While the increase in Internet usage has several positive benefits, including speed of transaction and reduction in costs, there is a price to be paid in terms of increased security threat. The underworld of Net-savvy criminals love to target financial institutions that have a large customer base in order to maximise the chance of a successful hit. So ICICI Bank, like all large financial organisations, has an entire team working round the clock on Internet security and to catch e-crime early enough to avoid serious damage. From hacking to phishing to cloning ICICIs website, it has faced it all. Today, its call centre executives are trained to sound an alert as soon as they get three calls with an unusual complaint or query. A corollary to such high Internet usage is growing concern about privacy issues and protection from identity theft.
Financial institutions, including banks, credit card companies and insurers, as well as government agencies such as depositories, tax authorities, hospitals, telephone companies and employers now sit on a vast amount of personal identifiable information (PII) in digitised form. This information can be easily stolen by hackers, sold and forwarded by delinquent employees or misused by companies as part of their sales strategy. Similarly, databases such as the Credit Information Bureau of India Ltd (Cibil) store credit histories of individuals, which are freely shared among their institutional subscribers. But the individual cannot access, challenge or update the contents. With biometric information beginning to be stored digitally for PAN cards, voter identity cards or for trading on stock exchanges, the danger of identity theft becomes chillingly real and has nightmarish consequences.
The fact that technology makes it so easy to misuse personal information and encroach on a persons privacy has triggered a debate over whether Indias privacy laws are adequate to protect people. One view is that there are provisions under different statutes, such as the Indian Contract Act, the Indian Penal Code, the IT Act, Consumer Protection Act and Special Relief Act, that deal with protection of the privacy guaranteed under Article 21 of our Constitution. The corporate strategy of articulating and publishing privacy policies or seeking customer approval (usually through a general check-box provision) for any future use of personal information is also considered adequate.
Others, including this writer, believe the right to privacy has to be clearly defined, delineated, protected and codified through statute so that affected individuals are not forced to clutch at inadequate provisions under different laws to prove their privacy has been violated and then hope that a judge or consumer court will concur with their claim. This is especially important with respect to government investigation and en-forcement ag- encies, that already tap telephones with impunity and even intercept personal e-mail communication on the slightest suspicion. While on the one hand it is important that these agencies have qu-ick access to information in times of increased terrorist threats, we need legislation to ensure officials are strictly liable if the information is misused or tampered with for harassment or extortion. We also need protection and proper recourse for victims of identity theft to be able to prove their innocence.
Digital privacy has to be clearly defined and codified so that affected individuals can readily find protection and redress
At the end of the animated discussion, it seemed clear that a well-defined privacy law was imperative and overdue. More important, Nasscom is best placed to take the discussion forward because the composition of its membership ensures they are most acutely aware of the dangers and consequences of not having privacy protection. Nasscom will also be able to bring on board the experiences of its members in dealing with privacy legislation in other countries and to point out the lacunaa or loopholes that may exist elsewhere.