Privacy Infringement through Automated Data Processing

Privacy infringement through automated data processing

Data is processed each single moment of a person’s life. Even before he starts making sense of the world around him, he is assigned a name by the proximate lovers, which is followed by numerous other names as per the convenience and personal preferences of the extended lovers. Some jilted lovers also assign obnoxious names like Pappu and Feku. For the majority, all names but one vanish into obscurity along with the lovers. But, of course, now with the advent of advanced technology, Facebooks and Twitters can archive these names into the eternal cloud accessible with a click of the mouse. So, the name “Taimur”, which might just have been an act of indiscretion, gets carved on stone. References are made, memes are created, jokes are cracked, media reports are filed, trolls are let loose, and a public personality is triggered off. By the time a child becomes an adult, he is already a strong public personality with a religion, an ideology, a race, a caste, a class, a sexual orientation, an education, etc. Private personality is a myth. A person is private only inside the womb of his mother that too if the sex determination test hasn’t been carried out — of course, a person can stump the world by choosing his sexual orientation followed by changing his sex, but that’s rare.

Now with advanced technology, all the above data processing has become automated; therefore, much more can be processed and compared. COMPARED! That’s the problem kid. It hardly matters how much she may know about me if I am the only one. But she has plenty of options, and, with advanced technology, she can possibly get access to each single vital of each single one of us, including what bet we made on her. Well…since she has access to so much data, she outsources some of her work to the computer. Yet she finds the results thrown by the computer are too overwhelming for her cute mind to make any sense out of it. So, she allows the computer to take over her intelligence through its “artificial intelligence”. And this is troubling! This is troubling because I have not even met her once and she has already decided that I am her true lover, for her intelligent computer informed her that I wept a lot when I lost the 2000 Rs bet, which I did because that was my first 2000 Rs note during the de-monetisation era — thankfully, since there was a cap on the marriage expense, we couldn’t marry. The above data processing was a deep intrusion into my mind without my permission and thus privacy infringement, and it deprived me of my Free Will. Needless to say, this was also an attack on my reputation and thus privacy, for I don’t weep for girls.

This is precisely what data processing and artificial intelligence can do to a person. As I said, every individual is a public personality, some little less and some little more. And why shouldn’t they be! Man is a social animal and has every right to present himself as a public personality. The problem arises when he is judged wrongly or unwarrantedly, and the wrong judgment is passed onto others through FB, Twitter, WhatsApp, and whatever else. Since not everybody has access to the sophisticated technology, the have-nots blindly believe in the “artificial intelligence” of the computer “God” passed onto them through the agents comprising controllers, processors, transmitters, users, et al, who might also be adding their own gloss as per their own convenience.  And once the “Gods” have ordained true love on a girl, no other girl dare challenge the decision, but who me who is deprived of his opportunities to love, courtesy Modi and his de-monetisation exercise — Does it make any sense? In fact, the man becomes the slave of the “artificial intelligence” of the computer “God”. Ironically, Upanishads, which deny the identity of individuals, are vindicated through technology. Why does it look like a very big conspiracy to me!

European Union has tried challenging this conspiracy. I tried reading the EU regulations on data protection, which will come into force from May 2018. But let me state at the outset it is an extremely lengthy legal document running into 80+ pages, of which the first thirty pages are just introductory clauses. And I have not perused it comprehensively and diligently enough. Nevertheless, I have got the gist of the regulations. The basic aim of the regulations is to provide for responsible controllers, who should ensure the protection of data of the natural persons during its processing. It touches upon very many aspects of data processing, but in the limited scope of this article, I am only interested in gauging how the EU plans to checkmate the conspiracy. In the above context, the relevant portions of the regulations are Articles 22 and 9, which are reproduced below:

Article 22
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) is based on the data subject’s explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

(Emphasis Supplied)

 

Article 9
Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be propor tionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

(Emphasis Supplied)

Article 22(1) clearly bars decisions based entirely on automated data processing, including profiling. Three exceptions are contract, legislation, and explicit consent. However, the exceptions won’t apply if the decision concerns “[p]rocessing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” However, there are exceptions to this also, which are explicit consent and public interest.

From the above, it is clear that the EU has tried to checkmate the conspiracy by not allowing any decision based on automated data processing. The EU regulations apply to “private persons” as well. Therefore, it seems an exception of private contract and explicit consent has been carved out, for the government can always frame and force law. But wouldn’t the government do it in any case in the era of Crony Capitalism! Of course, they would, and the EU regulations, in fact, provides for such a possibility by making the law/legislation also an exception. However, the exceptions are made inapplicable in certain categories of processing, which include processing of biometric data for uniquely identifying a person. In other words, processing of biometric data for uniquely identifying a person just can’t be done, leave aside making a decision on the basis of such identification –this is very relevant in the context of the Aadhaar debate. But exceptions would be applicable if there is explicit consent or public interest (as laid down in a law/legislation).

From the above, it is pretty much clear that the EU won’t help an individual who is himself yeilding to the conspiracy, or, in other words, if he is a “Bhakt“. But the EU also won’t help if the Parliament passes the law, even then when some conspirators would take over the Parliament and pass the law making processing of prohibited classified data, including biometric data, valid in public interest. Interestingly, the Aadhaar Act, does precisely this: Section 7 of the Act provides for processing of the biometric data for identification of individuals for availing services. There is a debate whether section 7 is mandatory or voluntary. The SC in its recent Aadhaar-Pan judgment has left it unanswered. Nevertheless, the SC  in the same judgment has upheld the mandatory provisioning of Aadhaar u/s 139AA of the Income Tax Act, albeit without looking into the issue of privacy. My worry is that I have no knowledge of the conspirators though I have indeed identified the parliamentarians who passed the Aadhaar Act. In any case, it doesn’t look like the EU regulation can work in India because here the “Bhakts” have multiplied like virus making Anti-Vegiterarianism, Love-Jehad, Romeo-Squads, Anti-Pak Sloganeering, National Anthem in Cinemas, and even Trolling on Twitter, the matters of public interest. Compared to them, Aadhaar looks like a cute baby deserving the love and attention not only of the “Bhakts” but also of the liberals, in public interest of course.

I am back to the square one. If it was just about finding true love, I would have accepted the conspiracy — for, at the end of the day, all love is true. But this automated processing of data can make wrong judgments also about my character, my financial status, my intelligence, my skills, my wealth, my social status, my ambitions, my career prospects, my sleeping habits, my preferred hair style, my favorite books/movies/songs, and what not. And then I can be profiled into a category and consigned to a pigeonhole with no opportunities to innovate. If I am lucky there wouldn’t be enough abberations in the judgments of the “Gods” (who would now also include some privileged men, for as per the Hindu religion, “God” manifests himself in human forms) and I would adjust in my pigeonhole. But if I am unlucky — which I always am — I would become a living dead body awaiting real death in the pigeonhole, whose walls, unlike the mother’s womb, are made up of heavy duty steel.

 

 

About the Author

Ankur Mutreja
Ankur Mutreja is an advocate-cum-writer, and his blogs are amongst his modes of expression. He has also authored six books: "Kerala Hugged"; "Light: Philosophy"; "Flare: Opinions"; "Sparks: Satire and Reviews"; "Writings @ Ankur Mutreja"; and "Nine Poems"; which can be downloaded free from the links on the top menu.

Be the first to comment on "Privacy Infringement through Automated Data Processing"

Trolls Welcomed :-)

%d bloggers like this: