Privacy is a concept of “Right” of an individual in a democratic society that respects Civil Rights. It is considered as a “Right” to be “Left Alone”. “Privacy Right” is closely related to “Right or Freedom of Expression”. Freedom of expression of one person may interfere with the Right to Privacy of another individual and hence it needs to be understood that the “Right to Privacy” is not “absolute” and is always subject to “Reasonable restrictions”.
The Security requirements of the society some times dictate the subordination of Privacy Rights of individual Citizens to the security needs of the society and the nation and this debate of Privacy Vs Security dominates any legislatory support that Privacy protection demands.
It is this clash of interest that lead to the breaking of the “Safe Harbor” arrangement and its replacement with the Privacy Shield regime. This is one of the reasons why India still does not have a specific law on Privacy and has to make good with whatever is interpreted as Constitutional right and whatever is provided under Information Technology Act 2000 as amended in 2008 (ITA2000/8) for Privacy related data in electronic form.
When we try to identify the stakeholders in a Privacy debate, two prominent camps emerge.
One is the camp of the “Privacy Activists” who fight for the rights of citizens and try to protect their rights against being infringed by either the Government or the business. This camp mainly comes from the legal fraternity.
The second camp is that of the “Privacy Practitioners” who work in the Commercial organizations and try to comply with the legal provisions pertaining to Privacy. The Privacy Practitioners are some times collectively represented by their industry associations. They are typically the IT professionals who have strayed into the Privacy regime through “Data Protection” and “Information Security” responsibilities.
Citizen is at the center of focus for the Privacy Activist. But for the Privacy professional, the center of focus is “Personal Data” and not the “Citizen”. Unless we understand and appreciate this difference, the two camps cannot appreciate each other’s stand and live together in harmony.
The “Regulators” try to frame laws, monitor, adjudicate infringement, enforce compliance etc. and some times are seen more to favour one camp or the other. Judiciary is no better as some times they take the side of the citizens and some times the side of the business. Often both the regulators and judiciary donot know exactly whether their stand is pro-people or pro-industry. Advocates can easily argue on both sides and have no issue. The Police proceed on their own interpretation of law and expect that their mistakes if any will be corrected by the judicial process.
As a result of the presence of multiple stakeholders with differing objectives, there is always confusion and disharmony in the domain of Privacy and this stares across the face of people like the undersigned who as “Techno Legal Consultants with an Activist bent of mind”, try to work with both lawyers and citizens on the one hand and industry professionals and the industry on the other hand.
Since I am not a traditional lawyer who is happy to don different hats at different times, I try to work in the difficult domain of trying to negotiate a collaboration of the Privacy Activists and Privacy Professionals. This requires the intervention of the regulators and law makers in the form of a fair regulation being drafted and implemented. What Naavi would like to do is to catalyze the process of building a harmonious relationship between Personal Data owners (Citizens) at one end and Personal Data Consumers (Business and Government) at the other end, operating through the prism of Privacy Activists and Privacy Professionals.
Privacy Knowledge Center represents an attempt to fill up this space where an attempt can be made to present a platform where different stakeholders of the Privacy Eco System can come together, understand each other and learn to live together without conflict.
Distinct from the three entities in the Privacy eco-system, namely the Privacy Activists, Privacy Professionals and Regulators. there exists the intermediaries such as Naavi, Naavi.org and services such as Ceac.in, odrglobal.in, cyber-notice.in, e-ombudsman.in, CLCC etc which consists of people, organizations and services which provide education, guidance, and services for assisting the Citizens, Privacy Activists and Privacy Professionals.
Now Privacy Knowledge Center joins as the nodal establishment that can coordinate all activities related to compliance of Privacy Regulations.
Presently Naavi.org has already been representing the Citizen’s and Privacy Activists to a certain extent. One of the key thoughts that Naavi projected was the concept of “Regulated Anonymity” which is often referred to in a lesser version in the name of “Pseudonomous Identity” in the industry. The days of “Regulated Anonymity” as conceived by me may be some where ahead in time and it may be more practical for the time being to focus on the concepts of de-identification or pseudonomity in a limited environment.
After the recent thrust given to Aadhaar, it appears that certain developments in privacy place in India has already froze the situation and we cannot reverse the time back. Privacy information which has been linked to Aadhaar including the mobile numbers which are one of the biggest repositories of private information in India has already been substantially compromised. This generation of citizens of India therefore will not be able to fully get back their privacy without reinventing their physical identity different from the current identity linked to Aadhaar and the current mobile numbers.
However, as a new generation of privacy conscious persons come in there is still a possibility that “Privacy” may be protected for them. This part of the activity will be the responsibility of the Privacy activists and Naavi.org will continue to support such privacy initiatives.
On the other hand, this new initiative of Privacy Knowledge Center was motivated by the frequent interactions that Naavi has with the IT industry since as a Techno Legal Consultant and Cyber Dispute Management consultant he operates in the overlapping field where Privacy Activists and Privacy Practitioners often clash with their differing end objectives of their activity.
While the Privacy activist tries to enforce the “Privacy Right” of an individual against the Government and the Business, the privacy activists working within the industry environments such as the Googles, Facebooks, WhatsApps, Flipkarts etc focus on how to harness the data of their customers for betterment of their business prospects. A whole new industry of “Big Data” is waiting on the wings to compromise the Privacy of the general population along with the IOT population for the general good of the community in the commercial perspective.
The Government of India promoting Aadhaar has also taken a stand similar to the Business as they find that Aadhaar has more benefits for managing the efficiency of e-Governance in projects such as distribution of Government subsidies to avoid duplication and for greater Cyber Security requirements. Naavi has often highlighted that Privacy activists should not confront the Security requirements since “Privacy Right” exists only if people exist and “Security of existence” is under threat unless we give primacy to Security in a Privacy Vs Security debate.
People who work in the intermediary domain where they encounter both the Citizen’s interest and Corporate interests often confront a situation where both the opposing parties have a case and neither is wrong. There may not even be a win-win solution for the problem. There is only a “Compromise Formula” to which both should willingly agree and abide.
It is in this context that “Compliance” to “Fair Regulatory Practice” is the middle path which both the Privacy Activists and the Privacy Practitioners need to work for. It is of course the responsibility of the “Regulators” to work with both Privacy Practitioners and the Privacy Practitioners to arrive at a regulation which is “Fair” and not skewed to either the Privacy activists harming business interests nor that of the Privacy Practitioners which could harm the basic privacy objectives of a democratic society.
Privacy Knowledge Center therefore brings a focus on the global Privacy Compliance Regime and will discuss the regulatory mechanisms that are being presented by different authorities in the form of ITA 2008 in India, the GDPR in EU, the EU-US privacy shield mechanisms, as well as the other frameworks. There will be various regulators in these different regimes who may or may not frame regulations fairly or may or may not implement them fairly and in the process bring disrepute to the regulation and cause disharmony in the community.
The chief objective of this Privacy Knowledge Center will therefore be to evolve as a platform where all the stakeholders of Privacy Regulation regime share their thoughts and how it plays out in theory and practice so that the community tries to maintain harmony without hactivists and tough regulators trying to fight out and destroy each other.
Naavi.org was born in 1998 with the mission “Let’s Build a Responsible Cyber Society” and has been continuing this objective till date. I feel that “Privacy Knowledge Center” will continue this objective of “Building a Responsible Cyber Society” by trying to establish harmony in the Privacy implementation space.
The mission objective therefore is considered as “Towards Building and Maintain harmony in Privacy Space”. The tag line adopted is therefore “Building Harmony in Privacy Space”. Achieving “Compliance” to the existing regulations assuming they are “Fair” is therefore one of the focus areas of this exercise and hence this site will try to address the needs of collating the multiple views and regulations that may be overlapping and confusing in implementation, in one single platform.
Obviously, at some point of time there will be a debate on whether a regulation is fair or not and hopefully such discussions will be taken in good spirit by the regulators who can bring in changes and modifications to the regulations to improve compliance.
I am placing these views before the community and invite comments and suggestions. It is my desire that soon this site will evolve as a “Portal” with contributions from many professionals. The present status of a blog is therefore transitory and hence I seek the participation of the community including Privacy Activists, Privacy Practitioners, Regulators and Citizens to contribute their views and make this content rich and useful.
Naavi