Data protection is about protecting people not innovation
“What do judges know that we cannot teach a computer?”. An existing distrust in legal rules and state structures and then further looking to technology for solutions is a sizeable public sentiment. After all many trust their smartphones more than they trust their government. But what may seem as a fairly modern libertarian opinion, voiced in pitch decks and technology conferences, buoyed by the success of the information economy has much deeper roots as explored in Noam Cohen’s recent book, The know-it-alls. Such ambitions of a technology centric society were voiced more than forty years ago by John McCarthy, an influential computer scientist and professor at Stanford who coined the term, “artificial intelligence” and nurtured it into a formal field of research. It was not that such assertions were without prominent challengers, noticeably Joseph Weizenbaum whose 1976 book titled, Computer Power and Human Reason put people at the centre of technological progress, rather than them being it’s subjects.
Such debates for permissionless innovation, social leapfrogging facilitated by technology, and challenges to the legal order have now acquired an immediate urgency without losing any of it’s polemical flavour, shifting from academia to law making. Concerns are being voiced this month in several Indian cities by members of the public, civil society, academic experts and technologists, think tanks, industry associations and technology companies to a committee headed by Justice Srikrishna that has been tasked with making recommendations and drafting a data protection law. The importance of this committee is heightened by disturbing news reports on Aadhaar which point to a variety of technical and legal flaws that may be addressed through such a legislation. This committee holds immense promise but a white paper published by the Justice Srikrishna committee — the primary public document on the basis of which public comment is solicited, gives reason for concern.
This white paper published around a month back extends into two hundred and thirty-three pages and poses two hundred and thirty-three distinct questions. While the sheer breadth of the paper poses granular choices, the broader framing of the document proceeds from a premise of weighing the scales between individual rights and technological innovation. The first few pages note that rationale of the committee as, “to harness the benefits of digital economy and mitigate the harms consequent to it”. The subsequent paragraphs provide further explanation when they state, “technologies such as Big Data, the Internet of Things, and Artificial Intelligence are here to stay and hold out the promise of welfare and innovation, India will have to develop a data protection law… to balance between innovation and privacy”. This framing of a trade-off between the demands of technological innovation and individual rights is a terrible bargain for our future. It presumes both to hold both, fundamental rights and innovation as somewhat equal or at the very least as competing values. This appears contrary to the context and the mandate of the committee, as well as principles of individual liberty.
The formation of the Justice Srikrishna Committee on Data Protection committee was first revealed by government lawyers in the midst of Supreme Court hearings when it was disputing the fundamental right to privacy in the Puttaswamy case. This submission was taken note by the Supreme Court of India, most prominently in the judgement authored by Justice Chandrachud who observes that a, “carefully structured regime for the protection of data” may be created having, “due regard to what has been set out in this judgement”. The judgement itself in previous paragraphs proceeds from a premise of asserting that the right to privacy exists as a natural right inherent in all fundamental rights of the Constitution. At the root of this is the liberty of the individual that finds expression through concepts such as autonomy and dignity — choice and freedom. Justice Chandrachud further notes that privacy has positive and negative features, where it restrains, “an intrusion upon the life and personal liberty of a citizen” and also requires, “an obligation on the state to take all necessary measures to protect the privacy of an individual”. Not only from these remarks in isolation, but a joint reading of all the six separate opinions which flow into the heart of the judgement, lead to a singular inescapable conclusion. The privacy protections that limit state intrusion and the duty to enact a data protection laws exist to protect individuals rather than commercial interests or technological innovation.
At this point a concern may arise as to dangers of a legal disruption to innovation. But using individual rights as a foundation is not the same as the advocacy of luddism and may even be it’s very opposite. By avoiding a binary bargain between the benefits of rights and technology a legislation furthers innovation as a social goal that serves human needs. It makes big data subject to greater legality, the Internet of Things best suited to the internet of people, and artificial intelligence subject to natural rights. To forge such an understanding a fundamental acknowledgment has to be forthcoming that technology is a means, and not the end in itself,. It must exist and work within a framework of the rule of law. While traditional legal systems are slow to adapt and change, the right regulatory design will prevent pure market mechanisms that concentrate power and cause harm to individuals. Doing otherwise alerts to a danger as forewarned by Weizenbaum that, “technological inevitability can thus be seen to be a mere element of a much larger syndrome. Science promised man power. But, as so often happens when people are seduced by promises of power, the price extracted is servitude and impotence. Power is nothing is if it is not the power to choose.”
A practical way to operationalise individual choice in a data protection law is for the Srikrishna Committee to take benefit of past expert efforts. Most noticeably by the Justice A.P. Shah Committee which a little over five years ago proposed nine privacy principles acting on a, “fundamental philosophy” of, “ensuring that the privacy of the data subject is guaranteed”. To operationalise these principles and account for, “innovation” the A.P. Shah Committee among other things recommended, “the Privacy Act should not make any reference to to specific technologies and must be generic enough such that the principles and enforcement mechanisms remain adaptable to changes in society, the marketplace, technology, and the government.”. However, such existing recommendations proceed from a clear acknowledgment of data protection protecting individuals and not about protecting innovation, the state interests for welfare objectives, or the commercial interests of technologists and corporations. Ignoring them charts a perilous path that has become apparent over the past few months with wider implementation of Aadhaar.
The Aadhaar project which aims to usher a data driven revolution in the private sector and at the same time act as a state policy panacea has become a topic of continuing public concern. Repeated press reports indicate continuing data breaches, exclusion and theft of benefits, lack of legal remedies and the prospect of profiling and surveillance. Sufficient evidence exists today persuading us to honour constitutionalism, privileging individual rights over innovation. In doing so we must forsake the artificial reasonableness of a balancing exercise between unequals. Such caution is counselled by Justice Srikrishna himself when he quotes the Garuda Purana in an article critiquing judicial activism to state, “He who forsakes that which is stable in favour of something unstable, suffers doubly; he loses that which is stable, and, of course, loses that which is unstable.”
An edited version of this article was published by the Hindu on January 13, 2018.