The clear and present danger of personal data being leaked or stolen has been recognised. But India’s proposed law to prevent it needs to work out several issues before it can be finalised.

Business Today - By Sonal Khetarpal - Illustration by Safia Zahid


The purported leak of personal details of 27 million members of the Employees’ Provident Fund Organisation (EPFO) earlier this year – confirmed by some stakeholders but denied by others – has sharpened concerns around digital privacy all over again. At the start of the year, the revelation that all the information provided by individuals to get their biometric Aadhaar identification numbers was being accessed by unauthorised agents had caused a furore. These are only the most visible examples of the vulnerability of personal data that accumulate online – IT industry insiders are convinced that many more leaks take place, but to save face, organisations do not report them. Global digital security firm Gemalto has estimated that 3.24 million records were stolen, exposed or lost in India in 2017, a 783 per cent increase over the previous year.

The European Union has implemented its General Data Protection Regulations (GDPR) from May this year, but in India similar safeguards are still at the “white paper” stage – the paper formulated by a committee of experts led by Justice B.N. Srikrishna and released by the Ministry of Electronics and Information Technology (MeitY) a few months ago. However, the committee’s draft of the Data Protection Bill is expected anytime now.

Sections 43 and 43A of the IT Act 2000, as well as the IT Rules 2011 relating to Reasonable Security Practices and Procedures (RSPPs) to protect Sensitive Personal Data or Information (SPDI) do make negligent parties liable to pay compensation to victims of data leaks, but they are clearly inadequate to counter the tsunami of illegal data grabbing that has since begun. Similarly, though the Supreme Court judgement in August last year affirming the fundamental right to privacy – including online privacy – is an important shield against data misuse, some crucial definitions and regulations still need to be spelt out. Even the Supreme Court judgement recognised that personal information may sometimes have to be divulged to the state in the interests of national security.

Contours of Personal Data

The IT Act has spelt out the contours of SPDI: “passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information”. Does the definition need to be expanded? The EU’s GDPR, for instance, also includes “online identifiers, location data and genetic information”. It is a tightrope walk because too broad a definition will impede legitimate commercial activity, but one too narrow would leave scope for personal data misuse. The right to privacy has to be balanced against competing rights, such as the right to do business or even a “right to innovate”.

Again, India has some unique features, which need to be factored in while defining what personal or sensitive data is. “Sensitive information is different in India because of the importance people here attach to caste and religion, and this should be taken into account,” says Kartik Shahani, Integrated Security Leader, IBM. Many felt, for instance, that the recent declaration of Class X and XII results by the Madhya Pradesh Board of Secondary Education, which also revealed which of the four categories – General, Other Backward Classes, Scheduled Caste and Scheduled Tribe – the successful students fell in, amounted to violating their privacy, and though technically not a leak, should never have been made public. (There is no reservation at the school level, unlike later – hence such categories should not matter.)

Further, a data privacy law needs to take cognisance of various nuances of personal data and its privacy protection. “Privacy protection mandates for Personal and Sensitive Personal data need to be differentiated to minimise harm to the individual,” says Rama Vedashree, CEO, Data Security Council of India, a NASSCOM initiative. But this should not translate into inhibitors for cross-border flow of data. “Banks, for instance, need to process and share information for credit rating, fraud detection, anti-money laundering, among others, warranting sharing of data that requires cross-border data flows.”

New Rulebook

India will also have to decide whether to take a “rights-based” approach as the EU has done – recognising privacy as a fundamental right – or a “protection-based” one like the US, which classifies some categories of information as private to protect the individual from excessive monitoring by the state, but allows collecting even this kind of information if the individual does not mind. There is also the question of deciding between a “principle-based” approach to data privacy and a “rule-based” one – the white paper is not clear about which it prefers.

(The Indian Penal Code and Criminal Procedure Code, for instance, are both principle-based; the Companies Act is rule-based.)

While a few experts believe that a list of straightforward rules would be easier to implement, most plump for the principle-based formulation. “The data privacy law should espouse principles by which privacy is protected and not get into rules because the implications and usage of the law will be wide,” says Pratibha Jain, Partner, Nishith Desai Associates. “Digital privacy cuts across industries, sectors, users, business to business (B2B) and business to customer (B2C). The rules would just be too many for a single law.”

Besides, the rapid changes in technology of the last quarter century suggest it is impossible to predict the technology of the future. “How can we frame privacy rules for what we don’t know?” says Jain. “But if there are broad principles, jurisprudence can develop around them. A rule-based law would only have to keep catching up with new technology.” India can be influenced by the multilateral data privacy agreement, the Asia-Pacific Economic Community’s (APEC) Cross-border Privacy Rules (CBPR) system, which facilitates privacy-respecting data flows among APEC economies.

Underlying the CBPR, for instance, are principles such as “cause no harm”, “balanced approach”, “reasonableness”, “appropriateness of usage”, accountability, and more, which India too could adopt. If a complaint of data misuse is made against a company, the APEC law considers the harm done to the complainant rather than the nature of the data referred to, and whether its collection should be constrained in future.

There is much to learn from the GDPR as well, which prescribes, for example, the appointment of a digital privacy officer for all companies beyond a certain size, but at the same time eschews any restrictions on the flow of data between countries so long as GDPR norms are observed. It is also worth noting that the GDPR, though finalised in mid-2016, was implemented only two years later, giving companies enough time to inculcate data protection policies – India can consider providing similar leeway.

Limits of Consent

Banks seeking out and processing financial information is an example of “legitimate interest” in personal data – one of the bases under which the GDPR allows accessing it. Another basis is consent – by and large, agencies should be able to access personal data if the individual concerned consents to it. However, keeping in mind the huge digital divide that exists in India, the consent framework should focus on enabling informed and meaningful consent for all, says Vedashree. Privacy regulations should mandate creation of clear and easy to understand privacy notices. How these notices manifest should be left to the organisations. This would encourage organisations to develop innovative ways to bridge language and digital literacy barriers. The authority in charge of regulation of data privacy should also play a major role in driving privacy awareness that reaches the grassroots level.

If reliance is to be placed on consent, it has to be informed and unambiguous. Currently, those downloading a new programme are usually asked to tick a box at the end of a consent form before they can use the programme. They have no option to modify the contents of the consent form, which in any case appears to most users as gobbledegook, and is rarely read through. Often users sign away rights to use their contacts and friends’ lists, and even videos and other files stored on their mobiles and laptops, to app development companies. Companies need to create different consent forms for different sets of users, as well as make them more comprehensible – having one comprehensive consent for allowing use of products may not always be fair.

Experts feel that, ultimately, even when consent has been obtained, responsibility for data use should be with the organisations and companies which have sought consent, not the individuals who gave it. It is the organisations which should be held accountable for privacy intrusions, if any. “Companies would do well to document the steps they are taking to safeguard privacy, as well as the impact of these actions,” says Shaundra Watson, Director, Policy, at the global trade group, BSA Software Alliance. “If ever there’s a problem, they can demonstrate to the regulator all they have done, to show they take accountability seriously.”

However, experts maintain that with “anonymised” data – data related to personal matters, but without the people accessed being identified – access rules should be much less stringent, if restrictions are to be placed at all. “The National Sample Survey Organisation (NSSO) has been collecting all kinds of personal data over the years, but without identifying the respondents,” says Jaspreet Singh, Partner, cybersecurity, at global professional services firm EY. “Companies should be allowed to process such information which does no harm to users, but will help companies understand consumer behaviour and improve their services. Countries like Japan and Singapore allow free use of data which has been ‘anonymised’.” “Access to anonymised data will not be hindered by the new regulations,” said a MeitY spokesperson.

Encryption and Storage

The first step to guarding access to data is to encrypt it – store it in code. While there are minimum encryption standards that some sectors such as finance and telecom have to meet for their transactions, India does not have any overarching encryption law as yet. “Encryption should be part of overall policy so that even if data is hacked, the hacker will not be able to make sense of it,” says Rana Gupta, Vice President, Identity and Data Protection, APAC Sales, at Gemalto. “A minimum level of encryption should be set for each industry, since some industries such as banking need higher encryption than, say, manufacturing or media companies. Unless encryption is made law, industries will avoid it, because it is an additional cost, just as auto companies do not lower their engines’ emission standards unless legislation forces them to.”

A related issue is the location of servers that store data of Indians. Should Indian data be stored only within Indian shores? Is it even feasible? Currently, most leading IT companies have their servers overseas. In April this year, the Reserve Bank of India (RBI) mandated that payments companies at least should localise all their data, but has not responded after industry groups raised various concerns about the order. Two arguments are usually advanced in favour of localisation – first, in any kind of investigation, getting access to data stored overseas is difficult, despite the mutual legal assistance treaty (MLAT) which India has signed, and second, that data constitutes an asset and Indian assets should be held in India, so that benefit from any kind of monetisation of the asset accrues to India. But the case against enforcing localisation is also strong. First, insisting on localisation will drive up costs of storing data, and may well lead to smaller players going out of business. Nor does localisation address the central issue of data misuse – it affords no additional protection.

“The important thing is to have a law in place soon,” says Singh of EY. “We should not waste time drafting a regimented law. We should start with a basic law and gradually expand it to cover Internet of Things (IoT) devices, sensors, wearables and more.” The EU, for instance, may have passed its GDPR in 2016 and implemented it this year, but its forerunner the Data Protection Directive dates back to 1995.

Implementing the Law

Regulations are meaningless unless they can be rigorously implemented. The “Do Not Disturb” regulations, for instance, passed years ago, are still merrily flouted by telemarketers. “India should first see what it can enforce and frame its law accordingly,” says Shahani of IBM. The MeitY official maintains successful enforcement would need the cooperation of those being regulated. “For any law to be successful, we need a culture in both companies and government of collecting and processing data responsibly,” he says. “That will require re-engineering both processes and mindsets, and may take years.”

All agreed that once the law was passed, it should be administered not by MeitY itself, but by an autonomous regulator, as several other sectors, from the stock markets to power to telecom, have done. “It is important to have a regulator with its powers drawn from the legislation, instead of MeitY doing double duty,” says Prasanth Sugathan, Technology Lawyer and Legal Director, Software Freedom and Law Centre (SFLC), India, which gives legal support to software companies. “The law should clearly define the regulator’s powers, the redress mechanism for those with grievances, as well as the penalty for those who breach its orders.” The MeitY official confirmed that the ministry was, in fact, looking at setting up an independent regulator for data privacy, as countries like Japan and Singapore have already done.

Finally, Indian users need to be educated on the importance of privacy. “For example, a person may share sensitive information with a stranger during a casual conversation,” says Singh of EY. “Or it could be something as basic as sharing contact numbers with a travel agency or printing one’s residential addresses on personal invitations, all of which can prove to be extremely risky. The Ministry of Consumer Affairs runs a consumer awareness campaign called Jago Grahak Jago and it would be a good idea for MeitY to run a similar one on the significance of privacy in today’s times.”
