The Pandemic has created a real danger to the society, apart from the casualty there have been some major political-legal changes, with the emphatic rise of populism and concentration of power, the legal landscape has been at the receiving end. One such right which demands mention in this changing scenario is the right to privacy; due to its nascent origin, privacy is at the receiving end, who could forget the last year issue of contact-tracing applications, all these issues have raised essential questions pertaining to individual privacy.
When Supreme Court recognised privacy as a part of the fundamental right, the Court also recognised privacy of mind, bodily privacy, and informational privacy as a facet of privacy. However, the Supreme Court did emphasise much on the origin of informational privacy; the Court regarded informational privacy as part and parcel of the Privacy (which itself is a facet of human dignity) (special reference to Justice Sanjay Kishan Kaul's opinion on privacy). Yet, to safeguard informational privacy, an adequate mechanism must be put in place, which we call the Personal Data Protection mechanism, which is still lacking in Indian ecosystem.
So, India recognized the right of Informational Privacy, but the mechanism through which it could be protected is still not there (Personal Data Protection Law). One point of addition that is relevant from the perspective of the data-protection angle is that in European Jurisprudence Right to Data Protection is recognized as a Fundamental Right but not so in the case of India.
Class Recordings & Data Minimalism
Now why this Data-Protection principle becomes important from the angle of the Class Recording perspective (and when I say Class recordings, I literally mean recorded lectures for students). Firstly, it needs to be understood that certain tenets are recognised as indicators of Sound Data Protection Law, in the absence of those tenets, there would be no data-protection as such, it is like the basic structure of Data Protection, for example, Purpose Limitation, Data Minimalisation, Consent of Individual, Notice, Pseudonymisation and others. These features are regarded as essential facets of data protection, and all of them are mentioned in the Indian Personal Data Protection Bill, 2019. They are also well recognised fundamental rights under the General Data Protection Regulation (GDPR). Yet under the Indian scenario, they are not enforceable rights because the Indian data protection endeavour is still a bill (PDP Bill, 2019).
But for further argument, I will emphasise what Purpose Limitation, and Data Minimalisation is. Purpose limitation, as the name suggests, means that every information collected by the Data-Fiduciary (Like Social Media Websites, Search Engine Websites, Government Offices, or any other third party intermediary which is processing your personal data) should be processed only for a particular purpose, for example, if a Social Media Website is asking for access to your email for verifying your age, that access to your email can only be utilised for that particular purpose (that is verifying your age) not beyond it and once that purpose of that information is complete that information needs to be deleted by the Data Fiduciary. In consonant to the principle of Purpose Limitation is the principle of Data Minimalisation, which means only that much information needs to be collected by the Data Fiduciary as much is necessary for processing of personal data and not beyond it, so let's take the earlier example in a different context if a Government Intermediary wants to process some of your personal data and requires an official identification card for verifying your age, giving of one personal I.D. (Like Aadhar or Pan card) would be sufficient for that processing. So, the underlying principle of Data Minimalisation is the minor exposure of one's personal data for processing.
Online Classes and exposure of the sanctuary
It is a well-known fact that amid Pandemic, the lectures have turned online, and recorded lectures have turned into a panacea for the current situation. However, online classes are also opening the spaces of data-processing, knowing that a mixed model has been adopted across several Universities, with some Universities going for recorded lectures and some for live-streaming lectures. Yet, it won't be a wrong statement to make that most of the Universities are recording the lectures (even the live-streaming lectures) and sharing them with students; this idea of recording and sharing lectures qualifies as the processing of personal data. Now let us analyse this situation more deeply; amid online Lecture, most of the students have to open their cameras (either for evaluation like viva or simply just for interaction with teachers), now because the students are sitting in their homes, the opening of the camera and sharing a part of their house (what we jurisprudentially call as a sanctuary, deriving its value from the famous idiom 'My Home is My Castle') and thus by default sharing their personal data. So, let's imagine I being a teacher, ask one student to open his/her camera for evaluation, and interestingly in the background of the student is a bookshelf (most of the people today sit in front of bookshelves). Now not only can I see the student, but I can also see the bookshelf behind him/her and probably able to read the names of the books on the shelf. That piece of information could work as an insight into the likes or dislikes of the student or what we famously call as Individual-Profiling (something which was alleged to have had happened in the 2016-U.S. elections but on a different model), this does not end here; its just one example of several other possible cases. A student who might be a fan of English Pop Band and has a poster of that band on the wall or a Student in whose background there are noises of domestic violence, all this information is excessive information that can be utilised for profiling the student as an Individual. The same analogy applies to teachers as well. However, there is a means of tackling it, as many of the online video-conferencing applications provide for the blurring of background options; this can indeed tackle the situation of excessive access of the information in one's sanctuary. This surely creates a case for Data Minimalisation.
This is one aspect of Class-Recordings; the other aspect is the keeping of Class-Recordings for a longer time, which would be a violation of the tenet of Purpose Limitation. As already discussed earlier, the idea of Purpose Limitation is a limitation onto the usage of personal information for a particular purpose for which the information was collected. That means in the context of the article, the Online-Classes are happening as a substitute for the physical classes, but this additional feature of recorded lectures allows the teacher and the institution to store the information about students for a more extended period than the purpose of classes. For example, I take a lecture today in May 2021 and record that Lecture. I can easily keep that recorded Lecture with me for a month, for a year, for a decade, and that recorded Lecture again would possibly give access to excessive information about the student. All this information is like meta-data; if you are a constant user of Shopping-Applications, you probably might have seen targeted advertisements on Social Media Websites or Search Engine Websites; the reason behind this is that they too are collecting information about their possible customer from different sources.
But this tells us something about our educational institutions and particularly about our legal jurisprudence; we have not reached that level of consciousness to understand this perspective of privacy. Mainly because we are too involved in the idea of physical right so much that psychological rights such as privacy or informational privacy are of the least concern. In fact, it has been four years since the privacy judgment had come out, yet the Data Protection Law in India is still a bill.
However, the picture is not all gloomy; there are institutions that are working upon this area of concern; for example, the Hungarian Data Protection Authority (National Authority for Data Protection and Freedom of Information) has issued guidelines to the Educational Institutions in a matter of data privacy of the students pertaining to online classes and has categorically laid down criteria which the educational institutions should follow: such as the setting of cameras in such a manner to ensure less exposure of the environment of the house, or dedicated email I.D.s for the teachers, dedicated platforms for sharing of material and recorded lectures and limited-time access to those Lecture, all this and many more guidelines are given by the Authority which will help create a safe data-protection environment.
Thus, this could be a great learning experience not only from the jurisprudential perspective but also from the perspective of a stakeholder in the education system. Setting up a of data protection mechanism in the form of Data Protection Authority would possibly be the first step forward towards a secure data-environment.
Views are personal.
The Author is an Assistant Professor of Law at National Law University, Jabalpur.