The price of privacy in the data bazaar

If the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (2021 Rules) herald the anticipated Data Privacy Law for India, then the inevitable conundrum of data ownership by the Data Principal will expectedly soon follow suit. Is data ownership the solution to protecting information privacy?

Intuitively, people believe they ‘own’ their own content. Will data need to be licensed by the Data Principal before it is used by anyone else? Will the consequent corollary be to expect or seek compensation from intermediaries for sharing the Data Principal’s data? This argument engenders a flip side, too: The typical David and Goliath syndrome, in which a person unwittingly shares data unaware of its value, but the recipient of the data can, alone or as a collective, realise a huge profit from that data. In an egalitarian, utopian worldview, Big Tech would share the wealth created from such data with the Data Principal.

GDPR and other privacy laws recognize several aspects that reflect ‘ownership’ of data, such as the right to control, delete, edit, and manage an individual’s information, and decide how, to what extent, and when the information is communicated to others. If the information is owned, it can be sold as a commodity. Does data, however, possess the inherent qualities of ‘property’? Or is the value of personal information different? Should it not be more logical to treat data merely as ‘information’, and not as ‘property’? By doing so, suddenly, data is not owned by anyone!

If someone’s personal information is of value to others, and to society, in general, does it necessarily have to be licensed or sold? In addition to causing friction by placing obvious roadblocks in the smooth functioning of the Internet, how would anyone ascribe an exact value to a particular piece of information? A high valuation may stall the free flow of information, and a lower than fair valuation would deprive the ‘owner’ of money that is due to him/her.

Freedom, so intrinsically associated with the Internet, should not be restricted by reducing personal data to a commodity that may be bought or sold.

Consider a simple example. Does a person have exclusive interest in his/her name? A person’s name has critical social and economic significance to them. In fact, society regulates the naming process. From birth, hospital, municipality onwards, a name is an intrinsic part of the individual’s identity. An individual who desires to change his/her name must follow a process prescribed by law, which may involve mandatory public announcements. If blocks are put on individuals being identified by their name on the Internet, how will they be identified by friends, family, business associates, and for broader social, economic, and civic purposes?

The intersection and interconnectedness of personal information and public interest may also be, similarly, analysed for apps, cell phone records, banking transactions, credit reporting, KYC compliance, e-commerce transactions, messaging, etc. Courts will acknowledge the right to privacy, but, concurrently, will not do so at the cost of curbing business or law enforcement.

Next on the data privacy menu are concerns about cybersecurity, online fraud, and other forms of online crime. As the world moves toward a stronger digital economy, it must recognize the pillar on which it operates, namely, data-sharing. Post-Covid-19, few sectors have been left untouched by the digital economy. Cloud services, outsourcing, and remote sensing are deployed everywhere. Safety and security of the digital world would not be possible without free flow of data and information.

Another critical data privacy area is the much-maligned world of ad tech, targeted advertising, and other tools of online marketing. Consumer awareness, thanks to cyber-vigilantes, online tracking, advertising identifiers, cookies and data-sharing, is high. There is general awareness that tracking occurs across sites and devices; often without the Data Principal’s knowledge and, sometimes, despite implementing preemptive avoidance measures. Again, regulating data brokers and others in the chain of command should not be likened to trespassers using someone else’s property. While collection of information may be intrusive, it cannot be treated as a violation of property rights. It is worth noting that marketing and advertising support for-profit as well as not-for-profit causes. Personal information may provide the basis for medical research, identifying discrimination, solving crime, impact assessment, and anthropological and other useful purposes. These data sets form the basis for any government to create public policy.

No doubt, there are two clear interests at stake: i) Sharing personal information that is useful for social, economic, and government systems, and ii) protecting the Data Principal’s interests in utilising his/her personal information. These are not necessarily competing interests. Further, safeguarding these interests does not necessarily result from assigning ownership rights to data. Aligning privacy rights to an intellectual (intangible) property rights regime creates a transactional model for monetisation, and is technically (and legally) complicated to implement.

The consent provisions in the Personal Data Privacy Bill (last draft available for public comment) do not assist Data Principals in estimating privacy risks. Clicking through privacy and consent notices is not what the government intended in terms of informed consent. Since a majority of data subjects will neither be aware of the economic benefits or privacy harms related to sharing their personal data, should such data be commoditised in the first place? Will they really be better off licensing their data for monetary consideration in this data bazaar? And what or who determines the valuation?

Should the government set the value for personal information? As it does in the case of tangible property. Should valuation be determined by the bazaar, using an unsuspecting, click-fatigued, service-hungry Data Principal? Once valued, will the Data Principal have any (residual) interests left in the personal information?

Flipping the discussion to the online retailer, would the retailer have any rights to the transaction data? What if the retailer refuses to transact business with a consumer, unless, as a condition of sale, the consumer grants a license to the retailer to use the information for specified purposes? This puts an interesting twist on the pain of reading fine print and the power of the Big (online) Brother.

Finally, what happens to information exchanged between two Data Principals on an end-to-end encrypted platform, such as Signal, Telegram, and WhatsApp? Would both Data Principals have property interests in the personal information about an activity they planned together? Would they need each other’s express consent to share any part or the whole of the interaction with a third party?

In the data bazaar, privacy maybe a challenge, but recent and upcoming legislations may trigger complex challenges of adoption, consent, and implementation management across many different contexts, interests, and platforms.

Ultimately, it is important to protect the Data Principal’s interests when sharing their personal information. The Personal Data Protection Law should empower individuals through more layered and meaningful transparency instead of endeavouring to reinforce control with a property interest that is likely to fail society. Data sharing is an arranged marriage between the interests of the Data Principal in owning their personal information and the social benefits that result from a free flow of information sharing.

Views are personal. The author is Partner, J. Sagar Associates.