that a system of user data rights will balance the reality of new technologies and increased data processing with the need to limit harms to individuals and society. The law that enshrines these rights must be in line with users’ reasonable expectations about how their data will be used, and also identify harms to be avoided. While designing these user data rights, we must cast the net wide to gain insights from a range of legal paradigms rather than defaulting to the current, unsatisfactory notice-and-consent-led model that neither empowers nor protects users.

Comments are welcome at
