Wednesday, April 12, 2017

Emerging themes around privacy and data protection

Issues of data protection and privacy have become the subject of intense discussion and debate, in India as in the rest of the world. In this post, we identify certain key themes that arise in the context of these issues, that can augment our understanding of privacy and data protection and help towards forging safeguards in the form of a privacy law. Many of these were discussed recently at a round table organised at NIPFP on 24th March 2017. The key themes that emerged are summarised below.

What do we understand by privacy?

The term privacy has many connotations, takes different forms in different contexts and is viewed differently depending on the individuals own subjectivity. Defining it has been a challenge, with many scholars leaning towards more conceptual, and less rigid formulations. In philosophical debates, privacy can be characterised in terms of defining a sphere of private life that is separate from political activity and government interference. The sociological argument traces its roots in the fundamental haracteristics of social life - social context determines what is considered private in different circumstances.

Others, like Solove 2006), however, move away from these conceptual discussions to identify specific privacy harms that have been recognised by society. His taxonomy of privacy encompasses four aspects - first, information collection (through surveillance and interrogation); second, information processing (through aggregation, identification etc.); third, information dissemination (through disclosure, exposure, breach of confidentiality etc.); and fourth, invasion (through intrusion and decisional interference).

Taking a slightly broader view, Calo (2011) speaks about privacy through the boundaries of subjective and objective harms. A subjective harm is internal to the person harmed, and is caused by unwanted observation. This encompasses, for instance, the knowledge or perception that some negative information about oneself is out there, which leads to distress and anxiety. Conversely, objective harm is external to the person harmed, when coerced or unanticipated information about oneself is used by other persons. Understanding of the potential harms is extremely important for the design of a policy response.

Another debate that emerges is whether privacy should be viewed as a right, an interest, or a property? Interestingly, the early parameters of what is now regarded as privacy evolved in the context of property rights. In 1890 Warren and Brandeis argued in a seminal paper that the right to privacy goes much beyond the concept of personal property rights, and must be recognised as such (to include for instance, the principle of an inviolate personality). By now most countries view privacy through a rights lens, because property, by its very nature, once bought, can be destroyed, transacted, and shared without the consent of the original owner. The economic dimensions of private data in the digital age have, however, once again triggered these rights versus property debates focused around the concept of "propertarian privacy".

Discussions on privacy also raise the question of privacy from whom. Traditionally, privacy was viewed in the context of the surveillance and law enforcement powers of the State. However, with the rise in big data and the explosion of social media, we now have to think of privacy from private actors as well, whether in the context of data mining, data retention, or data sharing arrangements. Surveillance, in this context, includes what Roger Clarke terms dataveillance - systematic monitoring of actions or communications using information technology.

Do people in India really value privacy?

While a lot has been written about the value of privacy (for example, Westin (1968)), it is often argued that people do not really know how to gauge the value of their own privacy. Many view the debates on privacy protection as the privilege of the elite who do not have to worry about accessing basic services, or as refuge for those who have "something to hide".

It is, however, important to remember that privacy is context specific. It is not always about what one may have to hide, but also what one may have to lose. These considerations vary across class, gender, caste, age and are often be different for different intersections of these categories. For each person, there are aspects of their life that are "personal", that they do not wish to be revealed to the public at large- and the control over which is integral to their sense of autonomy. In the digital context, the oft-heard lament is that privacy does not seem to be valued enough perhaps because people either don't know or feel ambivalent about how much data they are sharing (unwittingly), to which entities and the picture of themselves that their data is able to generate to these entities.

For awareness to be effective it must move from the risks to the harm. Sunil Abraham offers a useful analogy of tobacco use. Most smokers are well aware of the risks of smoking, but do not bother to stop, until they face a health crisis. Similarly, most people, while well aware of the privacy risks associated with their activities, for instance careless use of social media, do not take any remedial action until and unless they face a data breach. Therefore, just as health policy workers have tried to change the attitudes of smokers by scaring them through the inclusion of graphic images on the cigarette packs, it might be useful to alert people to the harms caused by the loss of privacy.

"Privacy by design" holds important lessons

The principles of Privacy by Design (PBD) developed by Ann Cavoukian are worth emphasising. The approach highlights that measures to protect privacy should be proactive and preventive, and not remedial. Privacy should be the default setting, embedded into design of technologies and services.
This overcomes many of the problems associated with choice/consent based regimes although adoption still depends on voluntary buy-in from businesses and users. So far, businesses in India are said to find an unwillingness among users to pay for privacy. For this reason, most privacy-enhancing technologies (PET) based solutions are B2B rather than B2C, and even these are far and few. We, in India, need to think of innovative ways to bring about a regime of data protection. A law on the subject and privacy-enhancing design elements are both part of the solution.

Issues of surveillance

Perhaps the most contentious of all issues is the one on where to draw the line between privacy and security, which often requires the use of various surveillance tools by the state. The PBD framework calls for "full functionality" in this context, i.e. it seeks to accommodate all legitimate interests in a positive-sum manner. Instead of a dated zero-sum approach with unnecessary trade offs of privacy vs. security, PBD says that it is possible, and far more desirable, to have both.

Yet, in reality there remains no consensus on a) the extent to which the state is engaging in surveillance, b) the extent to which Aadhaar and other big data techniques are being deployed, and c) the relationship between national security and privacy (is balance the appropriate metaphor? what is the trade-off, if any).

The State claims that surveillance fears are misguided and overstated, while civil society argues that surveillance is broad based, and inadequate checks and balances leave citizens vulnerable. Given that both national security and privacy remain nebulous terms, there is no clarity on when one gives way to the other, and it is undeniably the rhetoric of national security that invariably overwhelms privacy.

This issue requires unpacking and principles-based resolution as unchecked intrusions by the State can damage the very essence of what it means to be a liberal democracy.

Problems of Aadhaar

Given the pervasiveness of Aadhaar in our lives today, a debate on data protection cannot be complete without evaluating the legal framework surrounding it. The current legal framework of Aadhaar is weak. The Act delegates a number of core functions to be specified by the regulations, and these regulations further defer these functions as matters 'to be specified' by the UIDAI in some undefined future. This suggests that Aadhaar is currently functioning in some sort of a legal vacuum in terms of the nuts and bolts of important issues such as enrollment, storage, and sharing of data.

The regulations that have been issued by UIDAI did not go though a rigorous consultative process - both while preparing the draft, and in seeking comments from the public. The UIDAI should voluntarily opt for greater transparency on issues that have implications for privacy and data protection.

There is a case for a horizontal law

In India, the Supreme Court is yet to decide, what was until recently regarded a settled position - whether the right to privacy constitutes a fundamental right under Part III of our Constitution. While this is being debated, we have sector specific frameworks, like Section 43A of the IT Act, for protection of personal information and data security. More recently, the Ministry of Electronics and Information Technology (MeitY) has released the draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017 for public comments.

The draft rules aim to ensure the integrity, security and confidentiality of electronic payments through prepaid instruments, although amid concerns over the scope of the draft rules, MeitY's jurisdiction, and overlaps and conflicts with existing laws. Several other regulators such as the RBI, telecom authorities and health departments also have, or are in the process of developing, privacy/data protection norms pertaining to their jurisdictions.

These are all notable moves, but in the absence of a horizontal law, they will lead to the development of certain pockets of protection in certain sectors, while many other facets of private data will remain unprotected. Another concern is that the current legal framework does not hold meta data to the same standards as data in privacy and data protection debates.

There is a case for a comprehensive, principles-based, horizontal privacy law with basic minimum standards of privacy. These standards can then be tuned further to meet the requirements of different sectors. Thus, regardless of whether the Supreme Court of India considers privacy as a fundamental right, the State must define the circumstances in which it, as well as other private sector entities, may intervene with an individual's rights. Work on the draft privacy bill which began a few years back needs to be pursued with haste.

This post is co-authored with Vrinda Bhandari, Amba Kak and Smriti Parsheera. It first appeared on Ajay Shah's blog on 12th April, 2017.

Tuesday, April 11, 2017

Budgeting for the police

Higher allocations by themselves are not enough, the structure of budgetary allocations can have an impact on police performance

As the law enforcement agency of the government and the first point of contact in the criminal justice system, the police is critical for sound law and order, and a good quality of life. There is perceptible dissatisfaction with policing in India today. It is often argued that poor resourcing is part of the problem, and that the police require a higher quantum of budgetary allocations.

While the police need to be well-resourced, higher allocations by themselves are not enough. The structure of budgetary allocations can have a disproportionate impact on the operations of the department, and consequently on police performance. It is, therefore, useful to analyse how police departments structure their budgets, and the manner in which the budgetary allocations are actually spent.

Our first example is that of Maharashtra Police. The data on budgets was collected from the Budget Estimation, Allocation and Monitoring System (BEAMS) of the department of finance under the government of Maharashtra. Our analysis suggests that budget outlays for the police only meet the establishment cost. Salary is the main component of budget, consuming almost 90% of the total allocation. The residual amount covers costs of domestic travel, maintenance of motor vehicles and petrol cost. Budgets, as they stand, barely allocate funds for operational expenses of running police stations, or maintenance costs for computer systems, arms and ammunition.

The analysis suggests that police budgets have focused solely on manpower. On an annual basis, budgets do not have allocations towards capacity building, and are not structured to achieve desired outcomes. The police also suffers from inadequate expenditure management. Expenses on items other than salary are not monitored frequently enough. Maharashtra Police recently launched an internal intelligence tool to monitor expenditure. The tool will track fund allocation and utilization across all units, i.e. districts, ranges and commissionerate under Maharashtra Police. The intelligence tool will also provide comparative metrics like expenditure per crime, per police station and per employee. While this is a step in the right direction and should be replicated by other states, its effects remain to be seen.

Our next example is that of spending on the modernization of police through grants. In the year 2000, an assessment of police infrastructure deficiency by the Bureau of Police Research and Development (BPR&D), a federal agency under the ministry of home affairs, estimated that Rs30,000 crore was needed over 10 years to fill the identified gaps in infrastructure.

Notably, the Modernisation of Police Forces Scheme to fund deficiency in state police infrastructure has been in existence since 1969-70, the cost of which is shared by the Centre and states. Annual allocations to this fund were raised substantially, following the BPR&D study. Since 2000, the focus has been to build secure police stations, increase the supply of police housing, improve forensic laboratory, equipment, training infrastructure, communication systems and mobility of the police force.

The scheme has had limited success. An impact evaluation of the scheme, conducted by consultants EY, for BPR&D in 2010, acknowledged the positive impact of the scheme, but stated that it “has been able to fill very limited gaps compared to the actual requirements of the police forces”. The assessment also pointed to inadequate training and lack of funds for repair and maintenance of assets created under the scheme. Despite the short supply of resources, the study found under-utilization of funds as a result of delays in release of funds and cumbersome asset-procurement processes.

The two examples demonstrate different problems with police budgets. Either funds are spent entirely on salaries, with little left for capacity building, or are underutilized even though they are not enough to begin with. As with any budget, police budgets too need to be tied to outcomes. Broadly, the desired outcomes of policing are 1) safety and security of citizens; 2) collection of intelligence; 3) investigation of crime; and 4) sound public order. In the current form, budgets only fund salaries, and thus are not fully aligned to create conditions conducive for outcomes.

First and foremost, aligning budgets to these outcomes will require outlays to fully cover the office or operating expenses of the police station. It is estimated that office or operation costs for running a police station in an urban area are around Rs5–6 lakh per year, while the figure for rural areas is between Rs4-5 lakh per year. This cost estimate covers expenses on any item of miscellaneous nature, such as stationery, translations, etc., while performing police duty.

The second input to achieve these outcomes is to build capacity within the police. This may be through focused training to keep pace with the changing nature of crime and prevention techniques, or the creation of IT infrastructure for tracking cases to tackle delays due to mounting pendency. It will also require investment in management techniques, soft skills, new technology, and building of databases to allow for seamless access to information, among other heads.
A dynamic process of evaluating the needs of effective policing, and aligning the budgets accordingly is an important step towards achieving a well-functioning police.

(This post is co-authored with Neha Sinha. If first appeared on Mint, 11 April, 2017.)

Why Rajasthan government’s decision to return to old pension scheme is a fiscal disaster

 by Rajiv Mehrishi and Renuka Sane We wrote in the Indian Express about the Rajasthan government decision to revert back to the Old Pension...