(First published in The Economic Times Brand Equity, August 2022)
On July 27, Google announced that it will delay the deprecation of third party cookies to the year 2024, saying that it needs more time to test the tools for privacy “while giving businesses the tools to succeed online.”
A few days later, on August 3, the Government of India withdrew the Data Protection bill, which has been in the making for over 10 years.
Though the proximity of the timing of these two decisions is a mere coincidence, it represents the challenges at the two ends of a spectrum—one that faced by the market actors and the other, the State, in the face of changing technology and social contexts.
For Google, and for the rest of private enterprises, it is the impact on the multi-billion dollar advertising business. Advertising virtually funds the big tech. With more than 60% of the world’s population now online, and ever increasing time spent, the problem of ‘infinite media inventory’ is real. The only thing that qualifies and makes the inventory valuable is personal data. Giving it away, without finding alternate ways of making media inventory relevant, makes everyone worried.
The business of advertising is the business of influencing. It is the most effective when you know all about the one who is getting influenced. And there lies the trap of crossing the line.
For the State, it is far more complex. It needs to protect the user from being exploited by the market, while it also has to delicately balance the act of defining policies that enable or disable business innovation. Not to mention the State’s own needs of surveillance for security reasons. Unlike Europe or United States, India never had a privacy law, because of social, cultural, and political reasons. The Data Protection bill had well-thought-through four key features: 1) principles of data protection (only essential data must be collected, limited purpose use, no recycling and repurposing, must be purged), 2) use of personal data (must be based on consent), 3) defining rights of individual (right to review, right to access, seek correction and deletion), and 4) formation of a data protection authority for compliance. After months of deliberations, a Joint Parliamentary Committee and recommendation of large number of amendments, it is back to drawing board for a ‘comprehensive legal framework.’ While a lot of criticism has been raised (key being the broad exceptions given for the State) on delaying the bill, the fact remains that it is certainly not an easy task.
Perhaps, at the heart of it all is the challenge of defining what is privacy in the current social and technology context. And what is owned by the individual and what is private to the person.
Privacy is a human construct that started appearing in mainstream discussions only by late 17th or early 18th century. In nature, there is no concept of privacy. Some of the early debates on privacy were centred around instances of printing/publishing personal information, photographs, telegraph, and in the context of a growing newspaper industry. All, a result of some or other new technology being adopted by the society. The credit of building a business model out of personal data goes to Lewis Tappan, an American business man born in 1788. As a trader, he used his business transactions and his network to publish credit ratings of individuals, which rest of the business community and tradesman loved. Modern credit rating agencies can trace its genesis to his firm, the Mercantile Agency, which operated in multiple cities in the United States.
As technologies evolved, so did societies and the notions of privacy. With digital technologies and the conveniences that it brought along, the creation of digital footprints and data has gone beyond anyone’s comprehension. With every action (and even a loud thought, courtesy the Alexas and Siris) now leaving digital traces, petabytes of data are getting created every day. It is not just the data created by actions, but it is also about algorithmic capabilities that can work on these data, interpret patterns, mix with other data sources, and create rich profiles of individuals. In a way turning ‘personal information’ to ‘sensitive data.’ On the other hand, new technologies like AI gets better at it when it has access to maximum raw data. In areas like healthcare, access to data can create meaningful innovation. Data privacy and protection currently hinges on ‘consent.’ In other words, the long fine print we all conveniently skip, before clicking the ‘I Agree’ button in all our digital interfaces.
Widespread availability of personal information is not just restricted to our digital encounters. We are generous with our mobile numbers to everyone. From the bouncers standing at the bar to the wildlife safaris at the national park. In many modern, swanky corporate offices, the entry requires mandatory disclosure of telephone number and often, the Aadhar number. In rural areas, health workers are expected to scribble health and treatment details at the door front.
All this makes drafting the right policy daunting. Not to mention the challenges of enforcement. Technology always precedes policy and it is a tough catch up game for the State.
Though privacy was not a constitutional right in India, it is around Aadhar that the debates and discussions gathered steam. In a landmark judgement in 2017, a nine-judge bench of Supreme Court of India held unanimously that the right to privacy was a constitutionally protected right in India, while also acknowledging the complexities brought about by digital technologies and the need for a data protection regime in India.
As technology advances even further, where real and virtual life becomes undistinguishable, we are yet to see the magnitude of challenges in defining privacy and enforcing the protection of it.
(Reference: Many of the historical facts quoted here is credited to the book ‘Privacy 3.0’ by Rahul Matthan, published in 2018 by Harper Collins India)