Personal Data Protection: A Wake-up Call



The challenge of computer and network security is not new. Individuals as well as companies have spent decades trying to prevent unauthorized access and avoid compromise or infection. Both the threat landscape and the tools and technologies designed to guard against it have evolved significantly over time, but even today it remains an elusive game of cat and mouse.

The idea of a network perimeter, where the devices and data on the inside are inherently trusted and protected against any access from the outside, is almost dead. Laptops and mobile devices have empowered people to connect to the Internet from virtually anywhere and at any time, which all but negates the concept of inside and outside the network, or “us vs. them.”

Against this background it has become very important to protect personal data. It would be ideal to prevent unauthorized access to a network or device entirely, but, assuming attackers do infiltrate, how much damage can they actually do if they are unable to access or extract any of the data?


What Precisely Is Personal Data

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
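To make the pseudonymised/anonymised distinction concrete, here is an added Python example (not from the original post) that contrasts keyed pseudonymisation, which the data controller can reverse because it holds the key, with aggregation into generalised groups, which carries no row-level record to reverse. The records and the key are constructed for the illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records for the illustration (hypothetical people).
RECORDS = [
    {"email": "a.kumar@example.com", "city": "Pune", "age": 34, "diagnosis": "asthma"},
    {"email": "b.rao@example.com", "city": "Pune", "age": 38, "diagnosis": "asthma"},
    {"email": "c.mehta@example.com", "city": "Mumbai", "age": 52, "diagnosis": "diabetes"},
    {"email": "d.singh@example.com", "city": "Mumbai", "age": 57, "diagnosis": "diabetes"},
    {"email": "e.das@example.com", "city": "Pune", "age": 29, "diagnosis": "asthma"},
]
# Constructed demo key; a real controller would keep this in a key store.
KEY = b"constructed-demo-key-not-for-production"


def _token(email, key):
    """Keyed HMAC of the identifier; the same key always yields the same token."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Swap the direct identifier for a keyed token. The controller still holds
    the key, so every row can be linked back to a person: still personal data."""
    return [{"pid": _token(r["email"], key), "city": r["city"],
             "age": r["age"], "diagnosis": r["diagnosis"]} for r in records]


def reidentify(pseudo_records, key, known_emails):
    """Whoever holds the key and a list of identities recomputes the tokens
    and maps each row back; rows whose token is not recognised map to None."""
    lookup = {_token(e, key): e for e in known_emails}
    return {r["pid"]: lookup.get(r["pid"]) for r in pseudo_records}


def anonymise(records, k=2):
    """Drop identifiers, generalise age to a 10-year band, and release only
    group counts of at least k people. Groups smaller than k are suppressed,
    and no key exists that turns a count back into an individual row."""
    groups = Counter((r["city"], (r["age"] // 10) * 10, r["diagnosis"]) for r in records)
    return {g: n for g, n in groups.items() if n >= k}


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS, KEY)
    print("re-linked with the key:", reidentify(pseudo, KEY, [r["email"] for r in RECORDS]))
    print("anonymised (k=2):", anonymise(RECORDS))
```

Run as a script it prints the pseudonymised rows linked back to their e-mail addresses and the anonymised group counts; the lone 20-29 Pune record is suppressed because its group is below k.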

The law protects personal data regardless of the technology used for processing that data – it is technology-neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

Examples of personal data
  • a name and surname;
  • a home address;
  • an email address such as name.surname@company.com;
  • an identification card number;
  • location data (for example the location data function on a mobile phone);
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • the advertising identifier of your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Examples of data not considered personal data
  • a company registration number;
  • an email address such as info@company.com;
  • anonymised data.

How countries are safeguarding Personal Data
Gradually, governments all over the world are waking up to the right of individuals to have their personal data protected. For example, the EU has recently moved to impose ever tougher privacy rules on governments and companies from San Francisco to Seoul.

When the region’s regulators roll out the changes — known as the General Data Protection Regulation, or GDPR — on May 25, it will represent the biggest overhaul of the world’s privacy rules in more than 20 years.

The new regulations offer EU citizens sweeping new powers over how their data can be collected, used and stored, presenting global leaders outside the 28-country bloc with a stark choice: bring their domestic laws in line with the EU’s new rules, or risk being shut out of a market of 500 million well-heeled consumers.

Data protection is a good example of Europe trying to extend its influence over other countries.

Indian Government's Initiative

In August 2017, the Supreme Court of India passed a judgment in the case of Justice K S Puttaswamy vs Union of India (Supreme Court of India, WRIT PETITION (CIVIL) NO 494 OF 2012), in which the fundamental rights provided in the Constitution of India were interpreted to include the right to privacy. As a consequence of this judgment, the Government of India has an obligation both to ensure that its actions do not violate a citizen’s privacy and to ensure that such rights are not violated as a result of its inaction, including its failure to enact suitable legislation.

The case had its inception in 2012, when Justice K S Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court questioning the validity of the “Aadhaar” project on grounds of, among other things, its transgression on the Indian citizen’s fundamental rights. The “Aadhaar” project is a 12-digit unique identification number that is issued to Indian citizens based on their biometric and demographic data. It is the largest biometric database in the world, with over 1.25 billion Indian citizens registered. The project raised several privacy concerns due to the almost mandatory requirement of enrolment and the lack of safeguards provided by the Government to protect the data collected.

The argument made by the Government was that there was no constitutionally guaranteed right to privacy in India. Reliance was placed on two earlier Supreme Court judgments, M P Sharma v. Satish Chandra (AIR 1954 SC 30) and Kharak Singh v. State of Uttar Pradesh (AIR 1963 SC 1295), which denied the existence of a constitutional right to privacy. Since these cases were decided by six- and eight-judge benches, respectively, the Supreme Court referred the matter to a constitutional bench of nine judges in 2015. Two years later, this bench overruled the two cases to the extent that they decided that privacy is not a constitutionally guaranteed right.

The Decision and Data Protection
The Court decided that the protection of individual autonomy was a valid justification for the right to privacy, especially in the context of a global, information based society. The judgment recognised the right of an individual to exercise control over his/her personal data. The Court opined that the ability of a person to control his/her own life would also encompass his/her right to control his/her existence on the internet. The Court further recognised the complexity involved in data protection and directed the Government to enact a comprehensive data protection law.
Another important aspect of the Court’s ruling was the implicit recognition of a “right to be forgotten.” The Court stated as follows:
“People change and an individual should be able to determine the path of his life and not be stuck only on a path of which he/she treaded initially. An individual should have the capacity to change his/her beliefs and evolve as a person. Individuals should not live in fear that the views they expressed will forever be associated with them and thus refrain from expressing themselves….
Thus, the European Union Regulation of 2016 has recognized what has been termed as ‘the right to be forgotten.’ This does not mean that all aspects of earlier existence are to be obliterated, as some may have a social ramification. If we were to recognize a similar right, it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest. Such a right cannot be exercised where the information/data is necessary, for exercising the right of freedom of expression and information, for compliance with legal obligations, for the performance of a task carried out in public interest, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy.”
These observations may increase the likelihood of the right to be forgotten or a similar right being incorporated into the forthcoming law. This right is distinct from the right to privacy which involves information that is not publicly known. It involves the removal of information that was publicly known at a certain time so that third parties cannot access it. Opinions about the right to be forgotten, which is a relatively new concept, differ significantly between the European Union, where it has more historical support, and the United States, where the right of free speech and the right to know have typically been favoured over the deletion of truthfully published information.
If the right to be forgotten is codified into Indian law, search engines, social media platforms and media companies operating in India will be most affected. These entities may need to reconsider their internal processes and procedures for receiving and processing requests from members of the general public for the deletion of data. Google’s ongoing dispute with the French data protection agency, CNIL, illustrates how complex matters can become. Now that the phrase “fake news” has become so common, the debate will become more urgent globally.
Current Data Protection Laws
India’s existing laws on data privacy are much narrower in scope. The primary statutes governing data privacy are the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules).
First, Indian laws primarily regulate the processing of “sensitive personal data or information” (SPDI) which is a subset of personal information. SPDI includes, among other things, information relating to passwords, financial information, medical records, sexual orientation, and biometric information. Non-sensitive personal information is still subject to little regulation in India. Second, under the Indian legal framework, the requirement for consent from the individual citizen is vague enough to allow for implied consent. Further, while Indian laws do confer limited extra-territorial jurisdiction, the applicability of these laws in certain scenarios remains unclear. For instance, it is questionable whether the IT Act or the Privacy Rules would apply to a United States company that collects an Indian citizen’s/resident’s SPDI while the latter is travelling in the United States.
White Paper By Government of India
The Government appointed a committee in August 2017, headed by a former Supreme Court judge, Justice B N Srikrishna, to examine issues related to data protection, to recommend methods to address them, and to draft a new data protection law. The committee released a white paper on November 27, 2017 and requested comments from the public by January 31, 2018. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” The committee suggested seven principles on which the proposed data protection law should be framed:
  (i) the law must be technology-agnostic, i.e., it should be flexible enough to take into account evolving technologies;
  (ii) the law must apply to both private sector entities and governments;
  (iii) any consent should be genuine, informed, and meaningful;
  (iv) the processing of data should be minimal and only for the purpose for which it is sought;
  (v) any entity controlling data should be accountable for any data processing;
  (vi) the enforcement of the data protection framework should be by a high-powered statutory authority; and
  (vii) the penalties should be adequate to discourage any wrongful acts.
Addressing the issues of the current data protection regime, the white paper has raised questions in relation to the territorial scope of the proposed data protection law and measures that should be included in the law to ensure compliance by foreign entities. Among other things, the white paper noted that it may be “worthwhile considering making the law applicable to any entity, no matter where they may be located that process personal data of Indian citizens or residents.” (White Paper, Chapter 1: Territorial and Personal Scope, Section 1.5(4) (Provisional Views)) Further, it has raised questions in relation to the definition of personal data and sensitive personal data. The white paper also addresses the concern of determining valid consent for processing of personal data and of enforcement models.

Your Role as an Individual

Users have a big role to play, as data protection begins with them. They should clearly understand that there is no such thing as a freebie. When we use a free app, we are actually paying for it with our data. So if we hesitate to pay for services, we should be mindful of our privacy needs.

While a regulatory framework is the need of the hour, the Government alone cannot solve the problem. Industry also has a big role to play and needs to step up, as much of the technology development comes from it. The data lifecycle is fairly complex, with various stakeholders at numerous touch points.

A comprehensive regulatory framework that defines the safeguards needed to prevent misuse across the value chain, including the intermediary touch points, is needed. But we also need a framework that leaves space for innovation, because stringent regulations can also prove to be punitive and may constrict innovation and development.

There is no escaping the new reality. It is not merely about deleting an app but about a fundamental change in behavior. Protecting your data matters because your data is valuable.
Significantly, India appears to be moving towards a position similar to the European Union rather than the United States so that privacy will be seen as a fundamental right where the ability of the government to derogate from it will require substantial justification. Companies that collect, process or store data of Indian residents—whether or not these activities take place within or outside India—would be well advised to keep abreast of legislative developments in this area.
