Follow Us:
Tuesday, December 01, 2020

The private lives of others

Why data protection legislations cannot protect us if other individuals violate our privacy online

Updated: November 10, 2020 7:12:49 pm
Data Empowerment and Protection Architecture, Data Empowerment and Protection Architecture draft, DEPA, Niti Aayog, Niti Aayog Data Empowerment and Protection ArchitectureData protection is simply one facet of privacy. (File)

Written by Parv Kaushik

The Personal Data Protection Bill, 2019, is currently making its way through parliamentary procedure and is being scrutinised by the Joint Parliamentary Committee. If passed, it will be the first comprehensive data protection legislation in the country. In recent years, there has been increased concern regarding how our data is collected by platforms like Facebook, Google and Amazon. These concerns flow from the opacity with which these platforms collect our data, how much data they collect and with whom they share it. Data protection legislations are primarily aimed at regulating the activities of such platforms and hope to empower individuals in determining how their data is used. However, there is more to privacy than data protection. There are a set of actors beyond online platforms that perform similar acts and pose significant threats to privacy: Fellow humans.

We constantly collect personal data on others in the course of our interactions in society, through social media, and sometimes by simply listening into conversations happening around us. We have the ability to share this data in an instant across different platforms and can do this with limited or no obligations to pay heed to privacy concerns. The privacy concerns stemming from user-generated content on social media platforms are not recent but have existed since the emergence of these platforms, and have only been exacerbated with advances in technology. As far back as 2006, Google was sued for unlawfully processing personal data when a group of students uploaded a video revealing a child’s health conditions on Google Video. More recently, companies involved in facial recognition technology, such as Clearview AI, are known to have built their database of images by scraping through photos uploaded by users on social-media platforms. Even if an individual abstains from social media, content posted by other users may still result in violation of their privacy. Therefore, our ability to protect our privacy online is only as good as our ability to prevent others from posting content online.

I believe data protection legislations are incapable of addressing such unique privacy concerns that flow from user-generated content. Data protection legislations such as the PDP Bill, 2019 assign liability by determining whether the individual or company is a data fiduciary. While classifying the user who posted the privacy violating content as a data fiduciary may be consistent with its definition, it would be result in the knock-on effect of subjecting individuals to all obligations for data fiduciaries under the PDP Bill, many of which have been drafted assuming companies to be the obligor. It could lead to a floodgate of claims, seeking to enforce a variety of obligations ranging from those regarding data quality to the right to erasure. Addressing such privacy concerns through data protection legislations is unworkable due to the complexity involved in legally establishing an individual as a data fiduciary as well as the repercussion of casting the significant number of obligations that such legislations contain on day-to-day users of social media.

Peer-to-peer privacy violations are better addressed through specialised law. One alternative could be to recognise and codify the tort of misuse of private information. A tort specifically deals with a civil wrong inter se individuals, and is, therefore, better suited to tackle privacy harms arising from user-generated content on social media. An individual facing privacy harms due to content uploaded online is primarily concerned with the content being taken down and, perhaps, claiming damages for the distress caused. The tort provides for both remedies without involving the multifariousness of data protection legislations. All that is needed to be shown is that there is a reasonable expectation of privacy vis-à-vis the information that has been revealed. Having a specialised legislation to address peer-to-peer privacy violations simplifies the process of seeking remedy while also providing clarity on the scope of the PDP Bill.

Data protection is simply one facet of privacy. Issues of privacy go beyond collection of data by online platforms and are interwoven with acts of individual speech. There is a need for a wider ecosystem of legislation to address privacy concerns holistically.

The writer is a final-year law student at the National Law School of India University, Bangalore

📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines

For all the latest Opinion News, download Indian Express App.

0 Comment(s) *
* The moderation of comments is automated and not cleared manually by