Data protection legislation should be about protecting people, not innovation

“What do judges know that we cannot teach a computer?” There is a substantial public sentiment that distrusts legal rules and state structures and looks to technology for solutions. After all, many trust their smartphones more than they trust their government. But what may seem as a fairly modern libertarian opinion, voiced in pitch decks and technology conferences, and buoyed by the success of the information economy, has much deeper roots. Such ambitions of a technology centric society were voiced more than forty years ago by John McCarthy, an influential computer scientist and professor at Stanford who coined the term, “artificial intelligence”, and nurtured it into a formal field of research. It was not that such assertions were without prominent challengers, noticeably Joseph Weizenbaum whose 1976 book titled Computer Power and Human Reason put people at the centre of technological progress, rather than being its subjects.

Many concerns

Debates on permission-less innovation, social leapfrogging facilitated by technology, and challenges to the legal order have now acquired greater urgency without losing any of their polemical flavour, shifting from academia to law-making. Concerns are being voiced this month in several Indian cities by members of the public, civil society groups, academic experts and technologists, think tanks, industry associations and technology companies to a committee headed by Justice B.N. Srikrishna, a former Supreme Court judge, tasked with making recommendations and drafting a data protection law. This committee holds immense promise but a white paper it published, the primary public document on the basis of which public comment is solicited, gives reason for concern.

The white paper, published late last year, extends into 233 pages and poses 233 distinct questions. While the sheer breadth of the paper poses granular choices, the broader framing of the document proceeds from a premise of weighing the scales between individual rights and technological innovation. The first few pages note the rationale of the committee “to harness the benefits of the digital economy and mitigate the harms consequent to it”.

Subsequent paragraphs provide further explanation: “Since technologies such as Big Data, the Internet of Things, and Artificial Intelligence are here to stay and hold out the promise of welfare and innovation, India will have to develop a data protection law... to ensure a balance between innovation and privacy.” This framing of a trade-off between the demands of technological innovation and individual rights is a terrible bargain for our future. It presumes to hold both fundamental rights and innovation as somewhat equal, or at the very least as competing values. This appears contrary to the context and the mandate of the committee, as well as principles of individual liberty.

The right to privacy

The formation of the Justice Srikrishna Committee on data protection was cited by government lawyers in the midst of Supreme Court hearings on the fundamental right to privacy in the Puttaswamy case. This submission was taken note by the Supreme Court of India, most prominently in the judgment authored by Justice D.Y. Chandrachud who observed that a “carefully structured regime for the protection of data” may be created, having “due regard to what has been set out in this judgment”. The judgment itself in previous paragraphs proceeded from a premise of asserting that the right to privacy exists as a natural right inherent in all fundamental rights of the Constitution. At the root of this is the liberty of the individual that finds expression through concepts such as autonomy and dignity — choice and freedom. Justice Chandrachud further noted that privacy has positive and negative features, where it restrains “an intrusion upon the life and personal liberty of a citizen”, and also requires “an obligation on the state to take all necessary measures to protect the privacy of the individual”.

A joint reading of all the six separate opinions which flow into the heart of the judgment lead to a singular inescapable conclusion. The privacy protections that limit state intrusion and data protection laws should shield individuals rather than commercial interests or technological innovation.

At this point a concern may arise about the dangers of a legal disruption to innovation. But using individual rights as a foundation is not the same as advocacy of Luddism — and may even be its very opposite. By avoiding a binary bargain between the benefits of rights and technology, a sound legislation would further innovation as a social goal that serves human needs. It would make big data subject to greater legality, the Internet of Things best suited to the Internet of people, and artificial intelligence subject to natural rights. To forge such an understanding, a fundamental acknowledgement has to be forthcoming that technology is a means, and not the end in itself. It must exist and work within the framework of the rule of law. While traditional legal systems are slow to adapt and change, the right regulatory design will prevent pure market mechanisms that concentrate power and cause harm to individuals. Doing otherwise would alert us to a danger as forewarned by Weizenbaum, that “technological inevitability can thus be seen to be a mere element of a much larger syndrome. Science promised man power. But, as so often happens when people are seduced by promises of power, the price extracted… is servitude and impotence. Power is nothing if it is not the power to choose.”

A practical way to operationalise individual choice in a data protection law is for the Srikrishna Committee to take the benefit of past expert efforts. Most noticeably by the Justice A.P. Shah Committee which a little over five years ago proposed nine privacy principles acting on a “fundamental philosophy” of “ensuring that the privacy of the data subject is guaranteed”. To operationalise these principles and account for “innovation” the A.P. Shah Committee among other things recommended, “the Privacy Act should not make any reference to specific technologies and must be generic enough such that the principles and enforcement mechanisms remain adaptable to changes in society, the marketplace, technology, and the government.” However, such existing recommendations proceed from a clear acknowledgement of data protection protecting individuals and not about protecting innovation, state interests for welfare objectives, or commercial interests of technologists and corporations. To ignore them would be to chart a perilous path that has become apparent over the past few months with wider implementation of Aadhaar.

Constitutionalism as guide

The Aadhaar project, which aims to usher a data-driven revolution in the private sector and at the same time act as a state policy panacea, has become a topic of continuing public concern. Repeated press reports indicate continuing data breaches, exclusion and theft of benefits, lack of legal remedies and the prospect of profiling and surveillance. Sufficient evidence exists today persuading us to honour constitutionalism, privileging individual rights over innovation. In doing so, we must forsake the artificial reasonableness of a balancing exercise between unequals. Such caution was counselled by Justice Srikrishna himself when he quoted the Garuda Purana in an article critiquing judicial activism to state, “He who forsakes that which is stable in favour of something unstable, suffers doubly; he loses that which is stable, and, of course, loses that which is unstable.”

Apar Gupta practises law in New Delhi