India’s data protection law may not be enough to secure people’s privacy
Subscribe to enjoy similar stories. Economists assume that individuals act rationally, always responding to incentives in their own self-interest. They are assumed by many economic models to have complete information and the ability to perfectly calculate costs and benefits.
French economist Jean-Baptiste Say called this axiomatic stereotype of the abstract individual who exercises rational choice Homo economicus. But, as Daniel Kahneman, Amos Tversky and Richard Thaler demonstrated, humans are not always rational in the way those economic models suggest or assume. They are driven by emotions, guided by intuition and influenced by bias.
Which is why, more often than not, they do not act in real life the way economists predict in their models. I’ve recently come to realize that privacy law has a stereotype of its own. One that is, in much the same way as Homo economicus, also fatally flawed.
Data protection laws rely on consent. Data fiduciaries are required to only process personal data if they have been permitted to do so by the data principal, who has the autonomy to decide for herself just what can and cannot be done with her personal data. This is an approach borrowed from contract law and therefore proceeds under the assumption that consent is provided freely.
This suggests that data protection law has a stereotype of its own—Homo privaticus if you will—for the ideal data principal who is fully capable of privacy self-management. But the reality is somewhat different. More often than not, consent is sought from us in binary terms—in the form of take-it-or-leave-it privacy notices that we have no ability to negotiate.
Read more on livemint.com
