This article is Part 9 of a multi-part series explaining the recently issued white paper on data protection in India. The responses to the white paper will help in the formulation of India’s future data protection laws. You can read Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7 and Part 8.
The rights of access, clarification and rectification, discussed in Part 8 of this series, are essential to any privacy law and find a place among even the fundamental privacy principles established under the Fair Information Practices and the OECD Guidelines. These fundamental principles were, however, framed before the arrival of the digital age.
Developing practices with data, such as its use for marketing purposes, or the perpetual nature of information published on the internet, lead to a need for rights of a different nature. To deal with such new issues, some jurisdictions, such as the European Union (EU), have developed and granted new rights to individuals. The White Paper looks at some of these rights and their relevance in the Indian context.
A right against direct marketing and spam
Finding an inbox filled with spam and marketing mails has become a part of everyone’s daily life. A privacy law can give a remedy to deal with this, in the form of the right to object to the use of your data for direct marketing. Marketers tend to obtain this information from multiple sources, whether directly from the individual or from public sources.
Privacy laws, in general, allow direct marketing as a legal activity, but only until the individual objects to it. On objecting, the marketing must stop. In some jurisdictions, continuing with the marketing communications also meets with huge fines, such as the UK’s ICO’s fine of £130,000 to a pharmacy company for selling their customers’ data to a third party without their consent.
Direct marketing is also slightly different from spam, which consists of unsolicited mails sent to a large number of people. Direct marketing involves the specific targeting of an individual. In India, spam is typically handled by TRAI, such as the establishment of the do not disturb (DND) registry. TRAI has, in fact, issued a Consultation Paper recently on Unsolicited Commercial Communication.
While TRAI’s regulations basically deal with such communication through calls or SMSs, there is currently no corresponding provision for e-mails. This was covered to a limited extent under the erstwhile Section 66A of the IT Act. A provision under a privacy law will be much broader in its scope, covering such communications in all forms, be it solicited or unsolicited, commercial or non-commercial, and via any medium, be it SMS, calls, e-mails or at homes.
Right to prevent discriminatory AI decisions
A new development with data based decisions made with the use of artificial intelligence, such as algorithmically automated decisions, to process the data. AI is being encouraged, in view of the greater perceived objectivity of an AI based decision in comparison to one with human intervention. However, errors in the programming of the AI have led to mistakes and discrimination in the decisions.
For example, a veteran American Airline pilot was detained 80 times due to the AI confusing him with an IRA activist. An algorithm used to judge beauty contests was found to discriminate against dark skins. In another example, one man’s driver’s license was revoked after an anti-terrorism computerised system mistook him to be another man using a fake license.
Considering the increasingly important decisions being taken by AIs these days, it is important to have a means to question them. This is provided via data protection laws, which grants a right to not be subject to a decision based solely on automated processing. For the exercise of this right, it is essential to show the harm caused to the individual on account of the processing.
The right to data portability is another interesting new right, allowing the data in the possession of one company to be transferable to another on the request of the individual. For example, a seller on one e-commerce site could ask for your data, and transfer his business to a new e-commerce site, without losing out on the product reviews and seller ratings achieved on the previous site.
Current Indian laws allow the transfer of such data, but only in pursuance of a contract. This right allows individuals to claim ownership on their data, and prevent companies from storing their data in silos, such as the data in the possession of the tech giants. The fact that this data can even be transferred between competitors gives the people a lot of freedom with their data, though companies are likely to be unhappy with such a provision.
Right to be forgotten
Yet another right is the right to be forgotten. The Puttaswamy judgment emphasised the importance of the right to be forgotten as a facet of privacy, noting that the impact of the digital age results in information on the internet being permanent. Consider Google, which lists every possible information on a person, which may include personal, embarrassing and even sensitive data available on the internet. This immortalisation of data on the internet leads to a preference for apps like Snapchat which erase the data.
Indian courts, prior to the Puttaswamy judgment supporting it, have taken conflicting stands on the right to privacy. A Karnataka High Court judgment recognised this right in India for the first time, with respect to sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned. Here, a woman’s name was directed to be removed from the title of a sensitive case, so it could not be found on an internet search of her name. On the other hand, the Gujarat High Court, at around the same time, dismissed a petition seeking the removal of such a judgment, holding that the petitioner could not show even the basic laws that were attracted to the case.
The Puttaswamy judgement has provided some clarity on this issue, but its inclusion in the privacy law can define the exact contours of this right.
Objecting to processing
This last right allows an individual to object to the processing of your data, but under limited circumstances. When you can show factors like substantial distress or damage on account of the processing, then you can object to the processing for any legitimate reason, for research, or for carrying out the task of a public authority. This is, of course, subject to limits. For instance, the data controller can continue to process the data if there are compelling legal needs that outweigh the rights of the individual, such as if it is necessary for the establishment of a legal claim.
An example of this is if an individual is denied employment, because his prospective employer found his name on a blacklist of ‘unsuitable’ employees maintained by someone else. The list consists of individuals who are regarded as such because they are trade union activists. The individual can legitimately ask for his name to be removed from the list, since the assessment of ‘unsuitability’ is arbitrary and lacks justification, and the damage to him by way of being denied employment is substantial.
Indian laws, in their current form, do not allow an objection to processing. They only permit a withdrawal of consent, after which the entity in question has a right to stop providing the services in question. This right can allow an individual to stop a harmful use of his data, while continuing to enjoy the benefits of it.
Key questions raised in the White Paper
These new rights are certainly important in the digital age. Implementation, however, meets with certain challenges in the Indian context. Cost of implementation is a big concern, along with overlap of other sectoral regulations, such as TRAI, and the confusing nature of the rights themselves, making them subject to varying interpretation and dispute. With the right to be forgotten, other issues also arise, such as its conflict with the right to freedom speech, and with determining who all are responsible for the removal of data in question.
In view of these issues, the White Paper has presently sought comments on the following key questions with respect to the rights of an individual:
- What are your views on these rights?
- What should be the scope of the right to restrict processing and the right to data portability in the Indian context?
- Is the right against automated decisions feasible in India? Should evaluative decisions taken based on automated decisions be prohibited?
- How should direct marketing be addressed — as a privacy principle or through sectoral regulations?
- Does the right to be forgotten have a place in India? Should it be restricted to personal data given out voluntarily?
- Does the right to be forgotten entail prohibition on display/dissemination or the erasure of the information from the controller‘s possession?
- Is a case-to-case balancing of the data subject‘s rights with controller and public interests a necessary approach for the right to be forgotten?
- Should there be special exemptions to the right to be forgotten?
- Any other views
Part I of the series explores the definitions of personal data and sensitive personal data, Part II of the series examines the jurisdiction and territorial scope of data protection laws, Part III of the series explores cross-border data flows and data localisation, Part IV deals with exemptions to data protection law, Part V deals with notice and consent, Part VI deals with the big data challenge to privacy principles, Part VII deals with processing of sensitive personal data and Part VIII deals with ensuring data quality.
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.