An opportunity to redesign draft data protection law 

A modern privacy regulation must be a harm-based one. It must shift responsibility of privacy harms to data fiduciaries and processors.

The global landscape of privacy regulation has shifted significantly in the last few months. While the US Congress is in the final stages of formulating a privacy law, India recently withdrew its Personal Data Protection Bill, 2019 (PDP Bill), drawing wide criticism. The government has since circulated a brand new bill for public consultation. Unfortunately, the new bill still rests on the Notice and Consent (N&C) framework, a privacy model now more than 40 years old. That framework has failed globally to keep pace with modern technology: it over-emphasises ex-ante compliance, which produces heavy compliance costs without preventing harm.

The N&C framework was first articulated in 1980, when computer technology was relatively new and OECD countries worried that automated transfer of users’ personal data without their knowledge and informed consent would threaten their privacy. The OECD adopted the ‘Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’, under which personal data was to be collected only with the knowledge or consent of the data principal. Within a few years, the N&C framework became the de facto norm for data regulation globally. In 1995, the European Union (EU) incorporated it in its Directive 95/46/EC, and later carried it into the EU General Data Protection Regulation (GDPR) as well.

However, with the exponential growth of complex and pervasive technologies over the last two decades, such as the Internet of Things, artificial intelligence, smart cities, screenless voice-based applications, the metaverse and social media, the N&C framework has proved too slow and rigid to address evolving privacy concerns. Unlike in the 1980s, the transfer of data from a data principal is no longer a single event; data is collected and processed continuously as new uses evolve. The information asymmetry between user and processor can no longer be bridged by the one-time informed consent that the N&C framework assumes.

Instead, data principals must make many micro-decisions over time, which leads to consent fatigue for the data principal and heavy costs for businesses. For smaller companies and start-ups, legal compliance under the N&C framework becomes extremely cumbersome and expensive, and they are disincentivised to innovate. The only way for companies to avoid these costs is to draft overbroad, oversimplified consent terms and hope that every small technology tweak does not require fresh consent. But this practice puts user privacy at risk: users cannot know how companies will use their data in the future.

The N&C model has become outdated for another reason: the difficulty of obtaining genuinely informed consent. Affordable internet access has led to an exponential increase in users and a massive shift in their profiles. India has over 800 million internet users (over 400 million of them smartphone users). Their personal data is collected when they use social media or essential services such as food delivery, banking and government schemes on a multitude of e-commerce and fintech platforms.

A typical internet user today looks very different from the user of the 1980s for whom the N&C framework was envisioned. Most users today lack the technical knowledge to appreciate the enormous consequences, both good and bad, of how their personal data is used. As a result, user consent is no longer informed by any understanding of the potential harms. It is equally unrealistic to expect informed consent when the terms are often complex “take it or leave it” terms devoid of any meaningful choice. Users invariably accept the terms to avoid being denied service. Further, consent fatigue from repeated notices has reduced consent to a formality, a checkbox.

Modern technology has defeated the original objective of the N&C framework. The EU was fully cognisant of this in 2016. While adopting the GDPR, it attempted to de-emphasise N&C by adding consent-independent principles such as purpose limitation, use limitation, transparency, security, and fair and reasonable processing, though it retained the overall N&C framework. The Indian PDP Bill 2019 (now withdrawn) and even the latest Digital Personal Data Protection Bill 2022 have borrowed substantially from the GDPR.

It is time the government shifted its focus from the process-based N&C framework to the end-harms caused by modern-day big tech, whether privacy-related, psychological or community harm. A modern privacy regulation must be a harm-based one. It must shift responsibility for privacy harms to data fiduciaries and processors. Once fiduciaries are liable for harm, they will of their own accord put in place the requisite due diligence and internal controls, including some form of consent, to prevent privacy harm.

To run such an accountability regime that penalises harms, the government must first gain a technical understanding of technology-related harms, so that it can enforce up-to-date safety standards and procedures.

First, the new privacy law must set up a standing consultation mechanism between technologists, lawyers and other stakeholders to define technology-related harms, so that law and policy can keep up with technology. Rather than relying on the N&C framework, the government must act as a trustee for both privacy and innovation and penalise privacy harms harshly. It should set up administrative safeguards such as strong data impact assessment and audit standards and update them regularly. Global privacy-by-design standards may also be made mandatory, a facet sorely lacking in the new bill.

Second, software, product and social media companies must be required to maintain algorithmic transparency. Algorithmic ‘black boxes’ obscure a company’s business model and its impact on human privacy and rights. Transparency is what enables individuals to give informed consent.

Dr Amar Patnaik
Rajya Sabha MP and former CAG bureaucrat
(Views are personal)

The New Indian Express
www.newindianexpress.com