Twenty-first generation is a smart one. We have applications to connect with people, and take care of our basic needs- food, clothing and shelter. Communicating our choices, likes and dislikes have become easier, so much so that a distant cousin can know if a particular person liked a particular movie. We don’t realise how much data we are feeding to the applications installed on our phones or signed up through social networking websites.
Definition of Data- Unclear
Data is an ambiguous term as it is associated to broad areas. The Information Technology Act, 2000 does not define information or data to be understood by a layman. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, provides a list of sensitive personal data or information, including, password; financial information; Biometric information. The proviso under this rule provides that “any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules”. The one important aspect arising from this proviso is the ambit of public domain.
Not a consensual consent
The aspect of public domain takes the subject to the concept of consent. Consent in virtual world becomes more complicated because the “trust” factor solely depends on the data protection and processing regulations of the body incorporate. Irrespective of that, having a say in the kind of data that can be shared only seems logical. The phenomenon that currently service providing platforms adopt is that of compelled consent. One cannot simply create a profile and make use of the services until and unless the mandatory information is not provided. Furthermore, the small box placed before the ‘sign-up’ option compels to accept the terms and conditions. The terms and regulations often use terminologies that cannot be understood by a layman. However, a one liner pop-up on a screen seeking permission to access contacts and photos is equally problematic.
Public and Private domain- a fine line
When consent to share and use data is given, the question of the duration and the ambit of that consent is unanswered. The list of bothersome issues also includes whether consent to share information also extends to part of the private sphere going in the public domain? An interesting analogy to this aspect is a case in New York, where a photographer took pictures of his neighbours in their homes without permission. He used a great lens and peeped inside the big glass window apartments, monitored the subjects carefully and clicked pictures. The neighbours on seeing their pictures in a gallery got offended and sued the photographer. One factor in defense of the photographer could be that the subject neighbours had big glass windows, without any curtains or anything to cover the windows, so it can be presumed that people would, in any case, peep in their homes. The same can be considered that they had less value for their privacy. Thus, if there is an open glass window by providing personal information to place an order online, there is a consent to peep, but does that consent also extend to taking pictures or use the information provided for other benefit?
Real life scenarios
The information sharing and using of the same has become successful business models. To take a recent example, during the US election, a British data firm Cambridge Analytica was able to mine personal information of 50 million users. When the General Counsel of Facebook was contacted, regarding the same, he said that like any other app developer, Aleksandr Kogan, had requested for information and the people who gave the consent knowingly provided the information. This does sound legally correct as there was no unlawful sharing of personal data or information. Similar incident took place in 2010 Bihar elections, in which the involvement of data scientists and the data mining firm was later confirmed. The laws under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 will not be applicable, as the information is then within public domain, which can be easily accessible through social networking websites.
The problem discussed forms a vicious cycle and the interrelationship between the process of taking/giving consent to share information becomes crucial. The reason for stressing this interrelationship is because the proviso if the Rule 3 can be used as a major defense.
We recently celebrated a landmark judgment that concluded the Right to Privacy is a Fundamental Right, and ruled that the Right to Privacy is an innate right. The judgement focused on the fact that privacy includes creating private spaces and autonomy to make choices to decide whether certain information is to be shared or not. Keeping these important aspects in mind, the need of the hour is to provide a right to common people to have control over their information. The White Paper released by the Committee of Experts on a Data Protection Framework for India on November 27, 2017 made suggestions regarding the ways data must be governed. The Committee suggested seven critical principles for establishing a framework, one of them being that process of giving/taking consent must be genuine, informed and meaningful.
Notion of informed consent in pharmaceutical trials and in a virtual world have some common grounds, most important one being an inability of understanding terms and conditions. Thus, a starting point regarding informed consent can be from Indian Council of Medical Research (ICMR) guidelines.
(writer is intellectual property attorney at Vutts & Associates, Delhi)