As the extended date (31st January 2018) for submission of feedback on the whitepaper on Data Protection law approaches, there is increased activity in the industry circles to submit the recommendations.
It is obvious that there will be two distinct sets of recommendations that will be reaching the Government. One would be from the industry side where the concern is on the role of Data Controllers, Data Processors, the Cross border data flow restrictions, Data Localization, impositions such as Privacy by design and Right to be forgotten, Right to access and correction etc. On the other hand the Privacy Rights activists would be focusing more on the rights protection through increased participation of the data subject in the management of personal data, increased penalty, better data breach notification, proper consent management etc.
The law makers need to ensure that there is a balance in meeting the conflicting demands of the two stakeholders.
The Justice Srikrishna Panel has been heavily influenced by the GDPR in the draft of the white paper and it is likely that even the final law may borrow a lot of ideas directly from GDPR.
One of the key suggestions which Naavi.org would like to put out is to look beyond the concepts of Data Controller and Data Processor which form the backbone of GDPR and look at a new dimension of control by creating a third entity which we may call “Data Trusts” or “Data Managers”.
The “Data Trust” is envisaged an intermediary between the data subject and the Data Controller and would address most of the regulatory concerns where there are likely to be conflicts between the Privacy activists and Data Industry.
We all accept that “Data” is the new oil and there is a huge business interest driving data analytics which will be seriously affected by the Privacy regulations. If the regulations are too strict, the business interests will find ways to overcome the law and do what they would do for the commercial gains.
For example, “Informed Consent” coupled with “Notice” can be the basis on which any data controller could gather personal information for further processing. Even if these are mandated by legislation and supported by audit, penalty etc, it is unlikely that this would be anything beyond formalities. In the mobile world which is the biggest concern, consumers of service can hardly be expected to study the Privacy Notice and provide Informed Consent all the time. The Consent may be so complicated and long winding that “Consent Fatigue” may make it useless. Further it is possible that the coding of the Apps or software may include data mining though the notice may say otherwise.
Hence “Notice+Informed Consent” principle though is essential would not work in practice to the extent it should.
I therefore propose that a system should be introduced where data subjects are provided assistance by professionals in managing their “Data” and ensuring that it is not misused and where it is used with consent for financial gain, a part of the reward goes to the data subject.
For this, I propose the following infrastructure.
- Declare “Personal Data” as the property of the data subject which he has right to license for a commercial consideration.
- Any Data Controller who wants to use personal data must be prepared to purchase the rights from the data subject through a “License”.
- The “Personal Data License” will be bound by a contract (like the consent) which will determine the purpose for which the data use is licensed, the period etc along with a measurable financial benefit in case the data is used for marketing and financial gain.
- Since it is difficult for the data subject to negotiate a proper value for the personal data, there is a need for “Personal Data Managers” as professional advisers to the data subjects or a more institutional form of “Data Trusts” which could be organizations who will offer the service of “Personal Data Management”. They will function like “Portfolio management advisers” and “Mutual Fund” organizations in the investment circles.
- Personal Data Managers and Data Trusts may offer their services under a “Self Declared Data Management Practice Statement” which is registered with and approved by the National Data Management Authority.
- The National Data Management Authority will provide the Approval rating of such individual Personal Data Managers and Institutional Data Trusts in a National Registry and through periodical public feedback and its own research make necessary changes as and when required.
- The data subject will be free to chose any Personal Data Manager or Data Trust and deposit their personal data with them with option to “Port data” to other data managers/trusts.
- The Data Controllers will be mandatorily required to obtain the data from these data managers and trusts who will be responsible for vetting the “Notice” and “Consent” in a professional manner.
- In order to enable a data subject to encapsulate his personal data into a package that can be managed, the Data Trust will receive the data and issue a “Personal Data Management ID”. This could be issued in multiple layers such as “Basic Data ID”, “Medical Data ID”, “Financial Data ID”, “Biometric Data ID” etc.
- When a data subject needs to provide his personal data for availing any service, he may simply provide the appropriate ID and the service provider has to extract the details from the designated data trust/manager who is expected to apply due diligence in the interest of protecting the interests of the data subject.
Apart from the benefits of this system to assist the data subject surf through the maze of complicated Privacy Notices, and Consent forms multiple times and understanding them befor approval, the system will make it easy for the regulator to regulate the industry since instead of regulating hundreds of data controllers and processors, they can focus on regulating the Data Trusts and Data Managers as an intermediary industry. This will reduce the number of players to be monitored.
At the same time, the Data Management industry will be able to develop expertise in data protection and management which is absent today even with regulatory authorities.
Since this scheme envisages that there would be a proxy ID for the data, it will enable confidentiality and data security by not exposing the primary data in multiple collection points.
Each data trust will be like the UIDAI or even better in terms of data security and they should compete on the basis of their security principles and ability to pay a license fee to the data subject members.
We donot envisage that members will pay for this service. They will license their personal data to the Data Trust agency either for free or for a fee payable. It may take some time for the economic model here to develop and for the Data Trusts to provide a commercial benefit to the members. But initially, their ability to provide data protection by pseudonomization of the personal ID or through complete encapsulation with the proxy ID will be a sufficient reward to the data subjects.
If Data is really the new Oil and the Data industry makes money out of the data subject’s data, then they may pass on part of the benefits to the data subjects. For this purpose they may offer a small percentage, even if it is one part in a lakh of a rupee of their profits from the data management business either in cash or in the form of “Loyalty Coupons” that can be exchanged elsewhere, it would provide some kind of “Return” to the data subject to compensate for his loss of privacy.
I believe that the above proposal is even a solution for the inadequacy of UIDAI to secure the Aadhaar data.
P.S: These are my preliminary ideas which can be refined further into a commercial service if any organization is interested. I trust the Data Protection Law recommended by Justice Srikrishna Committee makes such service feasible through appropriate enabling provisions.