Introduction
The phenomenon of technological advancement has led private and government entities to collect personal data of citizens, traces of which are inadvertently left by users while browsing the internet. Such personal information collected without consent of the user is then used to influence the behaviour and action of the citizen through persuasive technology resulting in transgression of the liberty granted to each Indian citizen by the Constitution.
Although the need1 for a dedicated legislation2 on data protection and privacy was previously stated by Standing and Parliamentary4 Committees in their Reports, a major breakthrough did not arrive until the recent Puttaswamy5 judgment pronounced by the Supreme Court of India which recognised the Right to Privacy as a fundamental right and informational privacy, a postulate of human dignity emanating from liberty and right to life6. Placing the accountability on the State, the Court held that the individual at the center stage and directed the Central Government to put a robust mechanism in place.
Draft Data Protection Bill – Critical overview
In accordance with direction of the Supreme Court, Justice B.N. Srikrishna Committee7 was set up which presented the Draft Personal Data Protection Bill, 20198 currently under consideration of a Joint Parliamentary Committee of the Parliament9. While the Bill elaborately discusses the categories of data10, inclusion of Government as a responsible party11, restriction of retention of personal data12 and process of obtaining consent13; particular important aspects of right to collection of such data evade through the voluminous white paper leaving emphasis only on secondary aspects of its usage. This view is corroborated by the letter written by eminent jurist, Justice M. Jagannadha Rao (retd.) to the Justice Krishna Committee where he questions the extent of permissible surveillance by the State. The Bill discusses the constitution of the regulatory authority14 which is to be appointed solely by the Central Government but does not specify the Committee members after laying down the selection criterion. Giving a free hand to the government entities it grants exemptions15 where the government agency shall elude from the consent procedure laid down as per the Act. The Parliamentary Committee presently considering the Bill is unbalanced in its composition with no diverse perspective present. Absence of dissent in the Committee with majority of the members aligned with the government view, steers the way free for the Bill to be passed with least or no amendments.
Government autonomy in draft Bill — Absolute power corrupts absolutely
The combined factors of structure of draft Bill and the lack of strong opposition in the Committee considering it, work towards autonomy remaining in hands of the Government, and the possibility of potential misuse by State surveillance. While persuasive technology has potentially affected the Indian democracy in the past16 such unrestricted power may well destroy the constitutional fabric by influencing voters using their data, instances of which have already occurred in some parts of the world17. If the current model is followed, a government in power can use persuasive technology to drive voters to vote in their favour and can escape the liability under the veil of exemptions or easily receive a clean chit from a favourable regulatory authority.
Affect of persuasive technology on elections — Deleting reoccurrence of Cambridge Analytica episode
The potential misuse of technology in elections through accessing personal data bits of the voter is an episode telecasted in India in the recent past too. Although an Indian citizen as per law18 is to be compensated for unauthorised access or leakage of personal information, no compensation was awarded when information from over thousands of facebook accounts were extracted to manipulate election results. Cambridge Analytica, a political consultancy firm based in the UK has shown us a prequel as to the search engine manipulation effect19 while its business brochure boasts experience of working in elections and political events from around the globe, speculations of it affecting the US elections leading to the victory of Trump, stirring political conundrums is a speculation which cannot be entirely put to rest. While the former employee of the company admitted to harvesting unsolicited personal information20 and claimed to work with national political parties in India the exemption clause to government entities in the Draft Data Protection Bill, 2019 shall make sure that such manipulation is masked and no evidence of manipulation remains. Linking the dots together we paint ourselves a tarnished image of democracy where choice of the people, by the people and of the people are all directed by the data holding puppeteer. Various studies21 conducted on the affect of persuasive technology across the globe have shown that direct response advertisements and personally targeted messages on the screens of the social media user were common around the months of election. For instance, “Our recovery will be made in America” surfaced on the screens of maximum American voters in region which were predominantly democrat. Thus, a legislation exempting the government entities to access sensitive personal data of its citizens will not only affect power play in politics but will also corrode the democratic structure.
Adjudging vicarious liability
The UK Supreme Court in a recent case of Various Claimants v. W.M. Morrison Supermarkets Plc22 decided on the vicarious liability of the employer Morrisons as his employee, Mr. Skelton, disclosed confidential data of over thousand employees. The Supreme Court held that as it was an act of personal vendetta and as the data was given for a legitimate task, the wrongdoing was not in the nature of employment of the employee the principle of vicarious liability shall not apply. The Draft Data Protection Bill is silent on this perspective. It is unclear whether a government employee in possession of sensitive personal information will be treated as an extension of the term government entity or will be labelled as an agent in case data is illegally outsourced for financial considerations. Will the Government be held vicariously responsible in case sensitive data of voters is traded to manipulate election outcome by any of its employees. This issue needs to be recognised and addressed in the light of the principle of vicarious liability and precedents on data breach.
Suggestive recommendations — Mending the road ahead
To prevent potential misuse, a methodical framework is to be adopted to thwart State surveillance. The first step would be to declare data of an individual as property and make it available on payment of consideration. It would be useful to consider the US senate hearings23 as a reference point to develop a framework whereby witnesses have accepted to social media websites like Facebook24, eating election advertising to influence voter pool. Adopting norms of laissez-faire; similar to US; where consent of the citizen is required before usage of their personal data becomes essential in curbing abuse of State surveillance. Further setting up standard security measures to be met with all entities in possession of such data can be framed on the lines of EU GDPR25 laws which would ensure strong security protocol. With security protocols in place the next step would be to set out a timeline which places a cap on the time period beyond which data retention by entities would not be permitted while also providing a cut-off date to delete previously retained data. The concept of vicarious liability of the government and private sector entities needs to be infused in the present draft Bill. To bring about such changes the defect in the composition of the Parliamentary Committee is to be cured by introducing members of diverse view (opposition party) in equal number of government representatives to avoid polarisation of opinion and ensure democratic action in data collection while keeping State surveillance in check.
† Shivani Dewalla, Advocate Supreme Court of India and High Court of Delhi, presently associated with the chambers of Mr R.S. Suri, Additional Solicitor General of India, e-mail: shivanidewalla5@gmail.com.
1 The 50th Report of the SCIT on the Information Technology (Amendment) Bill, 2006. See, <https://eparlib.nic.in/bitstream/123456789/63025/1/14_Information_Technology_50.pdf>.
2 52nd Report of the SCIT on Cyber Crime, Cyber Security and Right to Privacy. See <https://eparlib.nic.in/bitstream/123456789/64330/1/15_Information_Technology_52.pdf>.
4 The A.P. Shah Committee Report in 2012. See, <https://niti.gov.in/planningcommission.gov.in/docs/reports/genrep/rep_privacy.pdf>.
5 K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. This judgment overruled previous judgments of M.P. Sharma v. Satish Chandra, 1954 SCR 1077 and Kharak Singh v. State of U.P., (1964) 1 SCR 332 to the extent to which they did not recognise right to privacy as a fundamental right.
6 K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, See, Per S.A. Bobde, J. at para 6; Per Chelameswar, J. at para 9; Per Dr D.Y. Chandrachud, J. at para 320.
7 Report of the Committee, available on <https://www.meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf>.
8 <http://www.scconline.com/DocumentLink/A3yGRo3e>.
9<https://www.meity.gov.in/writereaddata/files/constitution_of_committee_of_experts_to_deliberate_on_data_governance-framework.pdf>.
10 Ss. 3 (19), (21), (28) and (36) of the Personal Data Protection Bill, 2019. <http://www.scconline.com/DocumentLink/A3yGRo3e>
11 S. 2 of the Personal Data Protection Bill, 2019 <http://www.scconline.com/DocumentLink/A3yGRo3e>
12 S. 9 of the Personal Data Protection Bill, 2019. <http://www.scconline.com/DocumentLink/A3yGRo3e>
13 S. 11 of the Personal Data Protection Bill, 2019. <http://www.scconline.com/DocumentLink/A3yGRo3e>
14 Ss. 41 and 42 of the Personal Data Protection Bill, 2019. <http://www.scconline.com/DocumentLink/A3yGRo3e>
15 Ch. VIII, Cls. 35-40 of the Personal Data Protection Bill, 2019. <http://www.scconline.com/DocumentLink/A3yGRo3e>
16 See, <https://in.reuters.com/article/facebook-cambridge-analytica-india/india-queries-cambridge-analytica-over-alleged-facebook-data-breach-idINKBN1H00B0> to assess misuse of data over internet to affect Indian elections.
17 US election affected by persuasive technology <https://www.dni.gov/files/documents/ICA_2017_01.pdf>.
18 S. 43-A Information Technology Act, 2000.
19 See, <https://www.pnas.org/content/112/33/E4512#sec-5>, to assess case studies proving potential misuse of search engines.
20 See more information on, Ex-Cambridge Analytica boss admits getting Facebook data from researcher on <https://www.reuters.com/article/facebook-privacy-britain-idINKCN1J222L?edition-redirect=in>.
21 See, <https://adobservatory.org/>, New York University project on ad observatory providing information on spending on social media by President nominees in America.
22 (2020) 2 WLR 941: 2020 UKSC 12.
23 See, <https://www.commerce.senate.gov/services/files/20789C1F-12C1-400E-9936-092F6AC74EDC>, US Senate hearings — “Responses to Written Questions submitted by Honorable John Thune to Tristan Harris”, emphasising on digital well-being of the user.
24 See, <https://www.commerce.senate.gov/services/files/96E3A739-DC8D-45F1-87D7-EC70A368371D>. Mr. Tristan Harris — Co-Founder and Executive Director — Center for Humane Technology, Facebook “eats” election advertising.
25 General Data Protection Regulation (EU) 2016/679 (GDPR) came into force on 25-5-2018 as an umbrella regulation to safeguard data and privacy in the European Union (EU) and European Economic Area.
