Expert Speak Digital Frontiers
Published on Aug 02, 2022
Embedded privacy by design can help build consumer trust instead of systems that seek privacy as an additional feature.
Leveraging data privacy by design

After two long years of deliberations and consultations, the Joint Parliamentary Committee on the Personal Data Protection Bill 2019 submitted and tabled its report in the 17th Lok Sabha in December 2021. While the provisions of the report continue to be debated, its submission is a step closer to enacting the first comprehensive data protection law in India. Before the 2019 Bill, personal data protection in India was governed primarily by the Information Technology Act, 2000, which deals mostly with cybercrime and e-commerce. Given that the IT Act, last amended in 2008, has largely been sectoral in its application, the enactment of the PDP Bill 2019 will be a landmark event for India’s digital economy. Trade representatives in India and abroad are calculating the Bill’s implications for the booming digital industry, and the Bill comes at a juncture when India’s internet economy is projected to become a US$1-trillion ecosystem by 2030. At the same time, the Indian government has launched the ambitious ‘Digital India’ programme, which aims to transform India by building digital infrastructure, integrating governance and services on technology platforms, and digitally empowering citizens. Together, the evolving business environment and digitised government welfare delivery signal a social and economic ecosystem that is highly data dependent and will generate vast amounts of personal information about individuals. On the one hand, such an ecosystem raises security and privacy concerns; on the other, digitally enabled services give businesses tremendous opportunities to grow and allow essential welfare services to be delivered efficiently at scale.
In such a scenario, it becomes imperative for national and international data protection frameworks to balance security and privacy concerns with space for innovation and growth. Most importantly, digital economic transactions, like any other economic transaction, are based on trust. Economic theory places trust at the core of any relationship of exchange; when it is underwritten by institutional, legal and regulatory mechanisms, it leads to greater economic efficiency and growth. A digital economy is characterised by information relationships, and privacy is what sustains trust in those relationships. In this context, this note contrasts the compliance approach to privacy with the design approach, and discusses how businesses can enhance consumer trust by adopting privacy by design. The proposed PDP Bill 2019 creates several obligations for data fiduciaries (the companies, organisations and other entities that determine how personal data is processed) as they store or manage personal data, graded by its sensitivity. Failure to comply with these norms can incur hefty penalties. The compliance approach to privacy works by adding privacy and security measures to data that has already been collected; here, privacy is an afterthought to the system of data storage and processing. Privacy or data protection by design, by contrast, is an ex-ante method of protecting information privacy whereby personal data is protected automatically by the information technology system itself.

Embedded privacy by design mechanisms aim to build consumer trust into data collection and processing systems, as opposed to systems that bolt privacy on as an additional feature of the product experience to achieve regulatory compliance, or that offer privacy measures only when users demand them. For technological systems, how the software used for data collection and processing is architected, how it functions, and how it communicates with users can hinder or facilitate information exchange. Software systems therefore have to be built with privacy features incorporated from the very beginning: building a system from scratch opens up more possibilities than retrofitting an existing one, since the basic properties of an information system can limit how far it can later be improved. Digital data is itself the product of a technological design that makes information easy to recall, because it can be preserved in a persistent, searchable state at marginal cost. Equally, technological design can make data difficult to access by placing technological barriers in the way, driving up the transaction costs in time and resources required to reach it. The marketplace offers many examples of privacy by design. Apple has built device encryption into its phones to secure the information stored on them. Amnesty International helped develop a ‘mutant’ font for internet users who want their writing to be readable by humans but not by computer bots: the font’s design includes small graphic interventions that prevent machines from recognising its letter shapes, making automated data processing more difficult. In a separate example, the tech media outlet Gizmodo configured its services so that the IP addresses of visitors to its website are not stored.
More recently, Google announced new privacy measures, including an option for users to quickly delete the last 15 minutes of their search history, a locked, password-protected photos folder on Pixel and other Android devices, and reminders about location tracking in Google Maps. Design decisions thus determine the ease with which information can be accessed. Privacy laws and regulations can therefore include guidelines for industry standards, benchmarks for privacy-enhancing technologies, and funding for privacy by design research, to incentivise technology designers to strengthen privacy safeguards in their product designs and thereby promote privacy-savvy technological models. Developing and incorporating these models will, however, have cost implications for businesses. Costs may include technology upgrades to incorporate privacy by design principles and the expenditure incurred as businesses align their practices and procedures with new information collection practices. A large part of the transition may become a sunk cost if businesses focus solely on compliance efforts and fail to embed these costs in future product designs.
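The Gizmodo example above, a service configured so that visitor IP addresses are never stored, can be made concrete in code. The following Python is an added illustration written for this page; it is not Gizmodo's configuration and not code from the article or from ORF. It uses constructed sample traffic on RFC 5737 / RFC 3849 documentation addresses and assumes two standard privacy-engineering techniques, prefix truncation and HMAC-based pseudonymisation under a per-day key. It contrasts a logger that transforms the address in memory before anything is written with a logger that stores the raw address and redacts it afterwards, and shows that the later scrub cannot reach copies that were already written to an append-only store (a log file, a log shipper, a backup).

```python
import hashlib
import hmac
import ipaddress
import json
import secrets

# Constructed sample traffic (documentation addresses, not real visitors):
# one IPv4 client seen on two different days, plus one IPv6 client.
SAMPLE_REQUESTS = [
    {"ts": "2022-08-01T09:15:00Z", "ip": "203.0.113.42", "path": "/articles/7"},
    {"ts": "2022-08-01T09:16:10Z", "ip": "203.0.113.42", "path": "/articles/9"},
    {"ts": "2022-08-01T11:02:45Z", "ip": "2001:db8:85a3::8a2e:370:7334", "path": "/"},
    {"ts": "2022-08-02T08:30:00Z", "ip": "203.0.113.42", "path": "/articles/7"},
]


def truncate_ip(ip: str) -> str:
    """Coarsen an address to its network prefix (/24 for IPv4, /48 for IPv6).
    Enough for geography and traffic statistics, not enough to single out a host."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed hash of the address. Stable while `key` is in use (so rate limiting and
    abuse detection still work), not invertible without the key, and unlinkable once
    the key is discarded. An unkeyed hash would be reversible by brute force over
    the 2^32 IPv4 space, which is why HMAC with a secret key is used instead."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]


class AppendOnlyStore:
    """Stand-in for a log file, log shipper or backup: writes cannot be undone."""

    def __init__(self):
        self.lines = []

    def write(self, record: dict) -> None:
        self.lines.append(json.dumps(record, sort_keys=True))

    def contains(self, needle: str) -> bool:
        return any(needle in line for line in self.lines)


class PrivacyByDesignLogger:
    """Design-time privacy: the raw IP is transformed in memory, before any write,
    so no persisted artefact ever holds it. Keys are per calendar day (assumed
    rotation policy); dropping a day's key makes its pseudonyms unlinkable."""

    def __init__(self):
        self.store = AppendOnlyStore()
        self._keys = {}

    def _key_for(self, day: str) -> bytes:
        return self._keys.setdefault(day, secrets.token_bytes(32))

    def ingest(self, req: dict) -> dict:
        day = req["ts"][:10]
        rec = {
            "ts": req["ts"],
            "path": req["path"],
            "client": pseudonymize_ip(req["ip"], self._key_for(day)),
            "net": truncate_ip(req["ip"]),
        }
        self.store.write(rec)
        return rec

    def retire_day(self, day: str) -> None:
        self._keys.pop(day, None)  # after this, that day's pseudonyms cannot be recomputed


class ComplianceAfterthoughtLogger:
    """Compliance-style privacy: store everything, redact later when a rule demands it."""

    def __init__(self):
        self.store = AppendOnlyStore()
        self.live = []

    def ingest(self, req: dict) -> dict:
        self.live.append(dict(req))
        self.store.write(req)  # the raw IP hits disk, and every copy downstream of it
        return req

    def scrub(self) -> None:
        for rec in self.live:  # only the working copy can be fixed
            rec["ip"] = "[redacted]"


def demo() -> dict:
    """Feed the same constructed traffic through both loggers and report where the
    raw address survives."""
    pbd = PrivacyByDesignLogger()
    late = ComplianceAfterthoughtLogger()
    for req in SAMPLE_REQUESTS:
        pbd.ingest(req)
        late.ingest(req)
    late.scrub()
    raw = "203.0.113.42"
    return {
        "pbd_store_has_raw_ip": pbd.store.contains(raw),
        "late_live_has_raw_ip": any(r["ip"] == raw for r in late.live),
        "late_store_has_raw_ip": late.store.contains(raw),
        "pbd_records": [json.loads(line) for line in pbd.store.lines],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the design-time logger the two requests from the same client on the same day share a pseudonym, so per-client rate limiting still works, while the same client on the next day gets an unrelated one; the truncated prefix keeps coarse geography for statistics. The afterthought logger ends up with a clean working copy, but the append-only store still holds the raw address because it was written before the scrub ran, which is exactly the retrofit limitation the text describes.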

The above can be better understood through an analogy. The price a motorbike rider pays for a helmet is a compliance cost: it is an additional purchase required for safety, over and above the immediate need for a bike as a means of commuting. A seat belt, by contrast, is subsumed as a component of the car rather than an additional requirement, and is perceived differently by the owner. Compliance requirements perceived as additional obligations are thus felt as increased compliance costs, whereas requirements embedded in the design of the product itself are treated as part of the total product price rather than as separate costs. Privacy by design can therefore prompt a shift in the business model: by incorporating privacy features into the technological design of the product itself, and pricing the product accordingly, companies can recover, or at least minimise, the sunk costs that compliance efforts would otherwise impose. At the same time, companies gain an added advantage by offering products that are privacy savvy. At a time when India is striving to transform its digital economic space to attract greater capital, promote growth, accelerate innovation, and bridge the country’s digital divide in skilling, connectivity, and accessibility, legal and regulatory institutions will have a crucial role in managing the digital economic transition. Accordingly, legislation that incentivises innovative thinking at the level of technological design can deliver longer-term solutions to problems of both data security and privacy without hindering prospects for growth and innovation.
The views expressed above belong to the author(s).

Contributor

Meenakshi Sinha

Meenakshi Sinha is an Assistant Professor in Humanities and Applied Sciences at the Indian Institute of Management Ranchi. She previously held research positions at the ...
