At the IAMAI India Digital Summit yesterday, MP Baijant “Jay” Panda spoke about what he expects from a privacy bill, and his views on Aadhaar. (Sometimes paraphrased) Excerpts from his discussion with Chetan Krishnaswamy, Country Head (Public Policy) of Google India:

On Aadhaar

“I’ve been engaged with Aadhaar for a dozen years, initially asking tough questions to Nandan [Nilekani] and others, and then a proponent of it. We’ve had increasing digitisation and violation of privacy,and so it made sense that I champion privacy. Too often the debate is black or white. Either you’re pro-privacy or pro-aadhaar. In the 21st century, we have to make some concessions, but that should not be wanton or casual, and it should be defined by consent and the law.”

“On the ground, I see the humongous abuse of, say enlisting school children on aadhaar. I’ve been doing a quarterly review, and every review has shown a huge number of fake schools with bills for uniforms, mid day meals [and other entitlements]. Deduplication is what aadhaar does best. Most of which has been claimed as breach is not biometric data but someones aadhaar number has been leaked. We should take, steps like, they go further about making aadhaar more secure. We shouldn’t get cocky that it shouldn’t be breach, but we shouldn’t create a panic situation that it should be done away with.”

On the Srikrishna Committee

“It’s good that we have a public dialogue now. There was no public discussion in case of IT Act and 66A. What is happening with the committee is in line with what I want. That doesn’t mean I’ve made up my mind.

On the current privacy debate

“I was gratified that the SC judgment almost mirrors the stand that I had taken: that we have a right to privacy, and exceptions should be narrowly defined.”

“I’m glad that the discussion is coming to a point that it’s not a binary. Yo can’t have absolute privacy. We have agreed as a society to have body scanning at airports, cctv, facial recognition on our phones. That shouldn’t enable govt and companies to wantonly invade peoples privacy. My focus is on what are the narrow exceptions we should prescribe in the law. The SC has determined 5 different areas. National security shouldn’t be used as an excuse to do surveillance without due cause. Democracies have ways of dealing with it. We should be much more relaxed about metadata being available, whether it is state agencies [who need to monitor criminals] or it is for a google to have predictions about, say crime in a particular city on the weekend. When you look at an individuals data, there have to be strict checks and balances regarding consent that everyone should have to abide by law.”

Judicial oversight?

“Pre Internet, wire tapping required checks and balances. It required a magistrates approval. The same principle should apply. We have many colonial era laws which don’t provide for checks and balances, surveillance authorisations are only in the bureaucratic realm without checks. However surveillance of metadata which doesn’t compromise an individuals privacy should be allowed.”

Flexible regulatory regime or prescriptive?

“We need flexibility. We have 19th century laws on the books today and we have an attitude that if something is on a gazette notification it’s like a tablet handed down from heaven. Technology evolves and we must learn to adapt. Technology can make earlier laws completely redundant. We don’t want the kind of regulations that are enormous documentation that are impossible to implement and squelch innovation. We [as a country] believe in overdoing the prescriptive part of it and under-do the implementation. I would rather that we get to the core principles and put much more emphasis on enforcement. I would like to shift the emphasis on enforcement, and simplify regulation.

Data localisation? Extra-territorial application of law?

“It takes a particular kind of hubris that you can have laws that you can enforce on the rest of the world. The US can do it, because they have global reach. If you extend this argument, there’s an aspect of localisation of data which is relevant to this conversation. I haven’t made up my mind on this yet. I’ve heard advocates for data localisation who want to boost their business, and startups who saw that we need to have data elsewhere. We need a different prism when looking at the startup ecosystem and larger companies and government agencies, based on impact.

Is privacy an elitist concept?

“The fact is that we routinely compromise our privacy for convenience. we give approval for apps we download giving up privacy. We must simplify the process and not require everyone to read a 40 page [notice].Even people in rural India might give up privacy for convenience. Informed consent is an important part of this, but it is not enough. We shouldn’t expect that people who may not be as savvy as the people in this room will read. We should have standards based regulations, so that even is large rural audience can’t ready it, every citizen irrespective of their literacy and privacy should have certain basic rights. They shouldn’t be so extreme that they squelch innovation. We need to find the right balance. We shouldn’t treat privacy as an elitist concept but also not deny ourselves the benefits of innovation and technology.”

What happens to privacy with voice?

“[Voice] breaks the literacy barrier. Even we don’t read the T&C. If everything is voice driven, they can use the services, and it becomes tremendously more relevant, and what should be the obligations of the players is what we need to discuss.”

“In the Hindu [Newspaper] there was a piece that let commercial innovation not take over citizens privacy.”

“I love the Hindu for ethical stands that it takes, [but] they have a certain stand which is very rigid and binary. If we take that rigid a stand, we should not compromise any privacy, we should not have CCTV cameras. Airport security has facial recognition based on internet images to recognise threat. If we don’t agree to give locational data, we can’t use Uber to travel. We can’t take a hard line, and we need defined legally regulated

On Metadata & Ownership of data

“We should not be as rigid as europe is. I have no issue is metadata. I want certain privacy parameters, so that my privacy is compromised. If we have an epidemic like Dengue, we can use data to identify. When individualised data is taken, sometimes it is needed, and it is secured for profiling and marketing. As more rural Indians start using digital payments we have huge risks if we don’t regulate that. If an individuals data is leaked out, it is much more serious

[Resonding to my question of this idea floating around that data is co-created and thus users should have a share of the benefits, and if we have the right to erasure, do we own the data we give?] There’s a thought in country sometimes, and this is unique to India, that if someone becomes a billionaire, we all own a part of his wealth. That’s stretching it a bit too far. Where I do agree with that line of thinking, an individual does has ownership of his or own data, and the manner in which it is profiled. I have it in my private members bill, about ownership. On Metadata: there is individualised metadata as far as individual data goes, and I am in support of giving users control over that.”

On Data portability

“This is a subject I haven’t dwelt enough on and haven’t made up my mind. We should have some rights over our data, but if you’ve done significant work on top of that…I haven’t made up my mind on this yet. Data portability is relevant to the question that Nikhil was asking (about ownership of data). I’m open to listening to counter arguments, but where someone has added value, that should not be portable.”

Regulating Google and Facebook for data collection

“If a service becomes so big that it is like a public utility, regulations can treat them differently from others that are optional. certain services become to ubiquitous, and they should have a higher bar for regulation. you can have a standard of ubiquity where it is difficult to live a life without it. We need to have higher standards for them and greater regulatory rigour.”

Should criminal penalties be introduced for privacy violations? Or penalty levels should be in tune with the size of the company?

“This shouldn’t be a binary. We should discuss it carefully. [At a recent discussion] I was shocked to hear that over 100 criminal cases have been filed on startup founders for minor violations or slip-ups. That’s worrisome and comes in the way of innovation, to throw the book at anyone for any kind of violation. I’m not saying that there shouldn’t be a criminal violation. If someone is violating privacy laws to steal your data, there should be a criminal penalty. That doesn’t mean that you have criminal penalties for any kind of slip ups. In my bill I’ve suggested a graded level of penalties, both civil and criminal. There are certain aspects that could be unintentional or minor, and deserve a slap on the wrist. You should have some civil and some minor and some middling level of penalties depending on the nature.”

Q: We want to built a farmer stack, and the other is getting their consent, because they’re not digital, and things that they might not understand. What’s the balance on getting consent for better solutions, but where the consent becomes difficult. Also the privacy in sharing that data with other providers.

“Consent is a primary requirement but no longer sufficient. We will have to evolve standards as to certain areas where data can be accessed as a legal standard. You should be able to use certain data without compromising privacy. I would imagine that the grouped data is possible but to target an individual farmer, you should have to have a higher standard of consent. We need to have the same set of standards for surveillance and commercial profiling.”