[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]
Many of the issues connected with Privacy arise out of the complaint that “information collected by a Data Controller” is processed in such a manner that the data subject feels that his privacy has been breached. Hence “Consent” is sought and obtained before collection of information. Section 79 of ITA 2000/8 under its rules has already adopted the procedure of disclosure and consent when an “Intermediary” collects personal data from a data subject in India. The fact that “Consent” should be an “Informed consent” is also well appreciated.
However most data subjects never care to read the Privacy statements or Privacy policies when presented to them before a specific use of a service. Many service providers also take blanket permissions ignoring the principles of minimal collection and purposeful use.
In the absence of proper legal requirements, data subjects can only try to take legal action against an entity that breaches the law if they can claim damages. But in most cases, damages cannot immediately be recognized and evaluated and hence “breach” can be recognized but not its consequences. Hence there can be no legal remedy in most cases.
When a data protection law is in place, the regulator can take action for breaches even when no damage is claimed by any data subject. Though this provision is available even now under Section 46 of ITA 2000/8, it is hardly recognized as existing. When the new law comes in, since there will be a recognized regulator called the “Data Protection Officer of India”, it will be his duty to monitor the industry and initiate action when required.
Some data controllers may blame the data processors for the breach and data processors may allege that the data controller did not indicate the responsibilities properly in the SLA. Even now many of the data processors in India coming under GDPR allege that they donot have a proper Business Associate Contract from their vendors specifying the information security requirements. Hence the responsibilities cast on the data processors is vague and goes without compliance.
The new law should ensure that this “Vagueness” is removed, by making it mandatory that the Data Controller who is the person/entity to whom the data subject provides the personal data and “Consent” to use that data in a particular manner, take full responsibility for any breach and also mandate that any sub processors are bound with specific instructions which are clear. If the sub processor is also within the Indian jurisdiction, it may suffice to make a reference to the legal provision in toto by referring to the Act. But when the Data Controller and Data Processor are in different jurisdictional areas, it is necessary for the Data Controller to specify in a contract the actual responsibilities related to the processing of any data set/s and not leave it vague.
Such online consents may not be treated as proper “Informed Consent” because it is not digitally signed and also because the likelihood of it having been read and understood before it is consented to is low. Since India does not recognize the Click Wrap contract the acceptance of consent by the click of the button has no legal sanctity. The consent therefore only becomes an “Implied Consent of a dotted line contract”, where the fine point details could be considered voidable at the option of the customer.
Even when such consents are treated as contractually acceptable, the data subject may not be able to decypher the intricacies of the contract and take an informed decision. When multiple parties require multiple types of consents and multiple times, there would be inevitably the “consent fatigue” that makes him simply click without a second thought.
Hence the current system of each data controller taking individual consent each time a data is required for a specific purpose is not practically efficient.
One of the ways by which we can overcome this is to treat personal data as a property of value to the data subject and every usage as “Licensed Use” with some kind of rewards to be available to the data subject which is proportionate to the benefits that the data user may enjoy. In this concept the data subject actually sells the right to use his personal data for a consideration. However to manage this system, the data subject needs professional assistance and hence there is a role for an intermediary “Who Collects consents and data, keeps it with himself and releases it on specific request to a user as a personal Data manager of the data subject”.
The “Data Manager” being a professional agency knows the value of the personal data to different service providers and maximize the returns to the data subject. It is not necessary that the reward to the data subject is in the form of direct money. It could be in the form of reward points that are exchanged for some valuable service.
Further, the “Data Manager” as an intermediary can act like the “Personal Data Locker” and offer services such as anonymization and pseudonomization as well as providing limited set data devoid of key identifiers. He can ensure that value addition in the form of data mining and Big data analytics can be conducted without compromising the privacy of the data subject.
In order to provide an opportunity for such intermediary business, Personal property should be recognized as the property of the individual and he should have the right to license it for a price. The proposed data protection act should also recognize and define the role of the “Data Manager” as a business in which the data subject transfers the right to manage his personal data exclusively to one such agency. This role is different from that of the “Data Controller” and “Data Processor” as is used in laws such as GDPR. He should deal with the Data Controllers and ensures that they adhere to the principles such as minimal collection, purposeful use, adequate security, removal on completion etc. When he approves disclosure of personal data of his clients, he can ensure that adequate value is returned to the data subject however small it is.
The Data manager will subsume the role of the Data Controller to the extent that the data subject provides his consent only to the Data manager and all that the data controller gets is a “proxy identity”. The linking between the proxy identity and the real identity is in the hands of the Data Manager and the principles enunciated in our earlier discussions on “Regulated Anonymity” can be used so that only responsible data controllers will get the real identity based premium personal data. Others can get a lower valued proxy identity data. Some others may use limited data set and others the de-identified data. Thus the Data Manager can effectively classify and package data offerings and create value where as today the data subject does not get any value for his personal data which he shares with various service providers.
This type of parallel thinking can be incorporated in the Indian Data Protection Act so that it does not become simply a rehash of the GDPR or other international data protection legislation.