In the implementation of DPDPA in India, “Consent” is an important instrument of establishing the legal basis for processing. Such consent has to be “Purpose Specific”. It is the purpose that also determines “Data Minimization” and “Data Retention Minimisation”.
Against this background, let us look at the needs of the “Data Analytics Industry”, where “Data” is the raw material from which value-added products need to be generated. The very existence of Data Scientists in an organization is for increasing the productivity of available data through research and finding new uses. Even the Business Managers concerned with “Data Governance” would like to get more value out of available data by using data analytics.
Not all “Data Analytics” can be worked on anonymized data since the company would like to apply its learning to its customer set and therefore would like the precise profiling of every one of their customers. The marketing efforts would be unproductive if we do not understand the behaviour of our prospective customers.
Digital Marketing Companies therefore need to develop “Insights” on customers from the data available in transactions, combined with data collected from elsewhere. But this is the classic definition of “Profiling”, which is impossible under the strict interpretation of the Right to Privacy.
The process of analysing personal data to discover uses which were not identified when the data was collected will therefore be a problem the industry has to contend with. One school of thought is that “No Personal Data shall be subject to experimentation of a Data Analyst” without consent. While this is acceptable as a strong Privacy principle, we need to also consider if this will curb innovation and technical progress.
Just as we are trying to recognize the problem of Consent Fatigue with individuals and trying to find a solution through Consent Manager, we need to also recognize that businesses do have a legitimate requirement of customer profiling, behaviour monitoring and monetization of personal data.
We therefore need to consider how to use “Consent” in such a manner that the individual feels that the data fiduciary has been transparent enough for him to give consent for “Discovery of unknown uses” including “Profiling” and “Monetization”.
One way by which this “Consent” can be made acceptable is to introduce the system of “Witnessed Consent”.
Currently we bring in parental consent for minors because we feel that the minor is not capable of taking a decision. In Medical circles, it is common for doctors to take the consent witnessed by relatives when a surgery is performed or when drug research is permitted.
Similarly, we need to have a system of “Witnessed Consent” where certain uses can be subjected to the witness of another adult so that the person providing consent is not misled or cheated. As long as a person is willing to submit himself to profiling and monetization of his personal data, it should be a “Right of Choice”.
There is a view that a Constitutional Right cannot be overridden by a contract and hence the Right to Privacy cannot be overwritten by consent.
I would like to challenge this principle.
The world is today discussing Euthanasia, the Right to end one’s life by choice. In such a context, there is a case for a data principal to expect a right to submit himself to profiling or monetization without affecting the constitutional right as long as precautions are taken to get the consent witnessed suitably so that he is not “Cheated”.
The DPDPA Rules should therefore suggest a process of “Witnessed Consent” to be used for “Discovery of Purpose” as well as “Profiling” and “Monetization” purposes and set processes of how such consents can be provided and by whom.
This is the “Shaping the Future” debate and therefore established principles need to be questioned and solutions found.
Comments are welcome…
Naavi