Date: 2020-11-07

Privacy is an elusive ideal. It seeks to protect our decisional autonomy over intimate and private information, and consequently cannot always be simplified to a yes or no question of consent. The choices we make about whether to share information about ourselves, how much we reveal, with whom we share it, and whether and how they can share it further are always contextual.

This can be very simply illustrated using healthcare information. Information about our health is sensitive and personal. We might share details of our health with spouses or family members, but often not with friends. We always share it with consulting doctors, although the doctors, unlike a spouse, might not reciprocate by sharing similar information about themselves. Under regular circumstances doctors would be required to keep this information confidential. However, in a situation where a patient is, say, in a coma and unable to decide for themselves, doctors may share this information with a family member at the hospital. If that patient’s regular doctor is not available at the hospital, the hospital might authorise another doctor to get access to the patient’s health records. In all these situations the rules that determine the privacy protections offered to the data are determined by the context of the information sharing. Privacy is elusive, because it’s not black and white in the way that consent is. It’s contextual.

Very recently, the government launched the National Digital Health Mission, which aims at creating a digital health database by linking people’s health records to a Health ID which can be accessed by doctors registered on the system, or health facilities, with the consent of the patient. Consent, when used in this manner, is simply a digital version of what was discussed earlier. So, what happens when there is a pressing need for the information to be shared with a person who would not ordinarily be allowed to access it? And how do we decide when such sharing is legal?

The Personal Data Protection Bill, 2019 (PDP Bill) does not go into these nuances and may not help us arrive at an appropriate decision with regard to the contextual aspects of privacy. But for us to truly realise a right to privacy, the laws that protect our privacy need to acknowledge that there are different contexts in which we share information. What the PDP Bill does, however, is provide a means by which we can explore such nuances through the regulatory sandbox provision in Section 40.

A sandbox is a space where a child can be left to play without fear that they will get hurt. A regulatory sandbox is a ring-fenced space within which legal and regulatory restrictions can be temporarily imposed or relaxed as appropriate to evaluate what the implications of such measures might be. By measuring the impact of regulations in a sandboxed environment it would be possible to have a better sense of their unintended consequences before releasing them into the wild. As it stands now, S.40 of the PDP Bill is riddled with issues; however, if implemented properly, it can pave the way for a better understanding of privacy.

In the UK, developers in the sandbox consult the privacy regulatory body on how to adapt their products to bring them in line with the GDPR. The regulator uses the sandbox to understand what specific privacy regulations need to be applied in certain sectors or with certain types of data. For example, the current iteration of the UK’s sandbox is accepting applications for products that involve the use of children’s data – another context where consent is not black and white.

By allowing developers to experiment in a space where legal and regulatory barriers are minimised, we will encourage greater exploration in specific contexts – allowing information to flow in ways that would have otherwise been impossible. If regulators get practical insight into these uses of data, they will be able to learn the various ways in which data might be deployed in different contexts. In the case of healthcare, a regulator would be able to understand situations in which a patient’s data were required to be accessed without their consent and assess whether such access was justified. These insights can then be used to draft privacy regulations in that context. By understanding the nuances of how information flows in different contexts, we thus move towards an understanding of privacy that mirrors our societal understandings of privacy in various contexts.

(Lakshmi T. Nambiar is a student of the National Law School of India University. The views expressed in the article are personal and do not reflect Mint's.)

