There is an inherent tension between the growth of India’s digital economy and the protection of personal data, says the Justice Srikrishna committee report on data protection. At the heart of this tension is the quantity of data that entities — companies like Facebook, Google, Amazon and even the government — collect from users and the reasons for which they do so.
These entities, driven by their demand for more and more data, often determine the purpose of the data much after it has been collected. Also, individual users behind their anonymised data may be able to get re-identified.
That’s why the committee has identified two pillars as key to the protection of an individual’s autonomy: “Data minimisation” (the entity should collect only that much data as is needed) and “purpose specification” (it should disclose the purpose why data is being collected). And made three suggestions:
* Forbid re-identifying individuals amongst anonymised data.
* Allow big data processing that improves services or purposes which are “reasonably expected” by the individual.
* Narrow big data processing to ensure that there is no significant harm to the individual; no decision is specific to or an action directed at an individual and, if the action is specific to an individual, companies must seek explicit consent.
“It may be argued that seeking such consent may be un-implementable. We do not see why this must be the case — if an individual can be targeted precisely for the purpose of showing her an advertisement or a particular communication, surely, she can be targeted for seeking consent before such action. The final call on how the consent should be obtained should be left to the determination of the DPA (data protection authority),” the committee said.
The report suggests legally treating consent as a product, since consent agreements are usually one-sided without any bargain between the individual and the data entity.
Big data usually implies the use of machine-learning algorithms — the decisions of which fill news feeds, personalised recommendations, and online advertisements.
These algorithms collect vast amounts of data about individual behaviour and determine patterns within that data to predict results considered relevant or useful.
The committee makes a distinction between this and manual processors of limited amounts of personal data, saying the latter should not be subject to the same legal duties.
The report also emphasises the law’s jurisdiction on companies that have a “significant economic presence in India” or those who carry out business in the country.
Also read | Right to be forgotten comes with riders
Both personal data processed by Indian companies, even if the processing occurs abroad, as well as personal data processed by foreign companies in India must be protected, the report states.
If foreign websites access India data in a way that is “neither large-scale nor capable of causing significant harm”, the Indian law should not apply, the report says.