We often say that “One person’s right to extend the arm ends at the tip of the nose of the next person”. This is a well known cliche but often forgotten by those who are over enthusiastic on “Privacy” including the judges of the Supreme Court.
We are now in the midst of the drafting of the new Data Protection Law and there is all forms of demand on how the Privacy has to be protected.
There is one school of thought that “Privacy” has to be protected not only in terms of Information but also otherwise. In the GDPR there was mention of information processed “by automatic means” or “Semi automatic means” as the scope of the act. Now the Indian Data Protection Act (IDPA)for which the B N Srikrishna Committee published a white paper is finalizing the recommendation on the scope of the act. Should it be applicable only to “Electronic Information” or should it extend to “Paper and Voice” is one question that the committee has been posed.
We must shout out aloud at this point of time that the erudite 9 member Supreme Court which hurriedly passed a 547 page judgement just to declare “Privacy is a fundamental Right” abdicated its responsibility to define what is Privacy. How can we then force the law to define “Privacy”? and to extend it beyond the “Electronic form” in which “Data Protection” is being discussed by the committee?.
It is therefore essential to accept the limitation that this new proposed law (IDPA) will have to restrict itself as a “Data Protection Act” and not as a “Privacy Protection Act”. Since Data is already protected in the ITA 2000/8, we can say that IDPA will now be a “Privacy Data Protection Act” meaning that it will only address information related to Privacy.
Since Privacy is not defined, any attempt to protect information about the vague entity called Privacy will also be reasonably vague. Hence the scope will have to use such words as
“Information such as Name, Address, Mobile Number, E Mail Address, Financial Information, Heath Information, Biometric information etc..”
Presently we leave the definition as any information that is capable of identifying or associating with a living individual. Nothing much can be done beyond this definition of Personal Information. If some software or person is clever enough to see some information and identify a living person through it through his clairvoyance, we cannot factor it into the definition beyond use of such words as
“Personally identifiable information includes any information which along with other information in the hands of the person could be used by any prudent person with ordinary capabilities to identify the true identity of the owner of the data”.
It can also state…
” Personally identifiable information does not include de-identified/anonymized information or pseudonomized information which means that the identity apparently associated with the data cannot be reasonably used to identify the real identity of the data owner by a person of ordinary prudence with the information already in his hands?”
While “De-identified” data will go out of the legislation, there is a view by some that any attempt to “Re-identify” a de-identified data should be made a criminal offence.
While privacy activists can make a good case for sending the person who causes re-identification to the gallows if allowed, one must understand that it is the duty of the “Law Enforcement” on a day to day basis to read available information and try to identify criminals both present and potential. Many scientific data analytics including genetics try to identify the “Tendencies” to be a criminal. May be this is not a perfected science. But today scientists and law enforcement people browsing through CCTV footage and trying to identify people with face recognition features etc or identifying Car number plates to file a traffic violation case, can all be accused of “Identifying a De-identified data” and punished if the law to be made does not take the possibility into consideration.
Further all the Data Analytics companies will be made “Illegal Activities” ab-initio. All Start ups in this filed have to close down.
If therefore “Re-identification” of “De-identified data” is made an offence, then we will be creating a new data protection regime in which the proposition that “Data is New Oil” will be killed. Perhaps economists can estimate by how much percentage points the GDP of India will decline if this is made into a law.
The Google Glass technology is meant to view a person and immediately check the tags in Face book and Google to give you a flash back of the person you are now shaking hands with. Is it not “Re-identification” of the “Not identified”?. The entire industry of Artificial intelligence including the “Automated Car” , “Smart City Energy Management” etc uses plenty of data analytics which includes identification of the un-identified with the use of available data. Gait recognition is the new terrorist control measure that intelligence agencies use. Profiling of employees through their non verbal communication is a new science under development. Analysing social media information and developing a credit rating is another area of scientific research.
Should we kill all these innovations because some criminal wants to have the right to hide as part of right to privacy?
All those Privacy activists who strongly support Privacy to the extent of making the work of law enforcement impossible should think for a while on whether we have any need to protect the honest from the dishonest who want to hide.
I have recently quoted two instances in which I see how Privacy laws are protecting the criminals more than the honest and challenge the Privacy activists to prove me wrong.
First, I get an e-mail from a Gmail ID which is either a fraudulent mail or a defamatory mail or a threatening mail. I am the recipient of the mail but the sender hides his identity with the help of Google by anonymization of the IP address. The recipient of the e-mail which is me, have no right to ask Google to tell me who has sent me the e-mail hiding behind a self created pseudonomized ID. If I want to know the identity of the person, I need to first approach the Police, get my complaint registered which may require payment of a bribe in most cases, make them send a CrPc notice, wait for Google to send the IP resolution, thereafter send a similar request to the local ISP and finally get the address of the person who sent me the offending e-mail. All this takes so much time that by the time I get the information the criminal is no longer traceable.
This criminal friendly situation has been created because Google considers that the Privacy of the sender of the e-mail is more important than the Privacy of the receiver of the e-mail. This is a gross misuse of the concept of Privacy.
The same defense extends to all those who register fake websites and carry out phishing attacks. Their registration details are protected under what is termed as a “Right to Privacy”.
This practice of Privacy being used as a shield to protect criminals must be stopped.
Hence apart from the IDPA not criminalizing re-identification, a punishable offence, the law should not curtain the hands of the law enforcement by enabling Privacy to be used as a shield either by Google or any other web operator.
What should be punishable is the misuse of the re-identified data and posing unreasonable hurdles on re-identification when a genuine stake holder such as a receiver of an e-mail or a visitor of a website demand for the information. The Data controller can ask for an undertaking from the recipient not to misuse the information such as the IP address or telephone number and also have a process by which such demands are logged in with the Data Protection Authority to take further action when required.
But a refusal to divulge the information that protects the criminal should be itself made a crime.
I therefore request that in the IDPA, a provision is made where by a recipient of an E-Mail or a phone call or a visitor to a public website or a Twitter or Facebook is entitled to demand the identity of the sender of the communication with an undertaking not to misuse the information and be accountable for any punishment thereof and escrowing such request and declaration with the Data Protection authority.