The recent hacking of the Indian Railways’ website exposes the real and present risk that arises when governments collect and hold citizens’ data. Separately, a robust debate on individual and digital privacy is under way, prompted by a series of events that have raised alarm.
Globally, the debate was triggered by the Snowden revelations. In India it is taking its first steps as people begin to grasp the threat that the absence of privacy protection represents, particularly after recent legislative and policy developments: the Aadhaar initiative, which holds sensitive biometric data of over 100 crore Indians, gained legislative backing, and the government-appointed Additional Solicitor General raised many eyebrows when he argued in the Supreme Court last year that privacy is not a fundamental right. These events ran parallel to the introduction of the Human DNA Profiling Bill, 2014, which seeks to create a DNA databank of Indian citizens.
As the government takes India closer to becoming a digitally empowered society and knowledge economy, the need for robust, comprehensive privacy legislation to protect the rights of citizens is pressing. The Indian Railways hacking incident spotlights the real risk of a government that collects data but is under no legal obligation to hold that data in a manner that respects the privacy of the people who supplied it.
Recently, in Parliament, I asked the communications and information technology minister whether the government recognised the need for privacy legislation in India, given the various official databases through which the government collects, holds and uses information about citizens.
The minister’s response in writing was that the licensing conditions of telecom service providers and certain sections of the IT Act already “adequately provide for the necessary safeguards to privacy.”
This response, made on the floor of Parliament, is worrying, because it is largely inaccurate. Several leading experts have contended that the IT Act, with its limited data protection and privacy-related provisions, does not provide an all-encompassing, comprehensive legal framework for privacy and data security.
There are some glaring gaps in the data privacy protection framework envisaged under the IT Act and the rules made under it.
1. Expand the definition of sensitive personal data under rule 3 of the Sensitive Personal Data Rules: The categories of sensitive personal information identified in rule 3 (passwords, financial information, sexual orientation, etc) are too narrow, restrictive and inadequate. Other categories of information, such as mobile big data, machine-to-machine (M2M) data and user behaviour data, should also fall within the ambit of ‘sensitive personal data’. Emails and chat logs, as well as records of internet activity including online search histories, are particularly vulnerable to abuse and misuse, and should be accorded privacy protection.
2. Extend data protection provisions to government agencies, not-for-profits and others: Section 43A of the IT Act, which the ministry quoted in its response to my question as a “protective provision”, covers only narrowly defined ‘body corporates’ engaged in ‘commercial or professional activities’. Government agencies and non-profit organisations are therefore entirely excluded from its ambit. This is a big hole, given that the government is a significant, if not the biggest, custodian of data relating to citizens.
3. Fix the flawed drafting of section 72A of the IT Act: Section 72A, another provision quoted in the ministry’s response, is problematically worded. A third party or intermediary can be held liable only if it is proven that it acted “with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract.”
This is a very flawed and overly permissive test for privacy, because it makes liability hinge on proof of intent rather than on the conduct itself. The test has to be much tighter: liability should attach when data is used for purposes other than those for which it was collected, or when data is collected without authorisation. In early 2015, Airtel was exposed as collecting user browsing information without authorisation, as was MTNL, and both cases showed that the intent requirement is exactly the defence errant parties invoke to escape being pinned down on privacy violations.
4. Reissue an affordable standard equivalent to ISO/IEC 27001: The standard currently prescribed by rule 8(2) of the rules is IS/ISO/IEC 27001 on “Information Technology-Security Techniques-Information Security Management System-Requirements”. To achieve ISO/IEC 27001 compliance and certification, the implementing body must first obtain a copy of the standard, which adds cost. The cost of implementing it is further inflated by literature and training, external assistance, technology, employees’ time and certification. This puts it beyond the reach of small and medium-sized Indian body corporates. To ensure adequate implementation, the ministry should, along with the Bureau of Indian Standards (BIS), reissue an affordable standard equivalent to ISO/IEC 27001.
It is clear that very little legal obligation is placed on those who collect and use data, whether they are authorised to or not. The Supreme Court has constituted a nine-member bench to examine whether the Right to Privacy is a constitutional right under Article 21. The introduction of the Human DNA Profiling Bill in Parliament, which seeks to create a databank of citizens’ DNA, is a further indication that the government needs to review, immediately and urgently, the need for legislation guaranteeing citizens the privacy of their data. Most significantly, the minister of state for personnel, public grievances and pensions has recently made a statement indicating that the government is drafting legislation that seeks to protect individuals against breach of privacy through unlawful means.
This is a good opportunity for the government to move beyond the foggy and ambiguous view of the telecom ministry to holistic, all-encompassing privacy legislation that covers all aspects of privacy: individual as well as data and digital privacy.
Recent press reports have indicated that 2014-15 saw the largest number of incursions and hacks into government websites. This lack of accountability for individuals’ data plainly poses a significant risk to the individuals concerned. Privacy is a critical issue. As India leaps towards a new digital era, ensuring that robust, overarching privacy legislation is passed is absolutely necessary and will fortify the Prime Minister’s vision for Digital India. Let’s get a multi-stakeholder consultation on the Right to Privacy started.
The author is a Member of Parliament and a tech entrepreneur