Cognitive decline and privacy law: three concerns and a way forward
KS Roshan Menon argues why, and how, global privacy law must account for ageing and cognitive decline.
Statistics reveal the emergence of a global cognitive decline problem. The World Health Organization notes, in its Guidelines on Risk Reduction of Cognitive Decline and Dementia, that 152 million people are poised to have dementia by 2050. Population growth and population ageing are likely to serve as principal contributors to this pandemic. Scholarship attributes increases in cognitive impairment in sub-Saharan Africa to the former factor; the latter is likely to impact increases in East Asia.
The cognitive health crisis is also a digital health concern. Older people have become increasingly accepting of technology. Work done by the Pew Research Centre on this subject is instructive – the number of Americans over sixty-five on social media has nearly quadrupled since 2010. Similarly, 42% of Chinese adults over sixty used the Internet in 2020. Only 4.2% of such adults used the Internet in 2010.
The experience of cognitive decline among such users may impair their exercise of digital rights. Specifically, it will impact their experience of privacy, as guaranteed by domestic and cross-border privacy regulation. This concern is understudied in the legal literature and requires careful consideration.
Privacy Regulation and Cognitive Decline
Modern privacy law is principle-driven. The OECD Guidelines on the Protection of Privacy and the Transborder Flow of Personal Data (‘Guidelines’) recognize twelve privacy principles – eight of national application, and four of international application. The national application principles are substantive – they delineate new rights that apply to individuals. These rights have significant standing; the APEC Privacy Framework notes that the Guidelines, “represent the international consensus on what constitutes honest and trustworthy treatment of personal information.”
Among these, two principles are best positioned to address cognitive decline. The collection limitation principle codifies transparency of processing – it allows, inter alia, individuals to consent to the processing of the personal data. Concurrently, the individual participation principle enables effective control over such data. It guarantees individuals, the rights to confirm, erase, rectify, complete, or amend their personal data under processing. Collectively, the two principles codify autonomy as a pillar of privacy protection. A well-formed privacy right in accordance with these principles will enable two things – an individual in cognitive decline will be appraised of his data footprint, and they will be allowed to modify the same.
A host of jurisdictions have embraced these principles. While this move must inspire confidence, for the promise they hold in justly navigating cognitive impairment, a closer interrogation of the principles and their enforcement reveals flaws.
First, the collection limitation principle does not comprehensively account for diminishing capacity to consent. While privacy laws carve out special categories of individuals that require others to consent for their processing (such as children), they do not require entities to consider the consent-worthiness of ageing persons. Consequently, individuals above eighty are likely to be subject to the same consent tokens as individuals above eighteen. Consent so obtained is pervasive; individuals suffering cognitive decline are likely to be governed by the consent tokens authorized at a time of relatively robust cognitive capacity.
Second, rights guaranteed under the individual participation principle do not robustly account for access. Consider the EU’s General Data Protection Regulation, 2016 (‘GDPR’). Article 15(2) of the GDPR empowers a data subject – the individual whose personal data is under processing – to obtain a copy of their personal data undergoing processing. The right is particularly useful for those experiencing cognitive decline; a person may simply access his health information contained in one database and share it with multiple service providers to avail healthcare.
Vexingly, the right to access does not account for accessibility. Article 15 does not illuminate a pathway to operationalize such access. Businesses may, consequently, create pathways that frustrate the exercise of such rights. They may require users to write detailed requests to access their data. Alternatively, they may nudge individuals to travel to remote parts of a website/application to enable such access. Such travel is likely to further burden individuals experiencing cognitive decline.
Third, the principles, collectively, fail to account for privacy expectations among the ageing. The construct of privacy has lingered pervasively on sensitivity – health data or financial data have often, for instance, been considered more sensitive than other forms of data. However, such appraisals of sensitivity are need-blind. Often, individuals may require the easy sharing of personal data deemed to be sensitive. This contradicts a privacy regulator’s traditional expectations; regulations often imbue rigorous consent paradigms into frameworks governing the sharing of sensitive personal data.
As an example, consider an old-age home that relies on technology to assist the elderly. To guarantee state-of-art care to its inhabitants, the old-age home deploys a variety of wearables, fitted with sensors. Such sensors, expectedly, process a wide variety of sensitive personal data, including health data and biometric data.
Naturally, the processing of such data contains several privacy pain-points. Modern privacy regulation resorts to resolving these pain-points using an elaborate consent-and-notice framework. This is undesirable for the elderly, for it can lead to a situation where they do not fully understand the data processing contexts to which they consent. More pertinently, if consent obtained is sought to be explicit – this was the case in India’s Data Protection Bill, 2021 – it may require cognitively impaired individuals to exercise enhanced diligence. An individual in a care home may be asked to ‘sign’ several forms every time a new gadget is introduced to the smart home.
These drawbacks must not be interpreted to mean that privacy regulation is ill-intentioned. Instead, they must inspire the development of frameworks that code cognitive capacity into privacy law. A well-written privacy law will account for ageing and cognitive competence, and suitably modify its scope and application to guarantee privacy.
Accounting for Privacy: Way Forward and Solutions
Baby steps must mark the journey towards creating meaningful privacy frameworks for persons experiencing cognitive decline. These steps may rest on the following strategy. First, identify the impact of cognitive decline on an individual’s privacy expectations. Second, study whether such expectations are reasonable under extant privacy law. Third, if such expectations are reasonable but not covered under laws, code appropriate safeguards into the law.
Acting on the first step requires policy competence. A well-staffed, research-competent entity or a state-level privacy regulator may undertake a study on how cognitive decline impacts an individual’s ability to understand personal data processing. The study must focus on the following aspects: the ability to understand consent, to comprehend privacy notices, and to exercise privacy rights.
Once completed, the study may usefully inform the changes required in domestic/global instruments on privacy law. A discussion on how these laws must be modified will necessarily depend on the structure of the relevant law, and hence is beyond the scope of this article.
Ultimately, research efforts will guide our understanding of how cognitive decline interacts with privacy. Fleshing out such interaction kindles hope for a meaningfully built right to privacy.
KS Roshan Menon is a Research Fellow at Shardul Amarchand Mangaldas & Co. The author is grateful to Shahana Chatterji and Siddharth Nair for their inputs. The views expressed by the author are personal.
Photo by Marcus Aurelius