
Beyond Individual Consent: The Case for a Community Right to Privacy

  • Rashi Sharma and Srinjoy Debnath
  • May 2

Updated: May 30

  1. Introduction

The above quote reflects the value data holds in the contemporary world. With technological advancement, data has become central to our lives, controlling everything from food subsidies to our Instagram feed. Technology and the wide use of data have certainly improved our lives in innumerable ways. However, these benefits have also brought dangers and risks. The potential damage that can be inflicted by misuse of data is unthinkable. The Universal Declaration of Human Rights (“UDHR”) and other human rights treaties, such as the International Covenant on Civil and Political Rights (“ICCPR”), have recognized the right to privacy as a human right. In line with the human rights discourse, the Supreme Court of India has recognized the right to privacy as a fundamental right under Article 21 of the Constitution. However, the discourse around privacy laws, including statutes like the Digital Personal Data Protection Act, 2023 (“DPDPA”), is too individual-centric: it makes the usage of data contingent on the consent of the individual. Yet in the age of Big Data and Artificial Intelligence, algorithms trained on data from some individuals can significantly impact the lives of other individuals.

The DPDPA and the publication of the rules are welcome steps. However, there are grave concerns that the Act and the human rights discourse on privacy fail to account for. By highlighting these concerns, this article critiques the individual-centric view of the right to privacy and data protection laws and argues for a community-based understanding of privacy. The article is divided into three sections. Section II briefly touches upon the development of the right to privacy as a human right and the discourse in India; Section III discusses human rights violations that can occur due to the individual-centric approach towards privacy and argues for a community right; Section IV draws the strings together and concludes.

  2. Privacy Discourse: From UDHR to the DPDPA

The right to privacy was recognized as an international human right for the first time by the UDHR in 1948. Back then, the word “Privacy” did not exist as a right in any national constitution. State constitutions only protected specific features of privacy, like the right against unreasonable searches and seizures. During the UDHR’s drafting, an umbrella term like “Privacy” was unknown. Article 17 of the ICCPR followed the UDHR with an almost identical provision on the right to privacy. The only difference is that the ICCPR widens the right to privacy by including a right not only against arbitrary interferences but also against unlawful ones. The discourse of the right to privacy in human rights evolved from only recognizing a right against unlawful search and seizure to a wider right to privacy. A similar move is reflected in Indian jurisprudence as well. The Indian Supreme Court refused to recognize the right to privacy as a constitutional right in multiple judgments until the K.S. Puttaswamy case recognized it as a fundamental right under Article 21. The K.S. Puttaswamy judgment ushered in a new debate on the implementation of a data protection law. The Digital Personal Data Protection Act, 2023 was passed by the Parliament in August 2023 with the aim of safeguarding individuals from unlawful interference with their personal data. The Act defines “Data Principal” in terms of individuals only. The definition leaves no scope for expanding its application to community privacy. All the necessary requirements in terms of providing notice and obtaining consent are linked to the Data Principal. Further, the right to access information about personal data, the right to deletion of data, and remedies are provided to the Data Principal only. ‘A Community’ has no locus standi or recognition in the Act. Similarly, the Optional Protocol to the ICCPR only accepts individual complaints.
In the next part, I shall discuss the risks associated with an individualized view of privacy and argue for a community right to privacy. 

  3. A Community Right to Privacy

The right to privacy of an individual is based on the notion that an individual can be harmed by the dissemination and processing of their own personal data. Therefore, an individual should have the right to decide whether their personal data should be shared or processed. The case for a community’s right to privacy stems from the fact that data from people having shared vulnerabilities can affect each other. The effect of data analysis is no longer restricted to individual data processing. In the age of artificial intelligence, algorithms are trained on a set of data and are made to predict outcomes on similar but different sets of data. For example, researchers from Stanford University trained a computer algorithm to identify homosexual persons by looking at their pictures. The algorithm was trained on publicly available pictures from dating sites of 36,630 men and 38,593 women. It had 81% accuracy for men and 74% accuracy for women. The DPDPA has an exclusion clause for publicly available data. Therefore, the Act will not apply, and consent from the data principals is not required before using their pictures to train an algorithm like this. Sexual orientation is an essential part of privacy. A community or individual has the right to not disclose their sexual orientation. An algorithm like this infringes the privacy of an entire community based on their sexuality. In this way, shared vulnerabilities can be exploited by algorithms to sort people into specific communities. The assumption that the personal data of one person can affect that individual only no longer holds true. Data from a handful of individuals can adversely affect the right to privacy of an entire community. Further, the fact that an individual has published a piece of personal information does not mean that they are comfortable with it being processed in different ways. Privacy is infringed at a community level by algorithms trained on data from individuals belonging to a community.
The individual-centric privacy policy or an individual-based Right to Privacy fails to account for violations taking place at the community level.

The harms of having an individual-centric privacy policy are not restricted to community privacy alone. It can lead to the violation of other human rights as well. The set of data that is used to train a system determines the kind of outcomes it will provide. Here, the problem of bias comes in. The current privacy discourse and legislation fail to account for this. If a particular company collects data from consenting individuals whom it has hired or rejected in the past 50 years to train an algorithm that would be used to shortlist candidates later, the DPDPA will allow it. However, training algorithms on data received from past applicants has implications for future applicants. Due to embedded patriarchy, casteism, and other social evils in society, persons from marginalized backgrounds may have been unfairly dealt with. If the datasets contain fewer people from marginalized backgrounds who have been successful, it can affect the way the algorithm views the applications of persons from marginalized backgrounds. A similar allegation was raised against Apple credit cards, where women with similar assets and liabilities were offered lower credit scores than men. The excessive focus on individual consent in privacy discourse misses the potential for published data, or data from consenting individuals, to be used in a wrongful manner. This kind of gender-based discrimination infringes on the right against discrimination under Article 3 of the ICCPR. Hence, a lack of effective privacy and data protection policies can affect not only the right to privacy but also other human and constitutional rights.

The above instances show how privacy violations can happen at the community level and that there is a need for a community right to privacy. However, the Optional Protocol to the ICCPR provides for individual complaints. The Human Rights Commission also held that the Optional Protocol only envisages individual complaints. Therefore, the HRC has in effect ruled out any scope of justiciability of a collective right to privacy. Even in the absence of justiciability, a case can be made for the interpretation of Article 17 of the ICCPR to include a collective right to privacy. A lone focus on framing laws that strive to protect the individual should be considered a violation of Article 17 of the ICCPR.

  4. Conclusion

From the above discussion, it can be understood that a lone focus on individual privacy in the privacy discourse of Indian and international laws signals a narrow approach towards privacy. The effect of individual data collection on a community is much wider, as highlighted by the examples of discrimination and violation of community privacy. This affects not only privacy but other human rights as well. These ill effects on communities due to the collection of individual data and the subsequent training of AI are not dealt with in human rights discourse or domestic statutes like the DPDPA. Therefore, it is imperative that community-based privacy be taken into consideration in Indian and international laws. The primary condition for achieving this is taking a step ahead and recognizing the community’s right to privacy.
