Review of Rahul Matthan’s book “Privacy 3.0: Unlocking Our Data-Driven Future. India, HarperCollins Publishers India, 2018”

By Swathi Kowturu, Assistant Professor, St. Joseph’s College of Law, Bengaluru.
Email: pcs.swathi@gmail.com.

Justice Puttaswamy, whose name is synonymous with the privacy judgement in India, passed away recently. The Justice Puttaswamy judgement ushered in a new era of data privacy law in India. It will remain in the annals of history as a landmark judgement that bestowed the status of a fundamental right on privacy in India. The Puttaswamy judgement was delivered against the backdrop of the enactment of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. Justice Puttaswamy questioned certain provisions of the Aadhaar Act as violating the Indian citizen's Fundamental Right to Privacy. The Supreme Court upheld the Aadhaar Act as being constitutional and struck down only certain provisions of the Act, like those which allowed private entities to collect Aadhaar numbers of Indian citizens as identity proofs, and mandatory linking of Aadhaar to mobile SIM cards, among a few other provisions.

The Puttaswamy judgement, also known as the Aadhaar Judgement, provides valuable insights into privacy jurisprudence in India and other countries. A must-read for privacy enthusiasts is Rahul Matthan's "Privacy 3.0: Unlocking Our Data-Driven Future", which sets the reader on a journey of how privacy was conceptualised in India and the world, before being established as a fundamental right in the Puttaswamy judgement and finally culminating in the enactment of the Privacy law in India.

Privacy is an oxymoron in the age of technology. The author theorises in his book that nature never encouraged privacy. Privacy is not a natural concept but a social concept that evolved with the development of technology. Technology has been a beneficial tool to mankind but it comes at a price, at the cost of personal privacy, says the author. Privacy violations by technology were evaluated in each generation, but each time, technological benefits outweighed privacy harms posed by such technology. As a result, technology developed unhindered, unrestricted by law. It grew by leaps and bounds, privacy harms multiplied and amplified equally, and the law struggled to keep pace in regulating the multifarious dimensions of technology.

Data breaches have become so common today that data security and protection are on top of every company's agenda. The author states that while introducing a digital identity like Aadhaar in India which was set to transform individual lives like no other, it was imperative to first formally enact a privacy law. He also expresses concerns over how linking everything to the Aadhaar database also meant state surveillance of the Orwellian kind and that it upped the need for proper regulation to protect individual privacy rights.

The book is divided into three parts highlighting the three phases of the evolution of privacy law: Privacy 1.0, Privacy 2.0 and finally Privacy 3.0. The author has brilliantly classified the periods of evolution and explored the development of privacy from being a mere tort of breach of confidential information to privacy as a right in the day of modern technology.

What makes the book an interesting read is how the author traces the development of privacy violations from the primitive ages, the age of the invention of the printing press, the telephone, and the camera to the modern day of technology. He narrates how the media embraced these new technologies to encroach upon the privacy of celebrities and other personalities of popular interest.

The various anecdotes and stories narrated by the author of the people who pivoted the enactment of one of the first privacy laws in America add flavour to the book. Whether it was President Grover Cleveland's wife's photo being used without her consent for commercial advertisements or Samuel Warren's personal interest in protecting his brother's sexual orientation which led to his exposition of the concept of privacy as a right, the reader is treated to interesting insights into how privacy developed as a social need. The right was invoked in the famous Griswold v Connecticut case against a Connecticut law prohibiting the sale of contraceptives to married couples.

Under Privacy 2.0, the author discusses the legislative journey of the privacy right against intrusions by the government. Interception of communication and surveillance by the government under the garb of national security is one of the common grounds for privacy intrusion by the government. In the US, the Wikileaks and Snowden revelations exposed how governments indulged in the profiling of individuals through passive data collection, by recording their movements and tracking their online behaviour. Therefore, the need for privacy had certain political underpinnings, against state excesses and unrequited intrusion.

The author, after having explored the social aspect and the political aspect of privacy, moves on to the economic aspect of privacy and traces the trade origins of privacy and personal data collection. For the first time, personal data was collected by credit rating businesses to assess an individual's credit history. With time, businesses began using data to create personalisation tools and offer better services. New emerging technologies changed the face of business. However, the privacy of the consumer was at stake.

The author then moves on to discuss the evolution of privacy laws in the US and Europe, like the Code of Fair Information Practices Principles [FIPPS], which laid down how personal data must be handled, stored, and managed to ensure fairness, privacy, and security in the context of new technologies. The OECD guidelines in 1980 laid down a set of guidelines which upheld the protection of human rights while at the same time allowing cross-border data flows. These formed the basis for the European Directive 95/46/EC and the 2004 Asia Pacific Economic Cooperation Framework as well as privacy laws of Australia, New Zealand, and Japan.

Tracing the parallel political history in India, the author analyses that India never felt the impact of technologies the same way as the rest of the world having been under colonial rule for a long time and fighting against slavery and denial of basic human rights. He draws a presumption that, as a result, Indians have a laissez-faire attitude to technology which is why they have embraced technology with all its flaws, unlike other countries which were sceptical about technology and focused on balancing the benefits of technology with the privacy of individuals. Though this presumption of the author is questionable, it cannot be denied that Indians have always welcomed technological innovations, albeit much later than the rest of the world, with few reservations such as aspects of privacy.

Tracing the constitutional history of privacy in India, the author mentions that the constitution makers made a conscious decision not to expressly include privacy in the constitution. According to him, privacy did not seem to be the most pressing need of those times. Thereafter, the author traverses through the judgements of MP Sharma v Satish Chandra, Kharak Singh v State of UP, Govind v State of MP, the Auto Shankar case and the Sareetha case to highlight the development of privacy jurisprudence in the Indian courts.

After technology entered India, the author narrates how government departments collected information in a unique format, and how databases were neither interlinked nor interoperable, nor capable of being cross-referenced. Since data was stored in silos, there was no perceivable threat to privacy.

In the 1990s and early 2000s, when the outsourcing industry boomed, it mostly involved the transfer of personal data. The Information Technology Act, 2000 was enacted to address concerns of the ecommerce industry, and Section 43A addressed the protection of personal data given in confidence to organisations handling personal data. The IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 further addressed the issues of online privacy. The author further traces the evolution of privacy law from the formation of the Justice AP Shah Committee in 2012 to the passing of the Aadhaar Act in 2015, wherein Aadhaar was used for opening 115 million new bank accounts, ending with the Puttaswamy judgement.

The introduction of the UIDAI project became a matter of concern in the privacy field. The author had been directly involved with the government in formulating the privacy law initially, even before the Justice B.N. Srikrishna Committee was formed to suggest a new privacy law for India. The author was instrumental in convincing the echelons of the government about the need for a separate privacy law along the lines of the European Union's General Data Protection Regulation.

In Privacy 3.0, the author advocates for a new legal framework for privacy. According to him, the consent model of privacy indemnifies the data controller from any privacy violations once consent is given. The consent model is faulty since it can result in consent fatigue from giving too many consents, and because of the impracticality of reading long privacy policies about targeted advertisements and cookies which analyse our browsing history.

The author believes that consent is no longer a feasible means to safeguard privacy due to fatigue. He argues that interoperability and interconnection create privacy implications that are tough to understand. Agreeing to a single privacy policy and allowing these various databases to interconnect is beyond the ability of the consent construct. He talks about how non-personal data can also be used to create personal profiles. Since consent is not required to collect or process non-personal data, relying only on consent is ineffective against the harms that result from the use of algorithms.

Without fully understanding the implications of giving consent, data subjects cannot be expected to give informed consent. Therefore, he argues that the burden must shift from the data subject to the data controller who has complete control over the information and the manner of its usage. Therefore, instead of using consent as a defence, the data controller must ensure the protection of the privacy of the data subject. He proposes a new accountability model. Under this model, a penalty will be imposed on the data controller in the event of a privacy breach. The author suggests imposing a penalty along the same lines as GDPR. Interestingly, the same is today reflected in the current legislation which imposes a penalty of up to Rs. 250 crores for failing to take reasonable safeguards to prevent a data breach.

However, the author warns that such a measure of imposing heavy penalties must be approached with caution. It is important to ensure that the law balances competing interests. Too many restrictions might ensure privacy but might stunt the growth of the data economy. Therefore, data controllers must be encouraged to keep innovating while protecting privacy. The regulatory approach for the same must be remediation rather than punishment. Machine learning algorithms have unintended consequences. It is impossible to predict their consequences with accuracy. Therefore, the data controllers must be penalised only if, after being made aware of the privacy violation, they do not remedy it on time. The author suggests other measures like carrying out data protection impact assessments and evaluating the harm that is likely to occur due to new technology. He suggests establishing intermediaries who can rate data controllers for their data practices. Creating an ecosystem or culture of data protection alone can ensure effective data protection practices.

In the Epilogue, the author ends by reiterating that technology impacts lives and that historically, we have always adjusted our jurisprudence to the same. He reiterates that we must junk old notions of privacy to give way to modern notions.

The book is a must-read for law students and privacy enthusiasts. The author has a breezy style of narration and what sets the book apart is the personal touch the author brings to the subject. The author was one of the first to identify the need for an exclusive privacy law in India and convinced the echelons of the government to legislate one such law, and the book reflects his passion for privacy legislation.

The book was published in 2018. Much water has flowed since then, and the original bill introduced in 2018 was redrafted many times before the passing of the current law, i.e. the Digital Personal Data Protection Act, 2023. The book gives the reader a fair understanding of the initial approaches of the government, the judiciary as well as the public towards privacy law and the current regulatory approach which is required to handle challenges related to data privacy and protection in the modern era.
