The International Association of Privacy Professionals (IAPP) and the Indian Bar Association (IBA) organized a conference in Bangalore on 23rd September 2015 and discussed several aspects related to Privacy in the emerging Digital India. Eminent speakers from the industry participated and interesting and useful information was exchanged.
The undersigned was part of a panel which discussed the theme “Privacy in Doldrums-Adapting to the Information Age”. The panel was moderated by Mr V. Rajesh Kumar of Infosys and consisted of the following members apart from Naavi:
Indranil Choudhary, Founder & CEO, Lexplosion Solutions; N. S. Nappinai, Advocate & Founder, Technology Law Forum; Kavita Babu, Senior Attorney, Microsoft India; and Suchanto Chatterji, Advocate & Cross Border Transaction Advisory, 5E Legal.
The panel was presented with several issues and Naavi’s views on the same are presented here for general information and academic debate. Some of these views were expressed during the panel discussion while some were answered by other members on the panel.
The views expressed here are Naavi’s personal views and not of the panel as a whole.
1. Is Aadhaar a well-conceived initiative?
How can we bring more trust within its implementation?
How to bring accountability and transparency within its overall working?
Aadhaar was conceived as a National ID program where the data about an individual along with his biometrics would be stored on a database and users would be able to query on individual parameters based on a biometric input and get a “Yes” or “No” answer. The scheme envisaged collection of data by authorized agents in a controlled environment and did not envisage transmission of the Aadhaar-linked information across the network.
There have been many issues in the registration process where information was compromised, Aadhaar numbers were issued to fake persons etc. Apart from these, presently, Aadhaar is being used in a manner different from what it was conceived for. UIDAI is sending an Aadhaar letter with a perforation for cutting out a portion and making it into a “Card”. Also, e-Aadhaar is being issued online containing all the information except the biometric data. Many users are using Aadhaar for KYC purposes.
In view of the fact that e-Aadhaar information can be downloaded easily, we may consider that the Aadhaar information has already been compromised. We can do little about it. The problem therefore is not in how the scheme was conceived, but in how it is being used now.
We know that in India we do not have protection of Privacy as a concept that Human Right Activists believe is a need of a democratic society. We try to provide indirect support to the Privacy Right concept through “Data Protection or Data Privacy”.
We try to protect the privacy of an individual in physical space by controlling the data available in the cyber space. Hence the link between the data and the identity of the person becomes the key to “Privacy”.
Aadhaar being an identity instrument, it has an impact on Privacy since the Aadhaar data is identifiable to a living person in physical society. Hence protecting Aadhaar information from being accessed without appropriate control is necessary for Privacy protection. This however is not being done effectively at present.
What we can do however is that all intermediary users such as Banks should be mandated to use the biometric as the end point verification instead of the photograph. Also, downloading of the entire Aadhaar particulars should not be allowed except to the Aadhaar holder and with the biometric.
This may not protect the privacy of Personal Information but may prevent identity theft possibilities to some extent.
2. How can we balance freedom of expression (Section 66A) guaranteed under the Indian Constitution with the growing thrust from government to sneak into every dataset created, shared and deleted?
Section 66A in my opinion did not address “Freedom of Expression”. It only addressed one to one communication through SMS and e-mail and was wrongly applied to cases of Facebook and Twitter posting. It was unfortunate that the Supreme Court scrapped it since along with it offences such as phishing, spamming, Cyber Stalking, Cyber Bullying etc. were also dropped.
Freedom of Expression is related to Right to Privacy. As between Right to Privacy and Freedom of Expression, Freedom of Expression has a higher value as protector of Democracy. However the real conflict is between Right to Privacy and the Need for Security. We need to balance between these two.
3. What are the current gaps that exist in the IT Act and IT Rules?
The IT Act addresses protection of Personal data and Sensitive Personal data and treats the contract between the data supplier and the data processor as the basis of control. The IT rules generally follow the internationally accepted principles of Privacy protection though implementation is still at a low level. Companies tend to focus more on compliance with Best practices such as ISO standards rather than on liability-preventing ITA 2008 compliance.
4. Can privacy right become a means to achieve the balance between expression and encryption? What about anonymity?
It is not a question of “Can”. We should conceive the system in such a manner that Privacy and Security co-exist.
If we pitch Privacy Right directly against Need for National Security, Privacy will always lose out since individual right is always subordinate to community right. Hence if we want Privacy, we need to learn how we can build a system where the Privacy and Security coexist.
I have therefore been advocating the concept of “Regulated Anonymity” where “Anonymity” is provided to an individual as a protection to his privacy but will be regulated through a system which will ensure that national security will not be compromised.
This requires “Trusted Intermediaries” to hold the anonymizer data and a system to monitor the “Due Process” through which the identity may be revealed in times of necessity.
The system can ensure that the “Trusted Intermediaries” can be a combination of multiple entities so that no single person has access to the de-identification data.
The “Due Process Committee” needs to have public-private participation so that if this committee is convinced of national security needs then the identification of a person can be revealed.
What this system requires is therefore:
a) Licensed Anonymizers
b) A Due Process Committee with right constitution
c) Data Distribution system which spreads control across multiple countries.
Now a word about this “Encryption Policy” or a draft which was put up for public comments. It has been withdrawn and is therefore only an issue for academic debate.
What the published draft policy indicated was that the departmental officials did not understand Section 84A requirements. The section only wanted modes and methods of encryption to be indicated. CCA had already defined the modes and methods for asymmetric cryptosystem and if the “Notification” was at all necessary, it could have been confined to stating that the algorithms to be used in any symmetric systems shall not be weaker than …..
There was no need to state that it should not be stronger than ….. and people should preserve plain text copy etc….. ITA 2008 already provides powers under Sec 69 to demand decrypted copy and ensure compliance. It could have reiterated this aspect and left it to the market players to use their own means to archive data for compliance with Section 69.
What may be more relevant is to take a second look at the procedures prescribed under Section 69 and refine them.
The MCIT has forgotten that there is a Cyber Regulatory Advisory Committee which has to mandatorily pass such modifications to ITA 2008 and could have cushioned the PR impact of this bad decision.
Hope they learn their lessons now.
5. Every business wants to create personalized experiences for their customers by ‘targeting’ and stalking them throughout their browsing sessions. Maybe it’s an acceptable way of doing business in many countries. What about the profiling that results due to such invasive data collection? There are many identifiers collected when Internet sessions are stalked. What can be done to tame the overzealous ambitions of such data brokers? Can self-regulation within the Indian legal system be achieved?
The pull of business profit is too strong and policy cannot swim against this tide. The Big Data Industry is conceptualized on obtaining as much data as possible, whether identified or otherwise, then trying to identify it in the back end and converting it into value propositions.
Privacy is a lost cause in this business dominated world. More than for security reasons privacy gets compromised for such profit considerations.
The solution is to tighten the screws on data breach and also protect the Netizens from identity theft consequences through a mandatory Cyber Insurance scheme.
6. Right to Privacy may soon become a court pronounced fundamental right. Till then, and even after that, will there ever be a statutory Right to Privacy? Technology is taking giant leaps forward while laws are crawling behind. Doesn’t this impede our efforts towards preparedness against a foreseeable cyber warfare? What will Digital India stand upon?
As I already said, Privacy cannot win the fight against National Security because we exist as individuals in a democratic society only if the society is healthy. In this matter, Privacy Right is different from Freedom of Expression right. Freedom of Expression is required to protect democracy. Privacy right abrogation may also be required for preserving democracy.
7. Our efforts towards gaining ‘adequacy’ of data protection law under the EU standards have been minimal. While the world waits for and anticipates a tougher GDPR, is India ready to showcase itself as a ‘safe’ country? While other Asian countries have already taken positive steps in this direction, what would India need to gain acceptance globally?
India is a country where if personal information is not protected as agreed to under a contractual agreement, the CEO of the data recipient company may go to jail for 3 years under Section 72A of ITA 2008. If, out of the negligence of the recipient company, security of PI or SPI is breached, there is unlimited financial compensation and 3 years’ jail under Section 66.
Right to erasure is inbuilt in information security principles subject to the exception of law enforcement needs and data retention needs under Section 67C and 65 of ITA 2008.
We therefore have the necessary legal foundation to be a safe country.
What we lack is implementation and communication. If we all strive for ITA 2008 compliance more than what we do for ISO 27001 compliance, or PCI DSS Compliance, data in India would be safer.
8. Though the EU BCR and APEC CBPR have many things in common, will there be an even ‘better than good’ solution to the varying data protection rules and regulations? Can ‘Corporate Privacy Rules’ be standardized to make it easier for MNCs to apply a single set of policies across different jurisdictions? What are the challenges?
Probably industry bodies may work towards standards which work for their specific industry based on ITA 2008. If a company is exposed to data security compliance requirements from other countries, the standards already implemented under ITA 2008 can be mapped to the other specific requirements.