How to ‘own your own data’ in the times of Aadhaar and privacy issues
What constitutes a practical model in the Indian context?
Privacy is a hot topic. Especially when applied to data. Your data.
It gets nary a twitch of the eyebrow if it is related to overbearing familiarity coming from traditional Indian families or close-knit communities, or if people are asked for intimate details about themselves, family, friends and neighbours!
But any talk of data privacy gets one apoplectic. And up in arms.
Data democracy and data colonisation are two buzzwords doing the rounds currently and remain germane to the data privacy debate.
Data colonisation is a bugbear of the Telecom Regulatory Authority of India, and data democracy the peeve of former Infosys CEO Nandan Nilekani. The former is to do with someone else having, owning and farming your data without so much as a by your leave. And to add injury to insult, making money off it!
The latter is to do with ensuring reciprocal obligation on information between you and your service provider. To bring in some semblance of digital equivalence.
I will add a third to spruce up the reader’s lexicon. "Own your own data" (OYoD)! Which bridges the above two terms.
Before I explain, let’s start at the beginning. Privacy by any stretch of imagination is complex to get one’s head around. Whether it’s a citizen of a modern democracy with an elevated or perhaps even entitled sense of individual privacy, or one of us.
So when consumer technology and the legal framework fall short in addressing privacy concerns, there is the perception, perhaps even apprehension, that the values themselves could be at risk.
This is where a privacy model helps by directly addressing those concerns.
What does it do? It matches ordinary people’s sociological expectations of trust and confidence in terms of relatable factors such as identity, service level agreements, and security, whether applied to a bank, credit card company, hospital, telecom provider, handset maker, search engine, email provider, social media or data analytics app.
What then constitutes a practical model in the Indian context?
It is based on four substantive principles: (a) an own your own data (OYoD) consent process; (b) data confidentiality; (c) adequate contractual arrangements between the user/consumer, as the hub, and the service provider; and (d) robust end-to-end security, connectivity and well-defined access/sharing measures among a set of stakeholders.
There are a few issues to flag to ensure that these are possible.
One, your service provider is often both a custodian and its own regulator.
For example, the UIDAI, not the citizen, gets notified of Aadhaar data breaches, and then decides how best to proceed. The citizen whose data could have been compromised has little legal recourse as Section 47 of the Aadhaar Act states that any criminal complaint can only be filed by the UIDAI.
Therefore, this makes the prior “consent architecture” incomplete, because meaningful consent can’t be built upon asymmetric information.
Secondly, data logs associated with one’s web surfing, mobile device information, voice, audio, video, app and camera activity, payments, etc., pertain to one’s day to day activity, habits and behaviour and need to be protected.
For example, when you use your banking app, card, wallet, net banking, phone, etc., it creates an electronic footprint of your lifestyle and consumption pattern, i.e. travel plans, purchases, orders and preferences.
Such unidirectional linkage does nothing to prevent the forming of an accurate picture of an individual by having AI bots run through the mosaic of digital crumbs from multiple sources and possible interconnected databases.
Nilekani rightfully says "data is indeed the new oil". But then “oil”, which is precious and a national strategic resource, must be safeguarded by safety principles.
In conclusion, an OYoD-based consent process allows individuals to (a) view or “audit” their own data and decide what to be part of, or not; (b) decide, at their own discretion, with whom and with which "affiliate" their data is shared, or not; and (c) be informed of, and party to, any activity related to a breach of their data.