Centre for Artificial Intelligence, Law & Society
(1) Nidhi Singh, Deputy Director, Centre for Competition Law & Policy AND Centre for Artificial Intelligence Law & Society, GLA University & Counsel, Supreme Court of India, Government, Asia-Pacific Group
(2) Prof. (Dr.) Avinash Dadhich, Director, Centre for Competition Law & Policy AND Centre for Artificial Intelligence Law & Society, GLA University, India, Academia, WEOG
(3) Utkarsh Leo, Lecturer in law, University of Lancashire, United Kingdom, Academia
(4) Jayanti Jaya, Research Fellow, Centre for Artificial Intelligence, Law and Society, GLA University, India, & National Law University, Odisha, Civil Society, WEOG (4) Anurag Vijay, Counsel, Supreme Court of India, Asia-Pacific Group, Civil Society
(1) Nidhi Singh, Counsel, Supreme Court of India, Government, Asia Pacific (2) Prof. (Dr.) Avinash Dadhich, Centre for Artificial Intelligence Law & Society, Civil Society, WEOG (3) Jayanti Jaya, Research Fellow, National Law University, Odisha, Academics, WEOG
Utkarsh Leo & Jayanti Jaya
Targets: It is related to SDG 8, 9 and 16 SDG 8 (Promote sustained, inclusive and sustainable economic growth, full and productive employment and decent work for all.)- Data protection is instrumental in ensuring sustainable development. Data which fuels AI is about to become the biggest job creating sector in the world , thus making policy intervention a necessity. Today data has an economic value so regulating it will promote economic growth without infringing the fundamental right of the citizens. SDG 9 (Build resilient infrastructure, promote inclusive and sustainable industrialisation and foster innovation)- AI is supposed to bring fourth industrial revolution in the world. Have a strong data protection can ensure better development and robust protection of privacy in any country. SDG 16 (Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, and inclusive institutions at all)- Digital divide is a reality. To sustain our lives in this digital age one needs to be aware about their rights. This will only be possible through digital literacy which could create an inclusive society. Data protection, protecting privacy and adequate data governance mechanism can ensure justice and freedom of speech and expression.
The format of discussion shall be a mix of powerpoint presentation and dialogue to exchange a conversational tone on data privacy and governance. Further, there shall be a Q&A session at the end of the lightning talk to make the discussion all the more engaging.
Today privacy and data privacy are used interchangeably as data has a pervasive effect in our life. Personal data is now used to produce behavioral predictions and shape our choices. This makes privacy vulnerable to risks and abuse. Article 12 of the Universal Declaration for Human Rights declares privacy as a fundamental human right but it is not protected enough and incidents like Cambridge Analytica go on to prove this. A subsequent question would be how we can protect our sensitive personal data from the state and the data harvesters without a symmetric and standardized global approach. How do we define the sphere of personal data? How do we strike a balance between protecting privacy and promoting research in data? How do we frame policies which equally penalizes the state and the private parties? A wave of change came in the arena of privacy in India after the Aadhar Judgment. It established privacy as a fundamental right and laid emphasis on enacting a Data Protection Act which still needs to be passed. But is passing the Data Protection Bill enough? It is pivotal that with this Act a crusade for data awareness is also conducted simultaneously. So that even a common person can protect his/ her /their data. Any regulation can comprehensively deal with it but cannot cover every aspect of data protection. As data is an evolving subject which requires close scrutiny and periodic analysis.
Participation from the audience will be strongly encouraged. To help listeners participate and to collect their feedback easily, we are planning to use Wooclap, a user-friendly platform that helps to attract the attention of the audience. It is not our purpose to overload the audience with information, rather we aim to keep them engaged. We plan to do this also by showing a PowerPoint presentation, as visual support to our narrative, to improve the audience's focus. This shall help us in holding the attention span of the attendees and in simplifying the technical and legal elements of privacy, data protection and competition law that are essential to the dialogue. After the presentation, the audience will have time to interact with the presenters during the Q&A part of the session, by debating the issues pointed out and providing regional and local insights to the discussion.
The session was on the topic, ‘Walking the Tight Rope: Protecting Data and Promoting Democracy’under the theme Governing Data and Protecting Privacy on 1st December 2022 at 11:30 UTC to 12:00 UTC.
The session was conducted by two speakers and a moderator. The speakers for the session were Utkarsh Leo and Jayanti Jaya and the session was also moderated by Jayanti Jaya. Uttkarsh Leo is a Lecturer in Law at the School of Justice, University of Central Lancashire (UCLan) in the United Kingdom. His teaching and research related work addresses law and technology, mediation and dispute resolution, and economics and public policy. Jayanti Jaya is a final year student at National Law University Odisha.
Through the course of this session relevant topics related to protecting data and promoting democracy was discussed. They tried to answer the following questions which were significant for the topic:
1. How can we protect sensitive personal data from the State and data harvesters without a symmetric and standardised global approach?
2. How do we define the sphere of personal data?
3. How to strike a balance between protecting privacy and promoting innovation in data?
Professor Utkarsh answered the first two questions. His talk stressed on why data protection is crucial for democracy especially in the Indian context. He then went on to explain the need for a global approach to protect sensitive personal data from the State and data harvesters.
He said the world we live in is more wired than ever for example the ongoing Zoom call which shows that we live in an increasingly digital world. In fact, it is estimated that by the end of 2022 we will have produced and consumed 94 zettabytes of data (i.e., a trillion Gigabytes 10 to the 12 power is a trillion—fun fact, about a trillion seconds have passed since cave dwellers painted on cave walls).
Whenever we use the internet from online surfing to shopping to social media—we leave behind a digital footprint in the form of clicks, likes, views and purchases. This makes our online activities and devices susceptible to tracking and influencing and the Facebook-Cambridge Analytica scandal is the best example. This digital data or footprint is collected, processed and analysed by corporations and Governments either for targeted advertisement or mass surveillance and hence creating challenges for privacy and data protection.
That is why, a data protection law is important. A strong data protection law like the EU’s GDPR sets out detailed requirements for companies and organisations on collecting,storing and managing personal data. It guarantees tech users certain rights, including control and access to their data, and even the right to request their data deleted. Citizens in jurisdictions like the EU have better protection (and understanding) of personal data.
Whereas, in a developing country like India, informational privacy has not really been a top priority. As we stand today, India does not have a comprehensive data protection legislation. A fundamental right to privacy was recognised by the Supreme Court in 2017. Soon a Personal Data protection bill 2019 was proposed, the Joint Parliamentary Committee received around six extensions and interestingly it was recently scrapped in August 2022. Another Bill titled the Digital Personal Data Protection Bill 2022 has been proposed for public consultation in India.
Had the GDPR been in effect when Cambridge Analytica happened “Facebook would have been considered a data controller, obligated under the EU privacy law to ensure that third parties like Kogan honour their data sharing contract, i.e. that they only use personal data for the purposes outlined in the contract.” Take India as an example, the world largest democracy, a country with 1.39 billion people witnessing a digital revolution and rising state surveillance has little to no protection from targeted or direct marketing to state sponsored surveillance. Protests are run though facial recognition systems to identify protestors. This impacts democracy. Autonomy or the ability to make an informed, uncoerced decision is pivotal for democracy. And as Volker Nebler puts it, autonomy is not possible without privacy.
Therefore, a personal data protection law—protecting citizens personal data from ‘misuse’ and ‘abuse’ and that is built on the principle of processing data lawfully, fairly and in a transparent manner, with purpose limitation and data minimisation is fundamental.
Of course, big data is a big economic opportunity. But to properly capitalise on this economic opportunity requires data protection. Having effective and efficient data protection laws will help build trust in digital tools. This trust will translate to even greater acceptance of services that rely on data sharing and data use consequently fuelling more investment.
The problem today is that the world lacks a uniform data protection law. A global standard would likely address the most significant data privacy risks and protect individual rights while still facilitating the continued and inevitable cross-border flow of data worldwide. The United Nations can play a key role in strengthening ‘national legislative and regulatory frameworks concerning the collection, processing, retention or use of personal data’ and align UN policies with data protection Convention 108. Because as of now consumers in lax jurisdictions are facing data misuse. More importantly, a lack of uniformity is a challenge for businesses—who have keep complying in keeping up to data with the ever changing laws from jurisdiction to jurisdiction.
The GDPR is the benchmark that is available. However, for those that attempt to comply with GDPR, there are practical hurdles. Countries have found it challenging to acquire and maintain an adequacy decision from the European Commission.
However, there is a largely ignored data privacy international treaty, the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data known as Convention 108 (as it stands today as 108+). Joining “Convention 108+ 2 offers the possibility to rely on a strong network of peers providing assistance, advice and support.
Tailoring national laws in line with Convention 108 will bring in make data more harmonised. In an era of increasing digitalisation, it is crucial to allow the competent authorities to work hand in hand on common challenges.
But of course there will be challenges, especially with multilateralism on the rise. Some may also oppose this as European values. But the most important will be to bridge the digital divide so that citizens of developing nations understand the value of data that they possess.
His talk could be summarised as:
- Protection of data is a must for protecting democracy.
- Convention 108+ could be a steppingstone towards a global data protection treaty. However, it will certainly not be easy to bring everyone on board.
Jayanti answered the last question.
Huge amount of data is generated with the increasing digital footprints in the online space. Many big and small companies drive innovations through data. It is important to promote innovation by considering the interest of startups, and promotes innovation and sandbox. For instance the earlier Data Protection Bill mentions very little about innovation. It leaves it to the mercy of future policies for its promotion and places a heavy burden of compliance.
A robust compliance system is essential for protecting privacy. But overregulation is detrimental for economy and governance. With increasing the periphery of compliance the cost also increases. Research shows that an increasing compliance based system hinders innovation. For instance in India most of the firms are micro in nature. The report of the Ministry of Micro, Small and Medium Enterprise business says that out of the estimated number of enterprise only 4000 of them were large enterprise. It is eventually the small enterprise who will bear the brunt of regulations.
For ensuring privacy a consent-based system for using the data of a data principal may be created. But the increasing transparency may make the sharing of data a difficult process which will be detrimental to advancement in data technologies. The consent is often not given properly as (a) there is a small percentage of population which spends time on understanding the purpose of their data collection or the terms of an agreement and (b) the lack of capacity or tools to comprehend these technical terms.
This balance could be maintained by a strong, progressive and evolving data protection law. The very aim of data protection laws is to create a balance between privacy and free flow of information. Free flow of information is important for economy and innovation. Law maintains this free flow of information and protects privacy at the same time.
A strong law can regulate a sphere effectively. And for this the governments have to decide whether they want to introduce a law governing all sectors or a sectorial regulations.The law should be progressive enough to allow free flow of information for research and protect the privacy of the people.
The law should be evolving in nature so that it can be amended according to the changing needs and research of the society.
And it not only law which could be important in protecting the privacy but people themselves by making them aware about their rights, terms and usage of their data .
Her talk could be summarized as:
1) Overregulation should be avoided as it is detrimental to innovation and the data protection laws should be progressive and evolving in nature.
2) Even a common man should be made aware about their data rights to make a conscious choice and guard their own privacy.