NATIONAL GEOSPATIAL DATA POLICY 2022: A DEATH KNELL TO PRIVACY

NATIONAL GEOSPATIAL DATA POLICY 2022: A DEATH KNELL TO PRIVACY IN THE ERA OF DARK PATTERNS

By: Dhanshitha Ravi and Kosha Doshi 

INTRODUCTION

The Indian government introduced the National Geospatial Policy 2022, with the aim of establishing a comprehensive framework to harmonize the implementation of the ‘Guidelines for Acquiring and Producing Geospatial Data and Geospatial Data Services including Maps’ 2021. Geospatial data refers to information that is linked to a specific location on the Earth’s surface, such as maps, satellite images, and GPS data. Such data puts individuals at risk of having their location and movements tracked and monitored. In an era where cookie walls and dark patterns are prevalent, the implementation of the 2022 policy raises serious concerns about the potential consequences for the privacy of individuals. Cookie walls are essentially pop-ups that block access to websites unless the user agrees to accept cookies, and dark patterns are manipulative user interface designs that trick individuals into making unintended choices or divulging personal information.

GEOSPATIAL POLICY AND ITS FRAMEWORK

The 2022 policy promotes the involvement of private enterprises in collaboration with the government to acquire, process, store, share, and disseminate the geospatial data. Surprisingly, it authorizes the sale of sensitive geospatial data without prior permission/license, along with the sale/licensing of such data to foreign entities. The policy justifies the activities as creating a framework to ‘democratize data’, by treating it as a ‘common good’ to be stored in the National Geospatial Data Registry. This ‘democratized collection’ goes to the extent of empowering the law enforcement agencies to utilize the cloud data for secured operations, without imposing the slightest amount of restrictions on the contingencies for such usage.

DARK PATTERNS AS A THREAT TO GEOSPATIAL DATA

Cookie walls and dark patterns threaten sensitive geospatial data because they collect personal information from devices through mechanisms such as geolocation APIs, IP address tracking, GPS tracking, and Software Development Kits that track real-time location and even movements. Drawing a parallel with the EU, where this issue has been the center of attention in recent times, helps in understanding the implications of dark patterns in cookie walls from the perspective of location data. For instance, the French Data Protection Authority (2021) and the Belgian Data Protection Authority (2022) ruled that deceptive methods to collect sensitive personal data through cookies, regardless of ‘legitimate interest’, were not permissible. The authorities found entities violating GDPR’s consent requirements (Article 4) by: setting cookies on user devices before consent was given; lacking a clear opt-out process; and not providing enough information about data collection and storage.

We draw on Google Maps as an example to understand the violations of the aforementioned rationales through its surreptitious practices in handling geospatial and sensitive personal data. Here, data continues to be collected unless the person goes to the cookie privacy settings and manually pauses ‘location history’, which is not at all easy for reasonable consumers to find. Furthermore, it unscrupulously shares the consumers’ data with third parties. These practices were found to be violative of the consent requirements and privacy, for which Google was sued and fined.

The government has failed to consider the risk of misusing sensitive data under the guise of democratization of data which can potentially single out an individual. Policy for handling geospatial data cannot allow uncontrolled sharing with the government or private entities, unless clear circumstances are outlined. Sharing or selling geospatial data obtained manipulatively is illegal and violates GDPR, constituting a ‘personal data breach’, thereby encroaching on the rights of the data subject (Article 3).

GEOSPATIAL DATA AS A SURVEILLANCE TOOL

Geospatial data collected by government agencies in India was previously not available to the public, but the 2022 Policy encourages its collection, analysis and sharing, including data obtained through cookies. The policy also authorizes law enforcement to use this data for surveillance purposes. Location data can be collected through dark patterns, Wi-Fi triangulation and Bluetooth tracking, enabling digital contact tracing without consent. The COVID-19 pandemic prompted governments to deploy surveillance tools such as the Aarogya Setu app. The Strava global heatmap incident highlighted the security threats posed by geospatial data as locations of military bases were disclosed. Additionally, surveillance can continue indefinitely, and without a concrete data protection framework, a person’s right to be forgotten is compromised. This opens a Pandora’s Box, as the authorities are granted power to collect and store data centrally for an eternally lasting time period.

RECOMMENDATIONS & CONCLUDING REMARKS

India’s geospatial data deregulation has raised privacy concerns due to the lack of a comprehensive data protection law with no accountability or list of data collectors and processors. Location data is not protected under the SPDI Rules, 2011; and although the Personal Data Protection Bill provides a higher threshold for data processing, its validity remains inconsistent.

To preserve the right to privacy while handling geospatial data, recommendations include:

Include geospatial data in the definition of ‘sensitive personal data’ under IT Rules, 2011.

Pass a comprehensive data protection law with safeguards ensuring clear consent, processing methods, and withdrawal options. For example: France’s Cookie wall regulation.

Require a government warrant for accessing cell site location data and lay down clear circumstances for using geospatial data.

Provide a time limit for storage of data under the Geospatial Policy to balance legitimate use and privacy. For example: 75 years under Criminal Procedure (Identification) Act, 2022.