“Our data and our body are so intimately interwoven that what we call our virtual bodies and our physical bodies, the line that is supposedly dividing these two becomes irrelevant, even if you can argue that maybe it exists,” Dr. Anja Kovacs said during the inaugural session of PrivacyNama 2021, a global conference on privacy regulations held by MediaNama on October 6 and 7. The session was focused on the use of biometric technology like facial recognition, thermal scanning, fingerprint scanning, etc., and what it takes to govern them.
Beni Chugh of Dvara Research, Director of the Internet Democracy Project Dr. Anja Kovacs, Executive Director of the Centre for Internet and Society Amber Sinha, Executive Director at the Centre for Communication Governance Jhalak Kakkar, and professor at Monash University Mark Andrejevic in a discussion moderated by Nehaa Chaudhari, a partner at Ikigai Law, spoke about the obstacles to effective regulation of biometric tech and data collection in India, such as:
Lack of incentives for clear privacy policies
Ambiguous legal standing leaves room for SOPs
Referring to the ambiguity around the legal standing of any biometric-based technology deployed by the government, Jhalak Kakkar said, “Typically these kind of technologies in the Indian context have certainly worked on SOPs which are not even usually in the public domain and I think another first thing I really liked to see is actually legislation that is in the public domain to which I can hold the government accountable…”
Kakkar further said that she would want them to disclose information on the storage processes used by such a system, the duration the data is retained, processing it is subject to, how it is being shared, etc. She also asked for more disclosures around the procurement of such technology as well.
Stakeholders not being given enough chances to submit feedback
“I would really wonder if civil society and interested stakeholders are going to have a chance to really come to the table and give their perspective and push back against some of the thinking that may emerge in a new version of the bill…” Kakkar said, about India’s Personal Data Protection Bill which was first introduced in 2019 and is currently under consideration by a Joint Parliamentary Committee. Later, Sinha also expressed his reservations about the draft of the bill saying, “Essentially what the draft does is it takes power away from the private sector and gives it to the government – that needs to change.”
Lack of will to ensure compliance with Puttaswamy judgement
While talking about the landmark Puttaswamy judgement being violated by the government with no consequences due to minimal judicial review and legislative oversight, Sinha said, “We are certainly in a position where we have truly a epochal judgment and fairly well-established judicial standard that is not really being followed.” He further said that there isn’t any political will and power with other stakeholders to address this non-compliance as well.
Varying interpretations of Puttaswamy judgement
“I do think where I see the whole confusion coming from is the early interpretation of Puttaswamy itself, the privacy judgment, where there seems to be the three-prong test laid out but nobody seems to be applying it,” Chugh said while commenting on the compliance with the Puttaswamy judgement by the private sector. “So is there something in between which is missing that, this is the constitutional wisdom but what does the person on the ground who wants to run a business take away from it right? How do they apply it, how do they internalise it?” she added. According to Chugh, there needs to be frameworks that guide the industry on complying with the judgement’s three-prong test.
Support MediaNama’s endeavor to enable meaningful conversations around technology policy. Subscribe here.
Taking stock of the problem
During the discussion, the participants raised points on the consequences of biometric data collection and the deployment of related technology.
“There are levels of control that we are now seeing and supposedly accepting that we just didn’t do earlier,” Kovacs said while referring to biometric and location-based data collection by apps, employers, and governments. During the session, Kovacs also referred to feminist theories and concepts to make the point that consent is relative. “You have to create the conditions that enable them to be free and equal conditions and so to express consent meaningfully,” she said, adding that this is not being followed in the current practices around consenting to e-governance programs, leading to power relationships.
In children, impacting development
Kakkar raised concerns over childrens’ development if surveillance took place in their schools, referring to a study that found that children as young as one and a half years old change their behaviour when they are being watched.
Can you imagine what impact this is going to have on the child’s psyche growing up? — Kakkar on CCTVs being installed in Delhi’s government schools.
“Notions of autonomy, you know, and beyond privacy, beyond autonomy, like our ability to function as human beings and the society and….and you know, we’re going to be monitoring them in a place where they learn and that’s just going to undermine setting a strong foundation for a free and Democratic Society,” Kakkar said.
Re-inforcing old prejudices
“All of this kind of inferential use, which seems quite, I don’t know, far-fetched and an attempt to resuscitate long-debunked ways of thinking about how our bodies work, are being explored and built into these systems,” Andrejevic said, talking about facial recognition and other biometric technology that claim to be able to infer a person’s mood, sexual orientation, or criminal tendency. He also said that much of the legislation he had seen around such technologies concerned themselves more with identification than inferential and possible discriminatory uses, and flagged the collection of such data by discreet mechanisms. “Automation makes that form of data collection very powerful,” he said.
“We use bias training data sets of flawed sampling, which overall under-represents minority communities and then AI systems make decisions based on their training on these data sets which sort of perpetuate and really embed historical bias and discrimination into our society,” Kakkar said. She further said these were often transferred from high resource contexts (such as western countries) to low resource contexts — something that regulators must think about.
What does effective regulation look like?
Effective regulation depends on the context: “In the regulation of AI systems, context really matters. AI systems are being developed in the western world and very often just being translated fairly blindly into other contexts, right. They are being translated from high resource context to low resource context. They are being translated from the context where they are trained on particular kinds of data sets […] to being deployed in an Indian context where we have such a diverse society with many ethnic groups,” Kakkar said.
Effective regulation makes privacy competitive: “The best thing that regulation can do is to make a market out of privacy which is to say that make privacy a parameter on which private providers kind of compete,” said Chugh.
Risk-based regulation is the best we have: “Risk-based regulation is like an educated compromise because we know that we’re not going to have enough State capacity and enough institutional bandwidth to go and regulate every person out there who has data,” said Chugh. “So what we do is we kind of filter through to see who are the biggest kind of carriers of data, collectors of data and see if we can enforce the regulatory regime on to them pretty well and then a significant share of the market is covered. So is risk-based regulation the best approach? No, but it’s probably the best that we have,” she added.
MediaNama hosted PrivacyNama 2021 with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners — the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).
Comments have been lightly edited for the purposes of clarity and brevity.
- European Parliament votes for ban on biometric mass surveillance
- Why A UN Body Is Raising The Alarm On Biometric Recognition Tech In Public Spaces
- Lucknow Safe City Project: Uttar Pradesh To Deploy Facial Recognition, ‘Label’ Faces Of Suspects
- The Use Of Facial Recognition Technology For Policing In Delhi: An Empirical Study Of Potential Religion-Based Discrimination
Have something to add? Subscribe to MediaNama here and post your comment.