Why the Srikrishna Committee Rejected Ownership of Data in Favour of Fiduciary Duty

Data ownership, though clearly motivated by good intentions, is philosophically flawed, legally counter-productive and practically unimplementable.

In response to the report of the Srikrishna Committee on data protection, the civil society has commented that the report and the Personal Data Protection Bill, 2018 have shortchanged the citizen by not making her the owner of her own personal data.

Writing in Business TodayRajeev Dubey called the Bill “a whimper”, pointing out that it failed to recognise the individual as the owner of her data; Nikhil Pahwa termed the bill “a failure” on 12 grounds, the first of which was its failure to recognise data ownership; a report in The Wire referred to “data ownership” as the golden principle which had not been recognised by the committee.

Many of these objections have their basis in TRAI’s recommendation that the individual ought to be the owner of her personal data and the entity collecting the data “a mere custodian”.

As a member of the Srikrishna Committee, I can assure all commentators that after due deliberation, the committee felt that the interests of the citizen would be better protected were she a data principal rather than a data owner. In fact, data ownership – though clearly motivated by good intentions – is philosophically flawed, legally counter-productive and practically unimplementable. Further, TRAI has made a category mistake as its intention, much like the Srikrishna Committee’s, is to give control over personal data to the individual. To make the individual an owner detracts from this goal and does not advance it. Let me explain this in a bit more detail.

Philosophical follies

Personal data refers to attributes of an individual by which she is directly or indirectly identifiable. Straightforward attributes include her name, address and phone number, whereas other facets of her identity such as her sexual orientation, health information, credit history also qualify. Now ask yourself a question – do you own your name? Do you own your sexual orientation? Now reflect on the consequences of ownership – can you sell your address? Or gift your health information? What about leasing your credit history?

If you were an ordinary individual, you’d just be staring blankly if these questions were asked. That’s because they simply don’t make sense. If you were dutiful in answering the questions, you’d probably say ‘no’ to each of them; but if you were truly reflective and honest, you’d possibly comment on the absurdity of the questions in the first place. We do not own our names or our addresses. Neither can we gift them or lease them to anyone for any purpose.

You might however say that ownership is not simply about alienation, it is about autonomy. In this sense, you may “own” your sexual orientation even though you cannot sell it, because it has intrinsic value to you and you can choose with whom to share this information. This is precisely what the requirement of informed consent coupled with a fiduciary relationship achieves. You can decide with whom you want to share your sexual orientation and once you do, you don’t lose all rights over such data. The recipient has to constantly act in the manner that you have authorised her to.

Were this requirement to be replaced by ownership – understood as a property right over the information – not only can the state exercise eminent domain powers over your sexual orientation (take it for a public purpose on payment of compensation) but can also exercise full control over the personal data without following any privacy principles. The fiduciary relationship in the bill avoids this counter-productive result by binding the state to using any information it receives to those necessary for a public function and mandating that it accords with privacy principles.

Legal tangles

Someone might object that it is not my name that I own but the bit-sized packet that contains my name that is transferred over the internet. While this appears to have some merit, on further reflection, this gets us into an almighty legal tangle. First, the packet that contains my name isn’t my personal data – my name is my personal data and the packet is the means by which it is delivered. Think about an envelope in which a letter is enclosed – the envelope is not the same thing as the letter.

Even assuming that the packet is my personal data, that packet has been created by a provider in a certain context. Say, for example, I provide my name to an email service provider to get email services. Now the packet containing my name (as opposed to my name itself) has been created by the service provider in order to provide me the service. So even if we want to force the language of ownership into this state of affairs, the packet is plausibly jointly owned by the service provider and the individual. That does not take us very far in protecting the rights of the individual.

The Personal Data Protection Bill 2018 was submitted last week to the government by the Srikrishna Committee. In this photo, Justice B.N. Srikrishna hands over the report to IT minister R.S. Prasad. Credit: PTI

Further, even if one were to assume that the individual is the sole owner of her personal data (casting aside philosophical or legal objections), this will mean that the individual can do as she pleases with her data. Contrary to the physical world, where such control vests individuals with certain exclusionary rights, in the digital world, with its opaque practices of data sharing, ownership of data will simply open up the floodgates for its alienation. Contracts will routinely get written which involve, as a condition of service, selling of personal data of an individual. Needless to say, once personal data is sold, even if there is some consideration, an individual loses all her rights over it absolutely.

Even if such an unconscionable contract is never written, an individual will have to alienate her personal data, i.e. her property, in some way before receiving a service she wants. Owing to the constant stream of data sharing needed for services on the internet to function, such alienation will be so ubiquitous that it is unlikely any genuine market with rights for individuals will evolve. Even if some rights were to be granted, they would be contained in contract, which as everyone who has attempted to read a contract on the internet knows, is written entirely to the advantage of the entity collecting and using data. Despite trying to protect individuals, ownership will end up significantly hurting them.

Practical problems

If the above aren’t good enough reasons to doubt the usefulness of data ownership for individuals, the potential nightmare in attempting to implement such an idea in practice will itself render it a non-starter. If Sumi clicks a photograph with Krish and Tania in it, who owns the photograph? Sumi, who took it or Krish and Tania who are in it? If it has Krish in the foreground and Tania in the background, is Krish a majority owner and Tania a minority owner? These are difficult questions with no easy answers.

Further, on the internet, not all personal data about me might have been created by me. By accessing my browsing history, a website using its algorithm gets some behavioural insights about me – that I watch football and love beaches. Each of these is undoubtedly my personal data but can I, who have had only some role in its creation, be said to own this insight? And if I do own it, how do we get to the consequent question of pricing every click or like or status update or purchase that I have made? This is a practical nightmare that should hopefully dissolve any half-baked data ownership idea in the oven.

Right ideas, wrong concepts

One can understand the clarion call for data ownership as a call for individual rights over data to be secured. This, after deliberations of a year, can only happen if the individual is a data principal and the entity processing the data, a fiduciary. This makes the fiduciary owe a duty of care to the individual and the individual, irrespective of what might be written in the contract between herself and the fiduciary, expect a certain degree of trust and loyalty from the fiduciary. If such expectation were betrayed, the individual will be entitled to compensation.

This language of a fiduciary relation, is well known to us in the context of the doctor-patient or lawyer-client relationship. The client parts with sensitive information to her lawyer, the patient with health information to her doctor – in neither case does she own that information – she simply gives it trusting that it will be used for a specific purpose. It is this relation that the committee has extended to the digital world.

This is not the genesis of a new idea but the culmination of a realisation that began with constitutional scholar Jack Balkin, travelled through Mark Zuckerberg’s Senate hearings and has been advocated by several commentators. This is what TRAI was intending when it wanted to make data controllers custodians of data – they were to be fiduciaries who would have to act in the best interests of the principal. That isn’t a necessary attribute of ownership, it’s a function of trust.

In another day and age, one might have expected members of civil society to have read Karl Marx before blithely championing data ownership as the panacea for the ills afflicting the little man, the ordinary citizen in the digital age. After all, data ownership is about using the construct of private property to protect ordinary individuals. Even an elementary understanding of Marx tells us that private property does not work in the interests of such persons.

To quote him, “Private property has made us so stupid and one-sided that an object is only ours when we have it.”

A fiduciary relationship is a powerful framing device to protect the data principal from misuse of her personal data.

I can only hope that this concept of data ownership as the messiah of individual rights is either pursued through argument instead of assertion, or, if no decent argument is forthcoming, dies a timely death.

Arghya Sengupta is research director at Vidhi Centre for Legal Policy and a Member of the Srikrishna Committee of Experts which drafted the Personal Data Protection Bill, 2018.