Data Privacy is a complex issue in the age of Artificial Intelligence and the internet. As the privacy of students on the internet continues to be compromised during the Covid-19 pandemic, the author examines its legal and ethical aspects.
Amidst the Covid-19 crisis, one may note that the world has come to a halt, and everything that happened within the infrastructure of institutions has now largely shifted to the comforts of everyone’s homes. Since this pandemic was unforeseen and one of a kind, the world was not prepared or armed to fight it, and it certainly did not have an action plan in place.
There is no statute or legislation which remained unharmed in the light of Covid-19. Educational institutions suffered a similar fate. Due to myriad reasons, some educational institutions decided not to conduct examinations while some decided in favour of examinations. Since written examinations in schools and colleges were struck off due to government notifications, these institutions decided to go forward with their decisions through online examination platforms.
There is now a multitude of online platforms and software that help institutes conduct online exams. Platforms like Mettl and MeritTrac are engaged by institutions and used as a medium to conduct examinations. Since the entire objective of conducting exams is to ascertain a fair amount of efficacy and hard work on the part of the student, combined with no cheating, all these online platforms share one common feature: proctoring.
Proctoring of exams is either done entirely through artificial intelligence or human proctors. Apart from proctoring or observing the student through a live camera, a lot of personal data such as name, address, IP address, cookie data, etc., is collected from the student as well. The gravity of the issue can be best understood when individual proctoring platforms are considered alongside their privacy policies.
When asked about how long they retain the personal and vulnerable data that they collect, Mettl responds by stating unclearly, “as long as it is needed for legal, regulatory and technical reasons”. There is however no specific and clear time limit as to how long this data will be retained on their database.
The conversation concerning the protection of personal data of third parties is not a new one. Privacy has been an issue since time immemorial. It is even more important to stress this issue now that the world has increasingly moved on to a digital realm, something which comes with far more drawbacks than ever imagined.
Our country is yet to move ahead with a Personal Data Protection Act, better digital infrastructure and checks to curb this kind of threat to the privacy of the common man. There are myriad open-ended questions to ponder. Some are mentioned below:
- The absence of a composite data protection Act
As of today, one can safely assume that there is no composite Act for the protection of sensitive personal data or personal information of an individual.
India isn’t a party to the international efforts to curb the misuse and leakage of personal information or data such as EU’s General Data Protection Regulation (GDPR) and the Data Protection Directive.
There are a variety of rules and a few concerned Sections within the Information Technology Act, 2000. However, there is no umbrella Act which is solely dedicated to the protection of sensitive personal information.
While weighing the efforts of legislators with regard to the protection of sensitive personal data, one must not overlook the contribution of the Information Technology Act, 2000. In order to incorporate the complexities that cropped up in the digital arena with time, the Act was amended to include Sections 43A and 72A, which enable the aggrieved to seek compensation if his/her personal information is disclosed. However, it contains a big loophole. An entity or a body corporate may claim to be an “intermediary” and avoid being liable as a party that hosts or stores any personal information given to them by a third party.
Along lines similar to the GDPR, the Indian government called for Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which talk about further requirements for private business and commercial entities in India for disclosure of sensitive personal data.
Furthermore, in 2017, the government formed a Data Protection Committee chaired by Justice B. N. Srikrishna to analyse the issues about data protection in India. The committee submitted its report within 1 year of its appointment. However, it failed to look at the issue from an economic standpoint and failed to analyse the costs and benefits of a GDPR-inspired Act.
The Personal Data Protection Bill (PDP Bill), however, tries to fill all these loopholes by containing striking and uncanny similarities to the GDPR. Despite that, the PDP Bill too has its own shortcomings. For instance, Section 25 of the Bill gives the discretion to the Data Protection Authority whether or not to inform the individual whose privacy has been breached. This gives the State the power to be a surveillance state which does not allow an individual to be in control or, at the least, be aware of the status of his personal data.
Moreover, the government’s vast and unending powers should be stressed. The government is allowed an exemption to process personal data under some circumstances under the statute. The circumstances are highly subjective and there have been cases abroad where such personal data has been misused by the government itself. If the aforementioned points were considered while crafting this Bill, it would have had a seamless effect on the general public as well.
- Who will the liability be on?
The second most unsettling question to ponder here is: who will be ultimately liable in case such sensitive data is leaked? Logic would dictate that the liability be placed on the party that leaked the data first hand. Yet, there are many provisions that one could gladly rely on in order to dodge penalties (for example, Section 79 exempts intermediaries from liability).
It is a settled position in law that the only party bound to be liable here is the third party or the party that provides the hosting party with such information. This is because a third party is always assumed to have conducted proper due diligence of the hosting party before providing them with any sensitive information of another individual. Thus, the party that divulges the given data can get off scot-free and without any punitive actions against them. The Bill, however, in this case, is a long-awaited messiah since it will penalize the leaking party first hand.
- Who will be the worst sufferer?
The worst sufferer in this scenario will without a doubt be the individual whose data has been divulged. No amount of compensation or reparations would erase the data that is already out there on each and every platform. Monetary compensation will not fix the sufferer’s image and loss of privacy, in case sensitive personal information is divulged. Laws have to be made in order to prevent such leakage of data, and a good number of restrictions must be placed on the hosting/storing party in order to make them liable for the leakage of personal data.
One may deduce that it is extremely important at this juncture to demand farsighted and advanced legislation for the protection of personal data. An individual must have the highest level of control over his/her own sensitive personal information, and not a statutory authority or even the government.
As of today, the Personal Data Protection Bill has been further delayed and hasn’t become an Act yet. Before it becomes an Act, it would be extremely wise to do away with some redundant aspects of the Bill and allow an individual to have control over his own information and data privacy. Only time will tell if the said Act will be able to address the complexities and intricacies that data privacy entails.