Drawing The Digital Curtains
Sonal Khetarpal June 25, 2018
The purported leak of personal details of 27 million members of the Employees' Provident Fund Organisation (EPFO) earlier this year - confirmed by some stakeholders but denied by others - has sharpened concerns around digital privacy all over again. At the start of the year, the revelation that all the information provided by individuals to get their biometric Aadhaar identification numbers was being accessed by unauthorised agents, had caused a furore. These are only the most visible examples of the vulnerability of personal data that accumulate online - IT industry insiders are convinced that many more leaks take place, but to save face, organisations do not report them. Global digital security firm Gemalto has estimated that 3.24 million records were stolen, exposed or lost in India in 2017, a 783 per cent increase over the previous year.
The European Union has implemented its General Data Protection Regulations (GDPR) from May this year, but in India similar safeguards are still at the "white paper" stage - the paper formulated by a committee of experts led by Justice B.N. Srikrishna and released by the Ministry of Electronics and Information Technology (MeitY) a few months ago. However, the committee's draft of the Data Protection Bill is expected anytime now.
Sections 43 and 43A of the IT Act 2000, as well as the IT Rules 2011 relating to Reasonable Security Practices and Procedures (RSPPs) to protect Sensitive Personal Data or Information (SPDI) do make negligent parties liable to pay compensation to victims of data leaks, but they are clearly inadequate to counter the tsunami of illegal data grabbing that has since begun. Similarly, though the Supreme Court judgement in August last year affirming the fundamental right to privacy - including online privacy - is an important shield against data misuse, some crucial definitions and regulations still need to be spelt out. Even the Supreme Court judgement recognised that personal information may sometimes have to be divulged to the state in the interests of national security.
Contours of Personal Data
The IT Act has spelt out the contours of SPDI: "passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information". Does the definition need to be expanded? The EU's GDPR, for instance, also includes "online identifiers, location data and genetic information". It is a tightrope walk because too broad a definition will impede legitimate commercial activity, but one too narrow would leave scope for personal data misuse. The right to privacy has to be balanced against competing rights, such as the right to do business or even a "right to innovate".
Again, India has some unique features, which need to be factored in while defining what personal or sensitive data is. "Sensitive information is different in India because of the importance people here attach to caste and religion, and this should be taken into account," says Kartik Shahani, Integrated Security Leader, IBM. Many felt, for instance, that the recent declaration of Class X and XII results by the Madhya Pradesh Board of Secondary Education, which also revealed which of the four categories - General, Other Backward Classes, Scheduled Caste and Scheduled Tribe - the successful students fell in, amounted to violating their privacy, and though technically not a leak, should never have been made public. (There is no reservation at the school level, unlike later - hence such categories should not matter.)
Further, a data privacy law needs to take cognisance of various nuances of personal data and its privacy protection. "Privacy protection mandates for Personal and Sensitive Personal data need to differentiated to minimise harm to the individual," says Rama Vedashree, CEO, Data Security Council of India, a NASSCOM initiative. But this should not translate into inhibitors for cross-border flow of data. "Banks, for instance, need to process and share information for credit rating, fraud detection, anti-money laundering, among others, warranting sharing of data that requires cross-border data flows."
India will also have to decide whether to take a "rights-based" approach as the EU has done - recognising privacy as a fundamental right - or a "protection-based" one like the US, which classifies some categories of information as private to protect the individual from excessive monitoring by the state, but allows collecting even this kind of information if the individual does not mind. There is also the question of deciding between a "principle-based" approach to data privacy and a "rule-based" one - the white paper is not clear about which it prefers. (The Indian Penal Code and Criminal Procedure Code, for instance, are both principle-based; the Companies Act is rule-based.)
While a few experts believe that a list of straightforward rules would be easier to implement, most plump for the principle-based formulation. "The data privacy law should espouse principles by which privacy is protected and not get into rules because the implications and usage of the law will be wide," says Pratibha Jain, Partner, Nishith Desai Associates. "Digital privacy cuts across industries, sectors, users, business to business (B2B) and business to customer (B2C). The rules would just be too many for a single law."
Besides, the rapid changes in technology of the last quarter century suggest it is impossible to predict the technology of the future. "How can we frame privacy rules for what we don't know?" says Jain. "But if there are broad principles, jurisprudence can develop around them. A rule-based law would only have to keep catching up with new technology." India can be influenced by the multilateral data privacy agreement Asia-Pacific Economic Community's (APEC) Cross-border Privacy Rules (CBPR) system that facilitates privacy respecting data flows among APEC economies.
Underlying the CBPR, for instance, are principles such as "cause no harm", "balanced approach", "reasonableness", "appropriateness of usage", accountability, and more, which India too could adopt. If a complaint of data misuse is made against a company, the APEC law considers the harm done to the complainant rather than the nature of the data referred to, and whether its collection should be constrained in future.
There is much to learn from the GDPR as well, which prescribes, for example, the appointment of a digital privacy officer for all companies beyond a certain size, but at the same time eschews any restrictions on the flow of data between countries so long as GDPR norms are observed. It is also worth noting that the GDPR, though finalised in mid-2016, was implemented only two years later, giving companies enough time to inculcate data protection policies - India can consider providing similar leeway.
Limits of Consent
Banks seeking out and processing financial information is an example of "legitimate interest" in personal data - one of the bases under which the GDPR allows accessing it. Another basis is consent - by and large, agencies should be able to access personal data if the individual concerned consents to it. However, keeping in mind the huge digital divide that exists in India, consent framework should focus on enabling informed and meaningful consent for all, says Vedashree. Privacy regulations should mandate creation of clear and easy to understand privacy notices. How these notices manifest should be left to the organisations. This would encourage organisations to develop innovative ways to bridge language and digital literacy barriers. The authority in charge of regulation of data privacy should also play a major role in driving privacy awareness that reaches the grassroot level.
If reliance is to be placed on consent, it has to be informed and unambiguous. Currently, those downloading a new programme are usually asked to tick a box at the end of a consent form before they can use the programme. They have no option to modify the contents of the consent form, which in any case appears to most users as gobbledegook, and are rarely read through. Often users sign away rights to use their contacts and friends' lists, and even videos and other files stored on their mobiles and laptops, to app development companies. Companies need to create different consent forms for different sets of users, as well as make them more comprehensible - having one comprehensive consent for allowing use of products may not always be fair.
Experts feel that, ultimately, even when consent has been obtained, responsibility for data use should be with the organisations and companies which have sought consent, not the individuals who gave it. It is the organisations which should be held accountable for privacy intrusions, if any. "Companies would do well to document the steps they are taking to safeguard privacy, as well as the impact of these actions," says Shaundra Watson, Director, Policy, at the global trade group, BSA Software Alliance. "If ever there's a problem, they can demonstrate to the regulator all they have done, to show they take accountability seriously."
However, experts maintain that with "anonymised" data - data related to personal matters, but without the people accessed being identified - access rules should be much less stringent, if restrictions are to be placed at all. "The National Sample Survey Organisation (NSSO) has been collecting all kinds of personal data over the years, but without identifying the respondents," says Jaspreet Singh, Partner, cybersecurity, at global professional services firm EY. "Companies should be allowed to process such information which does no harm to users, but will help companies understand consumer behaviour and improve their services. Countries like Japan and Singapore allow free use of data which has been 'anonymised'. "Access to anonymised data will not be hindered by the new regulations," said a MeitY spokesperson.
Encryption and Storage
The first step to guarding access to data is to encrypt it - store it in code. While there are minimum encryption standards, some sectors such as finance and telecom have to meet for their transactions. India does not have any overarching encryption law as yet. "Encryption should be part of overall policy so that even if data is hacked, the hacker will not be able to make sense of it," says Rana Gupta, Vice President, Identity and Data Protection, APAC Sales, at Gemalto. "A minimum level of encryption should be set for each industry, since some industries such as banking need higher encryption than, say, manufacturing or media companies. Unless encryption is made law, industries will avoid it, because it is an additional cost, just as auto companies do not lower their engines' emission standards unless legislation forces them to."
A related issue is the location of servers that store data of Indians. Should Indian data be stored only within Indian shores? Is it even feasible? Currently, most leading IT companies have their servers overseas. In April this year, Reserve Bank of India (RBI) mandated that payments companies at least should localise all their data, but has not responded after industry groups raised various concerns about the order. Two arguments are usually advanced in favour of localisation - first, in any kind of investigation, getting access to data stored overseas is difficult, despite the mutual legal assistance treaty (MLAT) which India has signed, and second, that data constitutes an asset and Indian assets should be held in India, so that benefit from any kind of monetisation of the asset accrues to India. But the case against enforcing localisation is also strong. First, insisting on localisation will drive up costs of storing data, and may well lead to smaller players going out of business. Nor does localisation address the central issue of data misuse - if affords no additional protection.
"The important thing is to have a law in place soon," says Singh of EY. "We should not waste time drafting a regimented law. We should start with a basic law and gradually expand it to cover Internet of Things (IoT) devices, sensors, wearables and more." The EU, for instance, may have passed its GDPR in 2016 and implemented it this year, but its forerunner the Data Protection Directive dates back to 1995.
Implementing the Law
Regulations are meaningless unless they can be rigorously implemented. The "Do Not Disturb" regulations, for instance, passed years ago, are still merrily flouted by telemarketers. "India should first see what it can enforce and frame its law accordingly," says Shahani of IBM. The MeitY official maintains successful enforcement would need the cooperation of those being regulated. "For any law to be successful, we need a culture in both companies and government of collecting and processing data responsibly," he says. "That will require re-engineering both processes and mindsets, and may take years."
All agreed that once the law was passed, it should be administered not by MeitY itself, but by an autonomous regulator, as several other sectors from the stock markets to power to telecom, have done. "It is important to have a regulator with its powers drawn from the legislation, instead of MeitY doing double duty," says Prasanth Sugathan, Technology Lawyer and Legal Director, Software Freedom and Law Centre (SFLC), India, which gives legal support to software companies. "The law should clearly define the regulator's powers, the redress mechanism for those with grievances, as well as the penalty for those who breach its orders." The MeitY official confirmed that the ministry was, in fact, looking at setting up an independent regulator for data privacy, as countries like Japan and Singapore have already done.
Finally, Indian users need to be educated on the importance of privacy. "For example, a person may share sensitive information with a stranger during a casual conversation," says Singh of EY. "Or it could be something as basic as sharing contact numbers with a travel agency or printing one's residential addresses on personal invitations, all of which can prove to be extremely risky. The Ministry of Consumer Affairs runs a consumer awareness campaign called Jago Grahak Jago and it would be a good idea for MeitY to run a similar one on the significance of privacy in today's times."