PRIVACY & THE CAVE MAN - The Series - Part - ... A tribute to India's unsung Privacy Heroes
PRIVACY & THE CAVE MAN
- DHANANJAY ROKDE
The US Constitution made the first-ever reference to “Privacy” in 1789. This fleeting reference neither defined the concept of privacy nor made any constitutional guarantees to its citizens. Subsequent amendments took place, and privacy eventually found its place in the first, third, fourth and fifth amendments, thanks to Supreme Court rulings.
However, it was in 1890 that Justice Brandeis coined the term “The RIGHT to Privacy”, thereby demanding a constitutional right “To be let alone”. His argument speaks of privacy infringement via the press and the state actors. In his essay “The Right to privacy” (published in the Harvard Law Review), he describes privacy as a sacred right.
This wasn’t the so-called digital era; citizens often relied on snail-mail (or the postal service) for correspondence. So what was stopping state actors, and intelligence agencies from eavesdropping on open envelopes?
Therefore in 1917 the first ruling on “protection of sealed envelopes/mail” was pronounced by Judge Lamar, against the opening of any mail, as it breached the privacy of the recipient and the sender.
This was the Cold War era, and obviously, this ruling did not go down well with the investigative agencies, which were convinced of foreign sabotage through postal mail.
Privacy issues and unwarranted invasions have now reached the world stage. State actors and agencies were running amok directly accessing banking, taxation, travel, purchase and social/habitual information of the common citizenry.
George Orwell’s novel “1984” (published as a futuristic, science fiction and cautionary tale in 1948) was becoming a reality. Orwell describes a fantasy super-state where NO ONE has any privacy, and the state controls all activities using stealth cameras and microphones. So much so, that even the thoughts of the citizens are monitored by the state sleuths, known as the “Thought Police”. In the same year that Orwell’s fiction was published, the UN took cognizance of the fact and drafted the UDHR (UN Declaration of Human Rights) along with all its member states.
The most important outcome of the UDHR is Article 12, which states “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks”.
Privacy was no longer a privilege, it had now become a legitimate right of the common man, within the UN member states.
Now that the privacy rights had been established, one would beg to understand what the grounds for violation would be. Therefore the missing piece of the puzzle needed to be put in – “What are the circumstances under which damages can be sought for violation of privacy?”. And in 1960, William Prosser, a renowned legal expert, laid down the four foundations of seeking damages –
1. Uncalled for intrusion into someone’s private affairs or interruption of seclusion
2. Disclosure of private embarrassing facts, causing awkwardness and public humiliation
3. False publicity in the public, demeaning the individual
4. Misuse of anyone’s name, namesake or likeness
Now that the torts were laid down by Prosser, various landmark judgements followed across the 60s & 70s. Interestingly, contraception was illegal until then as per the Comstock Law (for both men and women). The Supreme Court came down heavily upon this law and struck it down, stating that “Right to marital privacy is sacred, and can not be intruded upon”.
Similarly, it tied the hands of state actors and agencies concerning search and seizure. And in 1972, the Supreme Court further tightened the screws around all investigative agencies, making it mandatory for a warrant to be signed and authorised by a Judge for ANY kind of surveillance to be conducted domestically. This decision of the Supreme Court was passed unanimously.
This top-down approach led to several legislations and new acts for citizen protection being passed. In 1973 the Secretary of Health, Education & Welfare was required to process citizen information for the distribution of subsidies and welfare funds.
Data of such volume had to be processed electronically. Hence to avoid any breach of privacy and bias a “Records, Computers, Rights of Citizens, Report of the Secretary’s Advisory Committee on Automated Personal Data Systems” was created. This report was the first-of-its-kind on Fair Information Practices, which laid the foundation of principles of modern privacy. Subsequently, FERPA (Family Education Rights and Privacy Act) was passed in 1974 for the protection of student education records.
A number of legislations and acts were passed across the US (for the protection of students, patients, retirees, veterans, government employees, doctors and attorneys), some varying from state to state; however, a common national law was missing. And in the same year this gap was filled by the passing of the Privacy Act of 1974, a US Federal Law that established a protocol for agencies to collect, maintain, use and distribute citizen information. The term “Personally Identifiable Information” (PII) was coined and defined through this act, for the first time.
While agencies were disciplined by the courts and the legislature, the question now became: what about citizens and businesses violating the privacy of other citizens?
With the advent of telephones in the late 80s, telemarketing, lottery sales, lucky draws, business promotions and other sorts of unsolicited calls were on the rise. Hence The Telephone Consumer Protection Act was passed in 1986, and alongside the Act the Federal Government put into force the Do NOT Call Registry (DNCR).
Enrolling in the DNCR protected consumers from such unwanted calls, and a fine would be levied on those who violated the terms of the DNCR.
Meanwhile on the other side of the pond … In 1995, The European Union woke up to the rude shock of mass identity thefts, frauds, money laundering, illegal cross-border funding of terror and terror-related activities. Clearly, their citizen identification program had failed, and a massive portion of the population had their identities stolen. In response to these negative developments, the EU member states got together and passed the Data Protection Directive (DPD).
The DPD was based on lessons learnt from the US, and was much clearer, easy to interpret and highly sophisticated. The DPD was then replaced by the General Data Protection Directive (GDPR) in 2018. To date, GDPR remains the most stringent Act for privacy protection with the heaviest fines, and even mandatory imprisonment, in severe cases.
The traditional hot targets for cyber attackers have always been banks, insurance companies, investment houses, universities, government websites, scientific research facilities, and police and criminal databases. But since all these came under the ambit of the Privacy Act and watchdog agencies such as the SEC (US Securities & Exchange Commission), NIST (National Institute of Standards & Technology), FTC (Federal Trade Commission), United States Secret Service, United States Department of State and the FBI, the hot targets weren’t so hot anymore. They were under continuous vigilance and monitoring, and the slightest anomaly would raise alarms everywhere.
Hence the attackers and identity thieves needed a softer target, a weak link per se. And voilà! They found it in the healthcare ecosystem. Hospitals (both government-funded and private) ran a tight ship as far as their technology budgets were concerned. Their main focus was better medical equipment, more beds and more doctors. Information systems always took a back seat and were mostly obsolete and barely functioning in most cases. Delta Dental, GEDMatch, Quest Diagnostics, Premera, UCLA Health, Advocate Medical Group, NHS; and the king of healthcare breaches “The Anthem Breach”, which had a whopping 30M records leaked, deleted & permanently wiped in less than an hour.
The call to action was clear: the entire healthcare system needed a revamp. Everyone from the hospital, health insurance provider, third-party vendors and medical equipment suppliers to software and hardware developers had to be brought under scrutiny, and bound by a set of laws. The Privacy Act of 1974 clearly defined PII; it was now time to enforce it on top of the healthcare system. The Act previously known as the Kennedy-Kassebaum Act was renamed the Health Insurance Portability and Accountability Act (HIPAA). It was passed by Congress and signed by President Bill Clinton in 1996. Similarly, tender-age children are the biggest and easiest soft targets, because once their identities are stolen, they undergo a lifetime of suffering. As a legal countermeasure the Children’s Online Privacy Protection Act (COPPA) was also passed alongside HIPAA in 1998. In 1999 President Clinton also appointed the first Chief Federal Privacy Counsellor, who is the equivalent of the Chief Information Commissioner in the Indian parlance. Under the provisions of the Freedom of Information Act (FOIA), the citizenry could request information from the Federal Government for legitimate purposes. This is similar to the process of Right to Information (RTI) followed in India.
Businesses can not exist or co-exist without the exchange of consumer information. An investment banker needs his client's PII to take it to the Bank, the Bank needs a third-party agency to perform the evaluation on properties and assets, and then the report has to go to an underwriter who finally authorises the mortgage or loan. There are too many cooks involved in making one dish. And any one of the cooks could be the weakest link.
To ensure streamlined business, aligned to privacy principles and laws, the Gramm Leach Bliley Act (GLBA) was enforced in 1999. The GLBA empowered the FTC to ensure that consumer privacy is protected throughout the cycle, and the safeguards mentioned in the GLBA are in force at all times.
Data Security & Protection ARE NOT equal to Data Privacy - The birth of the DPO
Large corporations, multi-national banks and credit unions started feeling the heat of privacy violations: the lawsuits were getting expensive, the burden of fines was enormous and the workload was stretching the staff thin. Sometimes lawsuits would extend to multiple geographies, which meant an infinite time and money budget; over and above that was the looming threat of imprisonment due to negligence.
Corporations and Board members realised that it is unfair to thrust the responsibility of privacy on the CISO. After all, Privacy is a different science altogether. Hence the birth of the CPO (Chief Privacy Officer) role took place. Lawyer Ray Everett is the first known CPO, hired by the internet advertising firm AllAdvantage in 1999. The message and strategy were clear – while the CISO defends the organisation, the CPO advocates and protects consumer data, as per the prevailing laws.
Times of war – The war against privacy
September 11, 2001, changed everything for everyone.
One could almost say that the towers or pillars of privacy fell on that dreadful day. President George W Bush sanctioned the US Patriot Act. Under the pretext of the circumstances prevailing at that time, it gave the government agencies carte blanche for monitoring any and every telephonic conversation, email communication and wire transfer. A total of 14 provisions of the Privacy Act were superseded by this Act. No exceptions – Citizen PII was made fully available to the designated agencies. And a new agency was born to complement the existing NSA (National Security Agency): The Department of Homeland Security (DHS). Their powers superseded all other agencies involved in privacy control.
During this crisis several data processors, parsers, data mining tools and screening software were deployed. This was a rerun of the “Too many cooks” show. Now the problem was lack of ownership, and an even bigger problem was that, in case there was a leak, who would take ownership and how would it be found – forget about plugging it.
As things came under control around 2002, Congress realised the colossal mess it had got itself into, with an infinite liability, and open to lawsuits from all directions. Hence in 2002 an initiative was undertaken to self-assess and certify the agencies themselves.
This legislation was called the e-Government Act of 2002. It required all agencies to demonstrate improvement against a fixed metric called the “Privacy Impact Assessment”.
The scoring was based on how the new technology is being adopted, and how it collects PII, maintains it and distributes it to other agencies. This counter-measure was put in place to curtail the powers bestowed under the US Patriot Act, bring in a balance of authority, and restore the sanity lost in the crisis.
Shhhh! We have been breached.
By the early 2000s it had become common knowledge among security experts, computer users and even the legislators that a data breach is simply an eventuality. You can postpone it as much as you want, but it will happen when you least expect it to. With that in mind, the state of California was the first state to implement the State Data Breach Notification Law.
This law required that businesses as well as government agencies immediately report any security incidents and data breaches. This law comes from the ideology that businesses that have faced a data breach are already under duress, and that government agencies such as US-CERT (US Computer Emergency Response Team), CISA (CyberSecurity and Infrastructure Agency), along with the DoJ (Department of Justice) can collaborate with the affected business to help them recover, and return to business as usual.
Forget me! Please.
Coming back to the other side of the pond … The 2012 DPD underwent a unique amendment. Several search engines, social media sites and networking portals were fined for unsolicited personalization. The complaints from the citizens were admitted by the EU Chief Information Commissioner, as they were found to be genuine. Consumer profiling and serving customized advertising were deemed illegal, without consent.
Also, searching for someone’s name would throw up the person’s entire life history and chronology, which was a blatant violation of the privacy of citizens, and this data was sold and misused for consumer profiling. The EU made it mandatory for all search engines and social media sites to implement the “Right to be forgotten” controls and discontinue personalisation without explicit consent of the consumer.
This was obviously followed by a much more comprehensive and stricter law, The GDPR in 2018. GDPR not only applied to the EU members, but also to the European Economic Area (EEA) member countries. GDPR applies to ANY and all kinds of data entering and leaving the EU & EEA.
AI is here. What now?
Research around GenAI began as early as 2020; however, the first public release did not happen until 2023. The legal and privacy struggle with GenAI was that it was NOT an entity or a business or an agency. Very simply put, it is a set of algorithms that surfs the web on your behalf and makes a best-effort attempt at solving the problem assigned, creating the image you need, correcting a piece of information or literature, collating information you ask for or even completing assignments for school and college kids.
While the technology has not been perfected yet, the results are pretty astounding, and near-accurate. Some of the problems that it brings along are copyright infringement issues, reverse image lookup (advanced facial recognition technology), telephone number and address search, social security validation, unpublished results / books of the competition, system vulnerability information (encouraging non-ethical hacking), and deceptive business and academic practices, among others. Since these are closed systems, they lack transparency. And governments all over the world are afraid of the devastating effects an uncontrolled AI system can produce. When the model is trained maliciously, it can become a weapon of mass destruction by itself.
This year, 2024, marks the launch of the EU AI Control Act. This law clearly defines and demarcates the usage of AI applications based on a risk-based assessment. It clearly categorises what nature of AI models can be used by government agencies, schools, banks, healthcare providers, NBFCs and others.
India: The Sleeping Giant Awakens
India has had the IT Act (2000) for a while now – known as the toothless tiger among most legal eagles. Toothless because it has neither the breadth nor the depth in terms of coverage, and conviction rates are appalling. It has, however, undergone amendments to include cyber-stalking, bullying and sextortion, and the punitive measures have been made harsher.
What it still lacked was a privacy clause, until in 2017 Mr. K.S. Puttaswamy set things straight in the Supreme Court of India, and got a unanimous judgement stating that “The right to privacy is a fundamental right of Indians, and it is safeguarded under Article 21”. This battle was no mean feat for Mr. Puttaswamy, as he had to rely on broken bits of the IT Act (2000) as well as the IPC (1860). Little did he know that his victory would have long-lasting effects, and his case and judgement would be etched in history.
A directive was issued to the Ministry of Electronics & Information Technology (MEITY) to implement an independent law for the enforcement of privacy and protection of the citizens. And seven years later, on August 9, 2023, both the houses passed the Digital Personal Data Protection Act, 2023.
But hang on … There is another unsung hero in the midst here. Based on the directives of the Supreme Court of India, MEITY appointed Retd. Justice B.R. Krishna (Supreme Court), and a team of ten experts under him, to prepare the draft of the bill. Justice Krishna quickly realised that while it is good to seek inspiration from foreign privacy laws, they would be ineffective in a country like India. And ineffective laws are made a mockery of and never adhered to, or people simply find means to bypass them. Therefore, he took a very unique approach to this problem.
The first step was classification of personal data with a clear definition and distinction – (a) Sensitive Personal Data and (b) Critical Personal Data. And thereby clearly stating procedures and processes for collection, usage, transmission and disposal of each data type. Sensitive personal data would qualify as any data used to partially identify an individual, directly or indirectly; such as Name, Address, Age, a recent authenticated photo. Critical personal data would contain attributes such as caste, religion, reservation category, disability, HIV status, sexual orientation, marital status/history, registered phone number(s), account details.
The next step was to finalise the data localisation – it was decided that the critical personal data would remain localised strictly within Indian territorial bounds only. It would never be transmitted overseas under any circumstances. Therefore a new entity entered the picture: “The Data Processor”. The data processor has the full onus of ensuring ... To Be Continued - Stay Tuned !!!