AUGMENTED REALITY AND DATA PROTECTION
This blog provides an insight into the concept of Augmented Reality. It goes on to classify the types of data collected by an AR service. Such collection, storage and transfer of user data is analysed in the light of Indian cyber laws and global norms of data protection.
“Why shouldn’t people be able to teleport wherever they want?”
Palmer Luckey, Founder, Oculus VR
Presently, during these pandemic times, the outstanding performance of Keanu Reeves in “The Matrix” has become ever more relevant to our daily lives. For people who are even slightly into technology beyond the mundane sphere of online classes, the concept of Augmented Reality (henceforth referred to as “AR”) is no figment of the imagination. From an event as accessible as a smartphone launch (OnePlus Nord) to its use in the field of defense and security by the U.S. Army (Synthetic Training Environment), AR has proliferated beyond human intuition. AR creates a digital and artificial environment, only partially set against the backdrop of the naturally existing environment. Those of you who have used Snapchat Lenses (with the rear camera) or the Pokemon Go game will surely be able to relate better now. We may have seen news articles on how tech giants like Google & Apple are betting on this concept to maximize innovation. However, the galvanic coalescence of AR and Artificial Intelligence (henceforth referred to as “AI”) is also frightening, because our shield, the law, is not keeping pace with this evolution, and therefore the sword can pass into the wrong hands.
AN EVOLVING HORIZON
Even though the concept of AR has struck at the technical ineptitude of multiple Indian laws, in this blog we will restrict ourselves to the cyber laws of India. With the introduction of the General Data Protection Regulation, India has been pushed towards the introduction of another flawed bill, the Personal Data Protection Bill, 2018. For example, when you use Snapchat Lenses on your phone, a massive amount of data, including everything your camera is seeing, the sound it is hearing and other location data, is sent to the servers of Snapchat. Now many of you will understand why, with every OS update, Android and iOS are getting ever more serious about “app permissions”. Obviously, a data transaction like this has serious privacy implications.
AR SERVICES UNDER THE IT ACT, RULES & BILLS
Section 43-A of the Information Technology Act, 2000 (henceforth referred to as “IT Act”) mandates compliance with ‘reasonable security practices and procedures’ in relation to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (henceforth referred to as “SPDI Rules”). These rules apply only to sensitive data. What is meant by sensitive data is, however, a matter of debate. If the AR service does not collect sensitive data (like biometric data, health data, or financial data), the SPDI Rules will not apply to it. As per the said Rules, the “physical, physiological and mental health condition” is considered to be SPDI. If the AR service is collecting this data, it is covered. Apart from SPDI, there is another type of data that an AR service can collect, and that is Personal Data (henceforth referred to as “PD”). PD is the type of data that has the potency to directly or indirectly identify a natural person, that is, data consisting of physical characteristics, traits, and other relevant attributes. The PDP Bill, which is not yet enforced, aimed to cover both PD and SPDI. Had this Bill seen the light of day, both the PD and the SPDI collected by the AR service would have come under legal compliance. Under the present cyber law framework, only SPDI is under legal compliance. Presently, the law binds only those corporates that are located within India; the PDP Bill would have brought under its control all corporates that have even a slight nexus with India. In order to ensure that the privacy of the user is protected, the PDP Bill aims to have businesses and organizations adopt a “privacy by design” approach, which embeds the user’s privacy into the very DNA of the organization. If an organization like this operates AR services, the data collected by it would normatively be under the absolute control of the user.
AR SERVICE BASED WITHIN INDIA
Presently, the PD collected by AR services is stored on servers which may or may not be located in India. The PDP Bill mandates data localization, which means that regardless of the origin of the service, if the data is being collected from India, it has to be stored on servers that are located in India. The data collected may even be stored on the device itself. There also ought to be deeper integration of the user’s consent as to which sort of data is being collected by the AR service. For example, let’s consider Niantic’s AR game named “Wizards United”, which is based on J.K. Rowling’s evergreen creation, Harry Potter. Had the PDP Bill become an Act, it would have required Niantic to ask for the user’s consent to collect anything from something as minor as the avatar’s name to something as big as a service offered to the user. All these were mandated by the PDP Bill.
AR SERVICE BASED OUTSIDE INDIA
For those internet-based offerings whose corporate base is somewhere outside India, the GDPR would be the cornerstone for data compliance. The consent system under the GDPR is even more aggressive because it requires users to state whether or not they consent to their data being transferred overseas. Joint compliance with the GDPR and the PDP Bill would lay down a contract between the user and the AR service, which would be pre-approved by the Data Protection Authority constituted under the PDP Bill. If the user consents to such an overseas transfer of user data, the Government will be required to approve the location of the transfer and the organization transferring it. Then the Data Protection Authority will be required to approve such transfer, and finally the Data Fiduciary will be allowed to disclose the user data to another party located overseas.
Submitted by,
Aritra Deb,
5th Year, B.B.A.LL.B.