In continuation of our previous article

As concerns about Big Data proliferate, laws are being proposed to address them in all major economies. While the EU is counting down towards the implementation of the GDPR, the U.S. is not yet on board with its own comprehensive law. India also does not yet have a concrete law in place on Privacy.

CURRENT POLICIES AND SHORTCOMINGS

The Information Technology Act 2000 was passed in the context of the initial stages of e-commerce and to facilitate the utilization of electronic documentation. To be relying on it in the context of Big Data, especially its universal and daily application in the form of Aadhaar, social media and cloud computing is a major flaw in the legal structure.

To tackle that, and broader aspects, the Personal Data Protection Bill was introduced in the Rajya Sabha in 2014 which seeks compensation for individuals whose personal data or information has been processed without consent. To handle complaints, the bill seeks the appointment of Data Controllers, not more than three of them, in each state and union territory. The government proposes to have it passed by December 2017.

With Aadhaar enrollees finding their names published on websites along with their Aadhaar numbers, it appears that the government has a long way to go before framing adequate safeguards of privacy and then implementing them. Prior to the Supreme Court of India establishing privacy as a fundamental right, the government had argued that it was not so. In fact, the government asked SC to reconsider the verdict on privacy being a fundamental right or a common right. While the Aadhaar Act has safeguards against data being used for purposes other than what it was collected for, the levels of breaches that have been occurring seem to make a mockery of the entire database.

PLANNED BIG DATA MOVES AND SCARES

One of the other proposed moves in Big Data is in the realm of healthcare where the government is working to develop a system of Electronic Health Records(EHR). The need for safeguarding against the leakage of EHRs is being sought to be addressed by a new law. Among the features of the proposed centralized system is reduction of the need for medical tests as all previous records would be available in the database.

A person’s medical health records like personal information, test reports, allergies, medications, etc. are some of the private data that no person would be comfortable sharing with anyone beyond closest family. If this data were to leak or get hacked, it could be a serious breach of privacy. Centralized databases of this sort need to provide the functionality it is developed for while fully securing against unauthorized access as seems to be the case with Aadhaar.

ALTERNATIVE POLICY RECOMMENDATIONS

Personal Data Services (PDS), similar to the Personal Information Management systems (PIMS) that we saw in our previous article have been proposed in a number of studies as the way forward to achieve a practical solution to the questions of consent and transparency that Big Data poses. In a 2011 Report of the World Economic Forum, the need for a Personal Data ecosystem was raised. One of the features of PDS would be Selective Disclosure whereby the consumer only makes available the data that he/she wishes to expose. A Working Paper of the New York University School of Law has laid out the technical requirements such as meta tagging of data with the related preferences and permissions.

According to the paper authored by Ira Rubenstein, such a business model would democratize the Big Data industry as it would afford new entrants to the business availability to data thereby enabling them to compete against the major corporations. Further, the problem of data quality that arises when data is passed from one source to another is removed with direct sourcing from the customer. Instead of working on assumptions, businesses would be able to target customers who signal their need for products or services.

The Paper specifies eight conditions for companies that would operate the PDSs including the one on ‘Selective Disclosure’ that we saw earlier. Among the eight elements is the capability of ‘Signaling’ whereby customers reveal their demand for what they require in ‘open markets.’ Control over the duration that data can be used, identity management, security, data portability and accountability make up the eight elements the first of which is that the individual will be the fulcrum of collection, management and use of data. The Paper recommends incentives for PDS firms that have all eight elements inbuilt.

DATA CONTROL

As PDSs are evolved, the aspect of using Big Data itself to root out issues impacting privacy, especially discrimination, has been spelt out in a White House Report of May 2016. The Report spells out the way that Big Data techniques can be used to prevent discrimination that can creep into automated decision making processes that filter out applicants over a range of applications such as jobs, credit and insurance. The Report spelt out that companies and public entities need to provide better avenues for their target populations to go through data on themselves and to be able to correct errors. The Report also pointed to Algorithmic Systems Accountability and the need for neutral testing of Big Data Systems.

In United States, the FTC has initiated action against a wide range of flagrant violations of customer data confidentiality which reveals the extent of the dangers that are posed without adequately-equipped laws. According to the FTC, data brokers need to comply with accuracy, dispute, notice and privacy. These requirements pertain to the Fair Credit Reporting Act or FCRA. The ‘dispute’ requirements pertain to the procedures for handling disputes on data. The section within the FTC Act that addresses ’unfair and deceptive’ practices such as pyramid schemes has been brought to address Big Data-related unfair and deceptive practices. In a case against Google, the FTC targeted the company for using Gmail registration data to enroll consumers for its social network Buzz. In its suit against Facebook, the FTC targeted the sale of ‘Private’ posts by consumers to third-party apps which is quite a major offense.

CONCLUSION

In the context of the pro-active actions that the FTC is taking in the U.S. and the laws that the EU has developed, India is way behind in monitoring wrongdoing or developing suitable legal framework or developing technological systems that can tackle the technological challenges. It is essential that laws and mechanisms are in place to deal with privacy concerns of the citizen. Citizen, companies and government organizations, each will play a big role in framing whatever that future holds. Here’s hoping for a future that is more secure and privacy focused.