Citizens are unaware of how their personally identifiable information is collected, stored, used and shared
On 28 January 1981, the European Council signed the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, popularly known as Convention 108. It is the first legally binding international treaty dealing with privacy and data protection. The day has since been celebrated as Data Protection Day in Europe and as International Data Privacy Day around the world. In today’s era of digitization, it is imperative that we understand the concept—and importance—of data privacy.
According to an Internet and Mobile Association of India report, India has around 400 million Internet users. This number took a decade to reach 100 million from 10 million, three years to reach 200 million and just another year to reach 300 million. The Internet is essentially a data ecosystem where every node is engaged in generation, transmission, consumption and storage of data. The scale of this data ecosystem can be gauged from the fact that by 2019, the gigabyte equivalent of all movies ever made will cross India’s Internet protocol networks every hour.
But the situation is such that while we are generating such high volumes of data—most of which is of the “identifier" type that is used to identify a person, a thing or an entity in the ecosystem—we do not have in place measures that safeguard the privacy of this data, nor regulate data retention by platforms collecting it. As a result, ordinary citizens are unaware of how their personally identifiable information is collected, stored, used and shared. Further, as governance-driven digitization (Aadhaar, digital lockers, direct account transfers) fuels large-scale sensitive data collection and storage, the Information Technology Act, with its limited scope to penalize government agencies for breach of data privacy, is the only legal instrument available to citizens against contravention of their privacy in the data ecosystem. This leaves citizens exposed—as in 2013, when the Maharashtra government simply lost the personal data of 300,000 Aadhaar card applicants.
The need of the hour is a comprehensive legislation that provides for a right to privacy as a fundamental entitlement to citizens. The groundwork for such legislation has already been laid in 2012 by a Justice A.P. Shah-headed group of experts constituted by the Planning Commission. The commission had proposed a set of national privacy principles that would place an obligation on data controllers to put in place safeguards and procedures that would enable and ensure protection of privacy rights. These include: notice (to be given to users while collecting data); choice and consent (of users while collecting data from them); collection limitation (to keep user data collected at the minimum necessary); purpose limitation (to keep the purpose as adequately defined and narrow as possible); access and correction (for end users to correct or delete their personal data as may be necessary); disclosure of information (private data should not be disclosed without explicit consent of end user); security (defining responsibility to ensure technical, administrative and physical safeguards for data collected); openness (informing end users of possible collection and utilization of personal data); accountability (institutionalize accountability for adherence to these principles).
The proposed framework aims at being technology neutral and compliant with international standards already in place to protect user privacy. It also recognizes the multiple dimensions of privacy and aims at establishing a national ethos for privacy protection, while remaining flexible to address emerging concerns. It seeks horizontal applicability with both the public and private sectors bought under the purview of privacy legislation. An attempt to introduce such legislation in Parliament failed in 2011 as there could not be a consensus on which government agencies could seek exclusion from such provisions and collect citizen data without any oversight.
Until such provisions are established by law, it will be necessary to adopt mechanisms that ensure compliance towards use of privacy enhancing technologies (PET). PETs are essentially processes and tools that allow end users to safeguard the privacy of their personally identifiable information that they willingly provide to government agencies and other service providers. PETs put the end user in control over what information to share, with whom to share and a clear knowledge of the recipients of this information. The use of data encryption and mandating multi-factor authentication for access to end user data can be examples of other PETs that can be implemented by service providers and government agencies alike.
Our government needs to start with aligning our technology laws with the evolving Internet landscape. User privacy concerns and secure designing should be integrated in the charters of respective standard-setting organizations. There needs to be active user education that makes them aware of their choices. Lengthy and complex privacy policies that practically hand over control of user data to the platforms collecting it need to be replaced with ones that are user friendly in draft and execution. Policy documents that address these concerns need to be widely discussed and debated in the public domain. Recently, the Indian government released its draft Internet of Things Policy and it devotes only one line to the need to have security and privacy standards. The policy document on Smart Cities is indifferent to these concerns as well.
Last year, the Supreme Court referred to a constitutional bench the petition seeking inclusion of the Right to Privacy under Article 21 (Right to Life). While the verdict of the honourable court is still awaited, we can take the first steps towards safeguarding ourselves by voluntarily inculcating digital privacy principles.
Ranjeet Rane works with the information protection team at Symantec India. These are his personal views. Comments are welcome at email@example.com.