Privacy - 8 - Theatre of privacy - notice and consent
The Government of India has tabled a proposed bill titled
Digital Personal Data Protection Bill or DPDP 2022 for short.
You can find the draft bill at the MeitY website - https://www.meity.gov.in/data-protection-framework.
There are really detailed explanations of the bill in its current form by newspaper
TheHindu at -
- A first look at the new data protection bill
- New draft of Data Protection Bill is fundamentally flawed
And two podcasts -
There is enough information in these sources from eminent legal and policy scholars to suggest that this bill is legally unsound in its terminology and how it gives the government (not the legislature or the judiciary) overarching powers and essentially a free-hand over anything in the act as it is written in its current form. I will not explain this in detail as it is already been clearly discussed in the above articles and podcasts.
What do I want to discuss ?
The central theme to this draft bill and most such regulation (including the European GDPR regulation) is the theme of
I want to delve into this seemingly simple/naive yet conniving concept.
A relevant definition of “notice”, as per the dictionary, says -
a displayed sheet or placard giving news or information
When it comes to any company that collects your personal data, this
notice can take many forms -
- Privacy Policies - this is what most apps/websites show you when you sign-up for an acccount the first time. Also, they’ll usually email your registered email address whenever their policies are updated. Usually, this is a small checkbox which says “I accept….”.
- Cookie Banners - usually seen on websites where you get options like
rejector if the website designer is nice, you can probably choose which cookies you want to accept and which not to accept.
- App Permissions - on mobile apps when you first install them, it’ll say that this app will use for e.g. location, camera, microphone, wifi data etc.
and ask for your permission with an
Consent is when you take an action against a
notice. For e.g. you click/press a button or tick a checkbox.
Think of this as you signing at the bottom of an agreement/contract that is legally enforceable.
Any such “consent” serves as a
legal basis for the collection and processing of your data.
Isn’t this a known problem ?
Yes, it is. Everyone knows that nobody reads any of this legalese that is thrown at us whenever we visit a website or signup for a service or install a mobile app. But still, we haven’t been able to move past this style of notice/consent because it provides a clear/actionable way to say that
Someone agreed to our data practices and here's their consent. We are not doing anything illegal.
Difference b/w something being illegal and protecting privacy ?
The key idea that these regulations (including this proposed bill) exploit is that, by structuring the whole argument of privacy around ‘if its legal, it is ok’, the burden is shifted heavily towards a lay person.
A lay person is expected to -
- Read and understand the language of these complicated policies/banners/app permission notices.
- Understand technical terms like ‘cookies’ or ‘data brokers’ or read up on it.
- Understand how the data is shared with other 3rd parties in a complex web of data brokers and ad networks.
Isn’t anyone working towards fixing this ?
Lots of people are working on this. This includes work on -
- Improving the readability of the privacy policies - making them more accessible without loosing the detail.
- Making Cookie banners more usable and easy to navigate and understand.
- Making mobile app permissions clear and easy to understand through pictorial forms as well as through minimization of required permissions as and when they are needed (or not).
India - a world within a country
Things get more complicated when you look at India’s localization needs in terms of plethora of languages. We do not even know if there are appropriate words in all these languages to express (and with clarity) the complex language, which is one of the things mentioned in the proposed draft bill). Maybe there are existing solutions that can be used in this context but it is an additional complexity.
Now what ?
It’s a million/billion dollar question - everyone knows/understands that providing
is a sham and no one is going to read it (forget understanding it). This translates into a
consent that was given to god knows what.
Theatre of Privacy
I see this a public theatre of privacy or
data protection, where everyone is trying to save
their backs - using a legal framework as a cover - when the whole
choice falls on
the unassuming user.