Opinion Protecting people’s privacy is essential to maintaining democracy

The network effect is at the core of social media as we know it. It signifies the increase in the purported benefits to each user with the addition of more users. For instance, you are likely to join a platform that has a larger user-base to connect with more people and access more content. Such platforms will probably have better interactive features, and curation of services, shaped by analysis of a larger pool of users’ data. Enhanced collection of personal information makes business sense for social media platforms. Currently, it is practically impossible for an individual to know what information about them is being collected, discerned and used, and why.

With personal data, platforms can create astonishingly detailed profiles of users including not only relatively more discernible attributes like age, gender, location, but also the non-obvious ones such as likes, dislikes, ideological leanings and habits. Such data can then be monetised — by platforms or other entities scouring the data on platforms — by selling it or using it to offer services such as personalised ads and micro-targeting. For instance, after the 2016 presidential election in the US, consulting firm Cambridge Analytica claimed that it had 5,000 data points on each user, gleaned from millions of Facebook profiles, which it used to profile voters, micro-target ads and influence behaviour.

Political parties benefit from digital networks, including both social media and dedicated party-based apps with detailed information about supporters. These are useful for benevolent purposes like increasing awareness about their work and goals, and more insidious reasons such as targeting tailored content to influence groups on the basis of demographics and political leanings discerned from online activities. But where does this leave the people, whose privacy is invaded and whose data is used in opaque ways for commercial and political interests?

India’s data protection act has not yet come into force. Its critical flaws include absence of limitations on government’s powers to access data, lack of independence for the data protection board and absence of important actionable rights for individuals, such as the right to compensation. The imminent rules to guide the implementation of the act are an opportunity to mitigate the damage, and meaningfully protect privacy. Without the rules, there is still no data privacy framework — a particularly damaging situation as the country gears for elections. So they need to be implemented soon.

The limbo between the law being passed and enforced seems to have disadvantaged one stakeholder group in particular — the people. For instance, the Madhya Pradesh Chief Information Commissioner reportedly withheld information requested under the Right to Information Act, citing the Data Protection Act, which is in fact not in force. There is no Data Protection Board before which individuals can seek redress. Such instances exacerbate the harm to people’s privacy and right to information that the law must in fact serve to eliminate. The rules must prioritise the impact on people, who are at the centre of the information and data ecosystem but often get the short end of the stick.

The necessity for speed, however, ought not stamp out an inclusive and receptive consultation process. The Data Protection Act, which was rushed through Parliament without any debate, fails to incorporate the feedback of several stakeholders on effective protection of people’s rights and autonomy. It also seems to fall short of the best international regulatory practices. In the absence of meaningful amendments to the law — which, to be sure, should be the goal — the rules must apply correctives. Consultations must be a sustained process with opportunities for multi-stakeholder engagement.

The rules must provide for the independence of the Data Protection Board especially on how its members are appointed, and ensure strict checks and safeguards on the executive’s powers in this regard, even though this can fundamentally and reliably only be ensured through legislative changes. On data collection, storage and disclosure, the rules should mandate adherence with the principles of necessity, proportionality, purpose limitation and data minimisation.

This would help prevent burdening individuals disproportionately with the responsibility of protecting their rights under the pretext of consent. Sensitive data must be explicitly identified and must include financial, health-related, biometric, racial, ethnic, or genetic information, as well as official identifiers like Aadhaar and driving license numbers. Heightened security standards must apply to this data, and strict restrictions must be placed on their use, even by authorities. Algorithmic transparency from platforms is essential to scrutinise how personal data is used to decide who sees what online. Redressal mechanisms must be accessible and strengthened through enhanced actionable rights. And data protection impact assessments must be designed to prioritise rights, ensure transparency and enable public scrutiny.

Control over data is a key lever in the power structures of today’s information-driven world. A framework that empowers people to exercise agency over their personal data is, therefore, essential to correct power asymmetries which would otherwise seriously undermine people’s power in a democracy. A political party’s approach to people’s privacy, right to information, more broadly people’s role and position in the big data ecosystem, is reflective of its approach to constitutionally guaranteed rights and freedoms. As the country gears up for elections, this must be a metric on which the commitments of political parties in their manifestos and campaigns are judged. Digitisation is here to stay, but its benefits must not obliterate the need to develop inclusive and rights-based models that will be beneficial in the long run.

Challenges to privacy are pervasive. But an election time in a democracy amplifies these challenges and the potential damage to people’s rights as political and business interests intensify, impacting not only individuals, but the state of the democracy as a whole. A people-centric data protection regime that finally readjusts the balance that has so far tilted in favour of data fiduciaries in the private sector and government, is the key to unlocking the full potential of Digital India.

The writer is Senior Policy Counsel at Access Now