“I agree to the Terms & Conditions.”
In the last 12 years, I’ve ticked this box more times than there are grains of sand on a beach, and I’ll wager you’re guilty of it too.
When so much of what we do, what services we access, and how we share information online, requires agreeing to terms and conditions, too many of us seek the instant gratification of “payment successful” or “successfully installed”, over our own privacy. Yes. Have you ever stopped to think about all the details you share about yourself online? And no, I’m not talking about your rambling Instagram stories or restaurant check-ins on Facebook. At least not just those two things alone.
Today, a majority of the world runs on data. There are attempts to make technology and data-driven services available to citizens in rural areas, where this was previously unheard of. Pretty soon, electronic and online commerce (and subsequently data collection) will become as essential a part of life as air, food, water, and shelter. But we really need to ask if we’re shooting ourselves in the foot by putting all our personal details out there.
If you just recalled a rant by a parent about how ‘the internet people’ can misuse your photos, instant messages, your accounts on various social media networks, just stay with that thought, because they’re not speaking gibberish. Our data privacy is under threat.
A team of young lawyers and policy researchers are campaigning to #SaveOurPrivacy. They are Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman M. Aggarwal, Praavita Kashyap, Prasanna S., Raman Jit Singh Chima, Ujwala Uppaluri, and Vrinda Bhandari. Together they have prepared a model draft bill, called the Indian Privacy Code 2018, which is currently open for review, suggestions and endorsement.
Drawing on the Privacy (Protection) Bill 2013, two Supreme Court expert committee reports (here, and here), and one judgements, the model draft bill is an impressive nine-chapter document. It contains fair, transparent, and binding provisions around data privacy, and the rights and duties of Data Subjects (that’s folks like you and me), Data Collectors (any service that requires your personal information to fulfill its purpose), and the State.
All your data exploits online are potentially risky activities. Any time we go online for our goods and services, we provide all kinds of personal information. The same goes for data required by the government in the form of the Aadhar Card. Did you know eight out of 10 people are fearful of what could happen with it? A study by Velocity MR confirms it.
As the campaigners say, “We support the use of digital technologies for public benefit. However, they should not be privileged over fundamental rights.” Without clearly defined provisions on how personal data can be obtained, stored, and protected, data collection simply isn’t compliant with The Right to Privacy, guaranteed in Chapter III of the Indian Constitution.
So, what does it take to #SaveOurPrivacy?
One of the most important requirements in the model bill (a) is consent. The model bill says a data collector cannot obtain any bit of information without the express consent of a data subject, and in written. Consent has to be obtained only after the data subject is thoroughly informed of the purpose, any costs incurred, the risks, and any other alternatives to the service. This is especially important for minors, aged 13 and up.
There are, of course, people who may be unable to give consent, because of illiteracy, loss of hearing or sight, or other medical reasons, as well as people who are legally missing or dead. The model bill provides for this too.
The bill provides that consent can be obtained without consent only in specific situations, such as needing a medical emergency service, and to prevent, investigate, or prosecute a cognisable offence. However, it also states that a state Privacy commission can do this “as per provisions relating to interception and surveillance”, presumably for national security reasons.
In addition to guaranteeing transparency, the model bill also requires that only relevant information must be provided. In other words, details that do not serve the purpose or function of the service should not be disclosed.
If data collectors breach protocol, the bill says data subjects are entitled to do the following: alter, rescind, or withdraw their consent, hold the collector liable and ask for exemplary damages, and request that the wrongfully obtained data be destroyed.
For data that is correctly gathered, its existence will also be bound by rules that protect the individual.
If this bill is passed as a law, it will cover two kinds of data – everything that was collected prior to its enforcement, and everything collected subsequently.
For the former, it is recommended that it be “anonymised in such manner as to make re-identification of the data subject absolutely impossible.”
But for data in general, the bill says it must be destroyed as soon as it has served its purpose and function. The respective data subject must be informed of the same. In fact, the only time a data collector is allowed to store the information is when a data subject has directly granted permission to do this.
For those of you who use apps like PayTM or Ola, remember the frustration of having your accounts blocked until you completed that friggin’ KYC form? Now, take that situation, and magnify it a hundred times. For a data subject who cannot provide a certain type of data, they could lose access to food from the public distribution system, to social security, and to benefits under the MNREGA scheme.
To prevent such a cruel situation, the model bill states that data collectors must accept alternative forms of identification. The only time they can insist on a particular detail is if/when they can prove that its unavailability will cause “grave and irreparable injury.”
If you use goods and services in India, this should matter to you. You can either sign the pact with the devil, and give up on your privacy, or you can fight for your rights. The #SaveOurPrivacy campaign looks to every person for support. There are two big ways you can help. First, go through the bill and offer your comments and suggestions to the campaigners. The above mentioned points are only a few highlights, and we would all do well to do a close reading of the document. And second, signal boost this model draft bill on your social media – yes, those very platforms on which the battle for privacy is to be fought! Because this is going to take a concerted effort on a grand scale.