Architecture for privacy
Red Book
Red Book

Pre-cum-Mains GS Foundation Program for UPSC 2026 | Starting from 5th Dec. 2024 Click Here for more information

Architecture for privacy

Context: Privacy protection

Data protection requires a strong regulatory framework with a hierarchy of regulators to protect basic rights

Fear of Digitization: Mass surveillance

  • Databases linked by unique identities can possibly create an infrastructure for totalitarian observation of citizens’ activities across different domains
  • The mere existence of such infrastructure, if unrestricted, can potentially disturb the balance of power between the citizens and the state, stifle dissent and be a threat to civil liberty and democracy

Data misuse

  • Not only can personal information leach out and be used by unpredictable entities in unpredictable ways, but one can also be mis-profiled, wrongly assessed or even influenced using out-of-context data, without being able to control such actions or sometimes even being aware of them
  • Exclusions and denials because of poorly thought out use cases, like perhaps because fingerprints do not match, are more direct violations.

What India needs to do?

  • We should have stricter provisions than the sector-specific standards in the US
  • India should ideally have a more innovation-friendly setup than what the European General Data Protection Regulation (GDPR) can offer, which perhaps is unduly restrictive but is unlikely to be commensurately effective
  • Our designs need to be especially sensitive to our large under-privileged population, which may not have the necessary cultural capital to deal with overly complex digital setups
  • Not only do the data regulators require independent authority, but they also need to actively participate in the data protection architecture
  • Apart from determining the fairness of algorithms and use cases, they need to play two other main roles
  • The first should be to determine, and explicitly list out, authorisations for data access for various data processing functions based on a rights-based principle in addition to consent
  • Purpose limitation needs to be built into such authorisations, and all-purpose extension requirements must be explicitly considered
  • The second role should be to ensure that data can be accessed only through audited, pre-approved and digitally signed computer programs after online authentication and verification of the authorisations presented
  • Both the data regulator and the data controller should maintain non-repudiable logs of all data accesses, and neither should be able to access the data independent of the other 

Conclusion

The technology to support such regulatory functions exists, what is necessary now is an effective and rights-based data protection law, and the will to build the required regulatory capacity 


Discover more from Free UPSC IAS Preparation For Aspirants

Subscribe to get the latest posts sent to your email.

Print Friendly and PDF
Blog
Academy
Community