The year 2016 saw one of the biggest ever breaches of financial data in India when 3.2 million debit cards of various leading banks were misused at a remote location in China. Closer home, in December 2016, the electronic medical records (EMR) of over 35,000 patients held by a Maharashtra-based pathology lab were leaked. Alarming, isn't it? In this highly connected world, the line between what is private and what is public is getting blurred.
Let's have a look at the numbers. India surpassed the US to become the No. 1 country in terms of Google Play downloads in 2016. There are over 300 million smartphone users using umpteen apps on their phones. On average, users have 15-20 apps on their phones. And while we click on the "I agree" option to terms and conditions in the blink of an eye, we may be sharing our personal data with them. For any type of service that we use these apps for—from booking a cab, chatting, to ordering food online—there is an immense amount of digital data that is being created using complex algorithms to know the patterns and preferences of users. While the data can be used by advertisers to target a particular set of consumers, it may also be sold to new app developers or even be shared with law enforcement agencies for threat-profiling. But what if this information leaks or is hacked and reaches the wrong hands?
With the government seeking to develop a digital economy, it is extremely crucial that there is a law in place that protects the personal information of an individual.
It's not just popular chat apps and social media pages that are vulnerable to breaches. People tend to save their bank account numbers, usernames and passwords as part of their contact list or just in the common notes area. Once they use third-party apps, all these details could potentially get uploaded onto the app's cloud. What if an app you download on your smartphone wants access to your contact list, notes or any other data and you unknowingly agree to allow it?
The core progressive vision of Digital India is central to ensuring that all citizens and users reap the benefits of technology and the Internet. It is a very bold step forward to connect the unconnected residing in the remotest parts of the country as well as to drive the agenda of financial inclusion via digital transactions. Data privacy will play a very crucial part in building trust amongst users, while ensuring a digitised economy.
Data Privacy, as it is today
While incidents of data hacking or leaks indicate the lack of adequate safeguards to protect sensitive information, a recent report by Vidhi Centre for Legal Policy analysed the current rules and norms in place for data protection. The report found that Indian data protection laws are inadequate and only address some of the security, privacy and other issues addressed by similar laws in other countries. From biometrics-based Aadhaar data to EMR (Electronic Medical Record)-based medical data, this includes sensitive information which can not only be sold to third-party vendors for advertising but can have disastrous consequences if someone breaches the data and invades the privacy of users. Privacy being fundamental to the core of a digitised society, we need to re-look at this aspect as a whole rather than in conjunction with other aspects of information technology.
The need for a separate data privacy legislation
Talking about the laws on privacy, the Supreme Court concluded in the year 1963 that Article 21 of the Constitution includes "right to privacy" as a part of the right to "protection of life and personal liberty". The context in the said judgment was more of physical privacy. Then, Section 72 of the IT Act deals with protection of data and thereby privacy of data. After an amendment in 2008, personal data was also brought under this section. The IT Act outlines sensitive personal data and transfer of such data under a contract with other entities and imposes due diligence on corporates to provide for data security. However, on the ground, the Act needs to be implemented and a practical approach to redressal of privacy concerns should be formulated.
With the rapid growth of digitisation, India needs to come out with laws and regulations to ensure every stakeholder—consumers, corporates, government—benefits from this shift towards a digital lifestyle without tripping on privacy issues. At this point in time, when the government is seeking to develop a digital economy, it is extremely crucial that there is a law in place that protects the personal information of an individual. The regulations need to define the privacy rights for citizens and security rights for governments. There should be flexibility around where network elements will be hosted to take advantage of scale and should give freedom to get consumer insights using data analytics.
The laws should be drafted to protect all forms of personal data, such as passwords, financial information, health conditions, medical history, biometric information along with a requirement to seek consent of individuals before collecting any personal information. If an app needs the personal information of the user, then that data needs to be destroyed soon after its use. This is the age of mobility and there is a substantial change in the way people access the internet. Hence, there is an intrinsic expectation that data be protected.
The most important thing is to educate the end user and simplify the language as much as possible. Legal jargon confuses users and they tend to ignore the fine text. End user agreements need to be simpler and specific. The exclusions should be highlighted to show which data will be shared and which will not be. The user needs to be specifically informed about where and how his or her data will be used (purpose) and that the data collected will be limited solely to the declared use.
It is also important for all users to be made aware of any data breach incidents, allowing them to change their usernames and passwords or take other measures to protect their digital assets. There is an increasing need to set up a nodal agency to which any privacy breach or misuse can be reported.
Protection of data privacy is important to strengthen the digital ecosystem and the mobile environment of India. It will form the foundation of realising the Digital India dream and protect users from any kind of cyber harm. It is crucial to have in place an effective regime for the protection of personal information—only then can we win the trust of the users in our country and can witness more people becoming a part of the digital journey.