Consent and privacy protection
New Delhi: Every service provider today, whether online or offline, collects and uses personal data in the course of providing us with goods and services. As a result, our data is collected, processed and consumed in ways too numerous to comprehensively enumerate. Our online activity is logged, our shopping preferences analysed and our social media activity designed to offer a real-time window into our personal lives. Every financial transaction we undertake is tracked and correlated, offering deep insights into our personality—sometimes beyond what even we are aware of.
Most countries have comprehensive laws relating to the use of personal data and insist that anyone collecting such information should first obtain the prior consent of the subject before collecting it. India does not, at present, have a full-fledged privacy law. As a result, apart from a few regulated industries that are obliged to comply with sector-specific regulations, most online service providers in India have no guidance as to what they need to do to secure the privacy of the data they collect from their customers.
Sunil Kulkarni, joint managing director of payment solutions provider Oxigen Services India Pvt. Ltd, said that while companies such as his are regulated and customer details kept in an encrypted form, privacy remains a matter of concern as far as the large number of other unregulated mobile applications are concerned. “There are audits, checks and balances from certified agencies when it comes to corporate entities which are formally regulated. However, there is no law to regulate applications which access messages, notifications and contacts without customers’ knowledge.” said Kulkarni.
Consent is the basis for privacy protection around the world. Data protection laws around the world secure the personal privacy of data subjects by insisting that anyone who collects or uses personal data must only do so with the express consent of the subject.
Most companies in India are mindful of the implications that their services could have on the privacy of their customers and, for that reason, try to obtain user consent before they use personal data. Almost every application that you download or service that you register for requires you to first agree to site-specific terms of service before signing up. “I accept”, “I do” and “Yes”—powerful words denoting acceptance—are becoming increasingly commonplace in our digital lives. They greet us at the beginning of each new relationship we enter into and signify our acceptance of every change to these terms and conditions. These terms and conditions list the various things that the service provider can do with the data they collect from us, and form the basis for every action that data controllers take.
These contracts, however, are dense and complex, making it difficult, if not impossible, to effectively assess the implications of agreeing to their terms. This, combined with the sheer number of contracts we end up signing, leads to consent fatigue and consequently to diminished consent as it becomes impossible for us to truly understand the full extent of the implications of consent on our privacy.
Alok Prasanna Kumar, policy expert and research fellow at Vidhi Centre for Legal Policy in New Delhi said that one problem with the consent provided through Internet-based (click-wrap) agreements is that there is no obligation on the companies that collect this data to explain the implications of collection to the consumer.
“The consent given here, when examined under the law for consent as it stands today (under the Indian Contract Act, 1872) could be vitiated on grounds of misrepresentation or for being against public policy at large. Some click-wrap agreements are never freely consented to, because they are of a take-it-or-leave-it nature, imposing unfair obligations,” said Kumar. This includes insisting that disputes will be decided by arbitration in some other jurisdiction.
What makes this situation even worse is the fact that databases today are designed to be interoperable, allowing them to interface with other datasets using application programming interfaces (APIs). Most privacy policies that we accept include provisions relating to such interchanges of personal data. If it was difficult to assess the impact of modern privacy policies on direct data collection and use, trying to assess the impact of interconnected datasets, where the insights gleaned are often unpredictable, is virtually impossible.
Jayant Saran, partner, forensic-financial advisory, Deloitte India, said that at present, consumers have no way of knowing which third party has access to the data collected from them by a service provider or how it is being put to use.
“A data protection law and a regulator with the teeth and mandate to review the entire process of data collection and use are the needs of the hour,” said Saran. The International Association of Privacy Professionals (IAPP, iapp.org), does “not believe that consent is the best or only way to empower individuals in this day and age”.
First, IAPP believes that consent has become “overused” and “over-relied” in practice. It points out that privacy policies and notices are too numerous, long and complex to result in valid consent. The solution, IAPP believes, will not simply be in developing shorter and better privacy policies in order to obtain more valid consent.
Second, IAPP notes that the context makes it impossible to obtain valid individual consent, such as where there is no direct interaction with individuals or individuals may not have a relationship with organizations that may touch their data in the context of an ecosystem of mobile devices and the Internet of things (IoT). Machine learning systems and artificial intelligence tools do not need explicit programming and can teach themselves from mountains of data.IoT is about billions of devices communicating and sharing data with each other over a network, primarily the Internet.
The context, IAAP points out, makes consent inappropriate, such as in fraud prevention or information systems and network security, where seeking consent would prejudice the very purpose of processing.
According to a May 2016 paper by the Policy and Research Group of the Office of the Privacy Commissioner of Canada, the consent model of personal information protection was conceived at a time when transactions had clearly defined moments at which information was exchanged. Individuals generally knew the identity of the organizations they were dealing with, the information being collected, and how the information would be used.
“Today, with cloud computing, big data and the Internet of things (IoT), the environment is radically different. Further, traditional point-to-point transfers of data are being replaced with data flows through distributed systems, making it difficult for individuals to know which organizations are processing their data and for what purposes,” the paper notes.
Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank, says a serious debate is needed on “informed consent”, given that in reality, people don’t understand the complex ways in which information intermediaries use consumers’ data. While it might be possible to require customers to sign up to terms and conditions and standard form privacy policies that purportedly safeguard consent, this consent has limited validity when customers are not fully informed about what they are signing up for or the implications of providing that consent.
Whichever way you look at it, it seems that consent as a means of safeguarding personal privacy seems to be increasingly irrelevant in the modern context.
As India begins to formulate the principles based on which its privacy law will operate, it would do well to heed the experience of countries around the world and develop a law based on principles that are relevant in its own context and responsive to the current state of technology.
A nine-judge Constitution bench of the Supreme Court is currently deliberating whether or not Indian citizens have the right to privacy. At the same time, the government has appointed a committee under the chairmanship of retired Supreme Court judge B.N. Srikrishna to formulate a data protection law for the country. Against this backdrop, a new discussion paper from the Takshashila Institute has proposed a model of privacy particularly suited for a data-intense world. Over the course of this week we will take a deeper look at that model and why we need a new paradigm for privacy. The fundamental basis for privacy protection in most data protection laws around the world, is consent. But when everything that we do is done digitally, we have to wonder whether consent is still an effective protection against privacy violation.
To read the first part in this series, click here.