The Need to Create and Regulate Data Entitlements

By Karthik Rai









Introduction

Modern techniques have transformed the generation and collection of data, which is subsequently processed through big-data analytics to generate new forms of information. How data entitlements are regulated will, therefore, regulate the technologies premised on data.[1] However, existing data-protection regimes aren’t clear on this issue, and this has contributed to privacy-infringing data collection and other regulatory concerns. Therefore, vesting data ownership rights of various degrees depending on the context and nature of data can address how technologies collect and process data. It can also provide the necessary flexibility to meet new and unforeseen challenges.

In light of this, I wish to examine why there is an urgency to regulate data entitlements at the earliest. Through this piece, I detail the various challenges that crop up owing to this lack of entitlements. I then argue that the forthcoming data protection law in India may be insufficient to deal with this issue, and that, given the pressing need to regulate the matter, there is a need to initiate discussions on creating data entitlements.





A Lack of Entitlements has Caused Data-Capitalism Through Technological Tools

Data are excludable – once appropriated, others’ access to them can be restricted. Coupled with this is the fact that modern tools collect and process data, sensitive or non-sensitive, using costless methods. Together, these ensure that big-data is aggregated on large scales by high-technology corporations that have targeted advertising as their primary revenue-generating tool. They have obtained access and control over data, and have monetized it to generate profits, in a manifestation of data capitalism.[2]

However, this implicates the privacy of the people whose data is stored and processed. Regulatory regimes are not clear about the nature and extent of data rights that data subjects possess. Consequently, software has been deployed to capture it effortlessly.[3] Users, burdened with consent-fatigue, accept complex privacy-policies without reading them, which opens up the possibilities of re-use and exploitation of their personal information.[4] This ‘accumulation by dispossession’ relies on privatising data, transferring the entitlements over it to corporates and facilitating commodification. Data exchange makes way for data extraction. This may give these technologies extensive entitlements in our sensitive-data, in manners undecipherable to us, and may harm our reasonable expectations of privacy.[5]





The PDP Bill’s Insufficiency in Dealing with this Issue

One might argue that data-protection regulations such as India’s impending Personal Data Protection Bill [‘PDP’] could protect against such privacy-infringing practices. However, I believe that the PDP’s understanding of data entitlements isn’t sufficiently protective against modern data-collection practices [i], and is too inflexible to deal with novel regulatory challenges [ii].

i. The PDP is Ineffective Against Modern Data-Collection Methods

The PDP gives data-fiduciaries that store data the ability to collect and process data on broad grounds. It is very unclear on how accountability and transparency will be ensured in this process.[6] Consent-requirements are circumvented through provisions which allow for ‘reasonable grounds’ to process data – which may even allow for credit-scoring.[7] The Government is also vested with rights to effectively override the privacy principles based on undefined grounds like prevention of offences.[8]

Additionally, despite the Supreme Court’s jurisprudence on privacy, the Government, through the PDP and the amendment to the Aadhaar Act,[9] has implemented regulatory tools that circumvent the judgements’ concerns. By not defining data-entitlements clearly, it has potentially provided private parties access to sensitive data.[10] Such practices could engender profiling and surveillance – modern technologies such as scraping algorithms and IoT can gather disproportionate amounts of data for subsequent use. And the PDP may be insufficient in providing the necessary accountability mechanism.

ii. The PDP is Inflexible Against Novel Regulatory Concerns

A tenuous, principled regulatory framework governs the PDP. It provides greater governmental access to non-personal data [‘NPD’],[11] despite concerns of NPD being re-identifiable and becoming privacy-infringing in some contexts. Normatively, protecting data-subjects’ rights should be at the forefront of the PDP, providing them with stronger ownership rights in their sensitive data. However, the Bill views data as a resource to be extracted,[12] without indications about how ownership of data ought to be regulated. Therefore, bilateral agreements with corporations may ultimately determine data-ownership.[13]

There may also be conflicts between data protection and emerging developments – for instance, competition can be bettered due to greater data-portability, but data protection may be negatively impacted.[14] There may also be confusion in regulatory functioning due to conflicts over jurisdiction in determining antitrust and data-protection issues.[15] Individual businesses may own voluminous big-data but still escape conventional competition scrutiny.[16] The PDP may be inflexible in meeting these novel challenges. And this is because it is not backed by clear first-principles governing data ownership. It is an unclear amalgamation of proprietary rights and personal rights to data.[17] This can create various incompatibilities between the PDP and other regulations which concern data-ownership.





The Area Identified Should be Regulated at the Earliest

The urgency to regulate this issue stems partly from the inefficiencies of the PDP Bill in handling data ownership, identified above. It also stems from the ubiquity of data currently and its usage in almost every automated process. Most, if not all, concerns about regulating technologies lead to a fundamental question: how is data to be protected? Regulating this primary issue therefore becomes the priority.

For instance, with the pandemic’s onset, the Government introduced applications like Co-WIN to ensure efficient vaccination. This spurred the creation of vaccine-alerting apps to notify users about vaccine-slots’ availability in their area. This provided third-parties access to Co-WIN’s APIs without any data policies governing the process, despite the sensitive-data involved. The government has been ambivalent on the issue – it sought to block third parties’ access, but later changed its stance.[18] It stated that such third-parties were covered under the National Health Mission’s Privacy Policy – however, they weren’t. This generated data-protection concerns.[19]

Similarly, concerns that the government’s traceability requirement under the 2021 IT Rules would break end-to-end encryption echo the importance of identifying data-entitlements. Whether the government should be entitled to access private conversations over concerns of ‘offensive’ content spread via social-media is the fundamental question.[20] Concerns about targeted advertising also stem from the kind of entitlements users have over the data and metadata they generate when using search engines and social-media intermediaries, for instance.

Contrarily, data-entitlements that are generally in favour of data subjects may also have to be overridden to achieve more important outcomes. For instance, COVID-19 showed the importance of sharing of health-data which probably helped accelerate research on tackling the disease. If access to datasets is restricted, the synergies that big-data produces through data-analytics may not be possible and the functioning of software-utilities is affected. Thus, current technological concerns are often premised on how data entitlements are regulated.

While some regard data as constitutive of one’s identity and inalienable, others highlight the need for its marketability/transferability for satisfying common needs. Each perspective advances its own version of informational self-determination. Therefore, handling data-entitlements can implicate seemingly-irreconcilable interests.[21]

However, debates on data-protection laws and whether private parties should access data seem to distract from the main issue at hand: regulating data-ownership. The former only leads to conceptions about data-protection laws as the catch-all solution, while they may actually not be as flexible and may overregulate or underregulate the interests involved.[22] The lack of clarity on the data-entitlements that citizens/corporations/the government ought to possess over data, indicated by the preceding examples, causes concern. The concerns will only proliferate with increasing use of facial recognition software, smart-assistants, and other data-based services, which will benefit from the data exhausts people generate. And people may unwittingly be made vulnerable to prejudicial outcomes.

Therefore, I believe creating a principled framework[23] for evaluating data-ownership rights could help tackle these challenges better. It would provide greater interpretive flexibility to deal with various types of data, the different contexts in which they are utilised, and the conflicting interests in data. Implementing these principles as a regulatory framework would help provide clearer instructions on the nature and extent of collection and processing that ought to be performed. This would help operationalize benevolent, rather than exploitative, technologies, by incorporating such principles as part of their privacy-by-design framework.





Deciding on the Data-Entitlements, and How this Will Help

Ownership of a property may involve several rights within it, in a bundle – for instance, the right to generate income from it, to prevent its harmful use, and to manage it, among others. Therefore, depending on the various contexts data is to be used in, the kind of sub-bundles that would be available to the data subject and those that would be available to other parties – like the government or private bodies – must be deliberated upon.

For instance, in the context of health-related data, vesting all bundles of ownership with either the data-subject or private parties/the government would be problematic. However, by transferring limited data ownership rights to the government [subject to conditions] and retaining the other rights with the data-subjects, a more mutually beneficial outcome could be reached.[24]

An understanding of this sort was manifest in the UNICEF Report on Data Protection amidst COVID-19. The Report identified how decentralized data storage in contact-tracing apps would generally be sufficient for the government’s requirements. Even in specific situations, where centralized data-storage is unavoidable, having safeguards like encrypting and storing data in a deidentified manner was necessary. By designing apps that comply with this mandate, users could have greater ‘control’ over their data, it notes.[25] This shows how delineating clear(er) data entitlements can help address data usage concerns contextually in the most proportionate manner.

For data that is considered less significant in terms of collective interests involved, more bundles of ownership should be vested with the data-subject. For instance, they must be allowed to provide and withdraw data at any time from the data controller, and prevent any form of re-usage without their express consent. This would provide data-subjects maximum ownership of and control over their data,[26] and can help better preserve data-privacy.

Contrary to the rigidities that data-protection laws entail, developing such a framework will help redefine technological methods governing data usage, by creating possibilities for new mechanisms to be implemented. For instance, Lee’s ‘Solid’ Project, which envisions the storage of personal data in pods to which access can be conditionally granted by data-subjects;[27] or implementing frameworks where data is regarded as ‘labour’ performed for which the data-subjects receive remuneration;[28] are some alternatives. 

With such flexibility come more options to deal with modern regulatory concerns, like the conflict between cybersecurity and antitrust laws. Concepts like adversarial interoperability or data portability could be reasoned out based on the data-entitlements created. These may prevent potentially abusive conduct of platform companies thriving on datasets, while simultaneously addressing privacy concerns. It can help redesign technologies accordingly, facilitating a holistic solution to such regulatory conflicts.[29] Similarly, the potential problems that the Data Protection Authority under the PDP could face in harmonizing its interactions with sector-specific data protection guidelines[30] may also be simplified by such a framework.





Conclusion: Not an Easy Suggestion to Implement

The area I identified as requiring urgent regulation is not an easy region to negotiate. For instance, the issues could get complicated with data of multiple subjects or datasets that are inextricably linked – who should be provided ownership, and what part of it should be marketable? Should less-personal data vest lesser ownership entitlements in users than ‘sensitive personal’ data? Does data ‘belong’ to the data-subject, or to the algorithms processing it to create analytics?

Many of the ideas proposed would necessarily involve subjective solutions and would take years, if not decades, to implement satisfactorily. However, unlike the EU’s 2018 Communication which stated that freedom of contract is more important than delineating data-entitlements,[31] I believe that working towards creating entitlements is important. Absence of clear entitlements would create a ‘might-is-right’ situation where the big-tech giants would appropriate data at the users’ expense.[32] For the sake of generating greater trust and transparency, technologies must be regulated by regulating how data entitlements are identified and vested.









The author, Karthik Rai, is an undergraduate law student at the National Law School of India University (NLSIU), Bangalore.










[1] Emmanuel Letouzé, Big Data for Development, UN Global Pulse, available at https://unstats.un.org/unsd/trade/events/2014/Beijing/documents/globalpulse/Big%20Data%20for%20Development%20-%20UN%20Global%20Pulse%20-%20June2012.pdf, last seen on 14/7/2021.

[2] Yan Carrière-Swallow and Vikram Haksar, The Economics and Implications of Data, IMF Departmental Paper Series, 11-16, Working Paper Number 19/16 (2019).

[3] Jason Moore, Capitalism in the Web of Life, 223-226 (2015).

[4] Rahul Matthan, Privacy 3.0, 145 (2019).

[5] Nick Couldry and Ulysses Meijas, The Costs of Connection, 93 (2019).

[6] Nayantara Ranganathan, Solving for Data Justice, Internet Democracy, available at https://internetdemocracy.in/reports/datajustice/, last seen on 20/07/2021.

[7] Prashant Reddy, PDP Bill: The Consent Black Hole, Bloomberg, available at https://www.bloombergquint.com/opinion/personal-data-protection-bill-the-consent-black-hole#:~:text=The%20bedrock%20of%20the%20Personal,manner%20prescribed%20by%20the%20law., last seen on 10/07/2021.

[8] s 36(a), Personal Data Protection Bill, 2019.

[9] Gautam Bhatia, Judicial evasion and the status quo: on SC judgments, The Hindu, available at https://www.thehindu.com/opinion/lead/judicial-evasion-and-the-status-quo/article25953052.ece, last seen on 20/07/2021.

[10] Shreya Atrey and Gautam Bhatia, New Beginnings: Indian Rights Jurisprudence After Puttaswamy, 3(2) University of Oxford Human Rights Hub Journal 1, 4 (2020).

[11] s 91(a), Personal Data Protection Bill, 2019.

[12] Fathima VN, #DataProtectionTop10: Impostors under the Personal Data Protection Bill, Internet Freedom Foundation, available at https://internetfreedom.in/dataprotectiontop10-imposters-under-the-personal-data-protection-bill/, last seen on 7/7/2021.

[13] Bertin Martens, The impact of data access regimes on artificial intelligence and machine learning, JRC Digital Economy Working Paper, 18-19, Working Paper Number 9/2018 (2019).

[14] E. Douglas, The New Antitrust/Data Privacy Law Interface, 130 Yale Law Journal Forum 647, 649 (2021).

[15] In Re: Updated Terms of Service and Privacy Policy for WhatsApp Users, (2021) SCC OnLine CCI 19 [11].

[16] Lina Khan, Amazon’s Antitrust Paradox, 126 Yale Law Journal 710, 746 (2017).

[17] P Hummel et al, Own Data? Ethical Reflections on Data Ownership, 1 Philosophy and Technology 1, 4 (2020).

[18] Government Selectively Opens Up Co-WIN APIs To Third Parties Without Data Policy, Medianama, available at https://www.medianama.com/2021/04/223-nha-cowin-api-access/, last seen on 12 May 2021.

[19] Apar Gupta and Anushka Jain, India’s technocratic approach to vaccination is excluding the digitally-deprived, Indian Express, available at https://indianexpress.com/article/opinion/columns/indias-technocratic-approach-to-vaccination-is-excluding-the-digitally-deprived-7315442/, last seen on 15/07/2021.

[20] Sarvesh Mathi, The Traceability Mandate and What It Means For End-To-End Encryption, Medianama, available at https://www.medianama.com/2021/04/223-traceability-mandate-medianama-discussion/, last seen on 28 April 2021.

[21] Supra 17, at 2-3.

[22] C. Reimsback Kounatze and E. Ronchi, Risks and challenges of data access and sharing, 84-85 in OECD: Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-use across Societies (2019).

[23] Rahul Matthan, Technology needs a principle-based regulatory regime, Mint, available at https://www.livemint.com/opinion/columns/technology-needs-a-principle-based-regulatory-regime-11612279495782.html, last seen on 15/7/2021.

[24] B. Evans, Much Ado About Data Ownership, 25(1) Harvard Journal of Law and Technology 69, 80 (2011).

[25] Gabrielle Berman et al, Digital contact tracing and surveillance during COVID-19, UNICEF Innocenti Working Paper Series, 9-12, Working Paper Number 2020-01, UNICEF (2020).

[26] Supra 17, at 10.

[27] Rahul Matthan, The Beckn Protocol, Ex Machina, available at https://exmachina.substack.com/p/the-beckn-protocol, last seen on 30/06/2021.

[28] I. Arrieta-Ibarra et al., Should We Treat Data as Labor? Moving beyond “Free”, 108 AEA Papers and Proceedings 38, 39-40 (2018).

[29] Bhaskar Chakravorti, Why It’s So Hard for Users to Control Their Data, Harvard Business Review, available at https://hbr.org/2020/01/why-companies-make-it-so-hard-for-users-to-control-their-data, last seen on 12 May 2021.

[30] An Arduous Task Lies Ahead of India’s Proposed Data Protection Regulator, Medianama, available at https://www.medianama.com/2021/03/223-an-arduous-task-lies-ahead-of-indias-proposed-data-protection-regulator/, last seen on 10/07/2021.

[31] European Commission, Towards a common European data space, EC Document COM (2018) 232 final, 9, (25/4/2018) available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52018DC0232&from=en, last seen on 21 July 2021.

[32] Guido Calabresi and A. Douglas Melamed, Property Rules, Liability Rules and Inalienability: One View of the Cathedral, 85(6) Harvard Law Review 1089, 1100 (1972).
