[dropcap]T[/dropcap]HE term “ides of March” symbolise an uncertain bad event though originally it meant the 15thday of the Roman Calendar. It was used by Shakespeare to mark the day Julius Caesar was assassinated by members of the Roman Senate. A soothsayer, or psychic, cautioned Caesar to beware the day, but Caesar paid no heed. March 2019 had two “ideas” over privacy within its “ides”: Mark Zuckerberg presenting “A Privacy-Focused Vision for Social Networking” and India with “The Aadhaar and Other Laws (Amendment) Ordinance, 2019.” The prime focus of this debate and contention is the commercial shadow attached to both these “ideas”.
In the last half a decade, there has been growing awareness for personal privacy and data protection. Data is the new oil and people around the world want to make the flow of data voluntary and consent-based. The Cambridge Analytica controversy over Facebook (FB) and the Supreme Court decision on Aadhar have made the balance of privacy tilt in favour of protectionists. The onus was on Facebook and UIDAI to come forward with a position of dilution and improvise the ever-shifting public perception.
Facebook’s future of privacy
Zuckerberg in a note published on March 7, 2019, gave a four-point agenda to the future of privacy on Facebook: (i)all the FB related activities will be made end-to-end encrypted. This will imply that no third-party including FB can have access to our messages sent via messenger. (ii) all the posts by default will be “ephemeral” and will get deleted automatically after a certain time unless specified otherwise. This is to eliminate the problem of permanence. (iii) Zuckerberg aims to provide choice to people and thus connect all the platforms he owns: Messenger (FB), WhatsApp and Direct (Instagram). This is called “interoperability” i.e., the ability to operate on interconnected platforms. (iv) secured data storage whereby FB will shift its servers from “countries that have a track record of violating human rights like privacy or freedom of expression”. The ultimate aim attached to this fourth limb is no storage of data as WhatsApp does. (It does not store any encryption keys)
But is this all as perfect as it sounds? In a clarification, Zuckerberg said his focus, for now, was on the private side of his social media services viz, Messenger, stories and small groups perhaps because he sees faster growth here and the incumbent policy is more centred on it.
Facebook is still a data mine when it comes to public information and there is no new protection policy for news platforms or online communities sharing their information publicly. Further, there is a lot of fuss around the issue of interconnecting different social media platforms as it can risk profiling by interconnecting users’ otherwise private messages. In such situation encryption of data becomes indispensable and the strong onus lies on Data Fiduciaries to protect the same. Much ambiguity exists on the revenue model Facebook will be using if these policy goals are implemented and unless that is made clear, scepticism will persist on the pragmatism of this new privacy approach.
Aadhar and the new offline verification seeking an entity
Meanwhile, in India, the Union Cabinet cleared the Aadhaar Ordinance and was signed by the President on March 2, 2019. The original Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016vide Section 57 allowed any “body corporate” to use Aadhaar for any purpose allowed by law. This acted as the gateway for private companies to access Aadhar information through KYC (Know Your Customer). Taking cognisance of the exploitative potential of such a law, the Supreme Court in Justice K.S. Puttaswamy (Retd.) and another v Union of India and others held this section as unconstitutional. The majority held that section 57 did not “pass the muster of proportionality doctrine” and was “susceptible to misuse.”The ordinance repeals Section 57 and brings in a new definition of the “Aadhaar ecosystem” under Section 2(aa). This ecosystem includes requesting entities and offline verification seeking entities, thus bringing in the body corporate back into the Aadhaar system. The definition of the offline verification seeking entity is vague and broad to include any legal personality in this domain:
2(pb) “offline verification-seeking entity” means any entity desirous of undertaking offline verification of an Aadhar number holder
This offline verification is not to be confused with personal visits to customers for verification but rather using the system provided by UIDAI on its website called Aadhaar Paperless Offline e-KYC. The same is availed by companies to perform KYC now and is completely within the ambit of the law. The ordinance though provides for certain protection measures like voluntary use, consent-based approach or no collection, use or store of Aadhaar number or biometric information but cannot be termed foolproof as corporates can again access the information and potentially profile customers. The essence and intent of the ordinance are apparently questionable for firstly, it overrules the apex court judgment and secondly, takes the executive mode of lawmaking. If any law required much debate and discussion from Parliament, the incumbent ordinance was the one. The ordinance will stay in force for the next six months and will be subject to ratification of Parliament post-election only.
All in all, with these two major developments happening around the issue of privacy and data protection, it can be inferred that neither social media nor the government is ready to let go of the commercial aspect of data.
