Insights into Editorial: Ensuring Privacy in a Digital Age
28 January 2016
28th January, 2016 was celebrated as the International Data Privacy Day around the world. The idea behind Data Protection Day is to celebrate our right to data protection and raise awareness of the law in this area.
Why this day (28th Jan)?
It is because it was on this day (28th Jan), in 1981, that the European Council signed the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
About the convention:
Popularly known as Convention 108, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data is the first legally binding international treaty dealing with privacy and data protection.
- All members of the Council of Europe have ratified the treaty, except Turkey.
Significance of 28th Jan 2016:
2016 marks the 10th anniversary of Data Protection Day.
Significance of data protection:
Data protection is a big part of our lives, but we often ignore its importance. We come across data protection issues at work, when browsing the internet, when dealing with public authorities, when we shop, when we book tickets online and in many other circumstances.
- As digitalisation increases, more and more of our data is being captured. How this data is used and held is becoming increasingly important.
- However, it is well known that most citizens all over the world are unaware of their rights in relation to data protection. And some people are breaching data protection laws unknowingly on a daily basis.
According to an Internet and Mobile Association of India report, India has around 400 million Internet users. This number took a decade to reach 100 million from 10 million, three years to reach 200 million and just another year to reach 300 million.
The Internet is essentially a data ecosystem where every node is engaged in generation, transmission, consumption and storage of data. Massive amounts of information and data are being generated every day.
- Various government schemes like Aadhaar, DigiLocker and DBT are increasing the availability of large-scale sensitive data online.
- But the situation is such that while we are generating such high volumes of data, we do not have in place measures that safeguard the privacy of this data, nor regulate data retention by platforms collecting it.
- As a result, ordinary citizens are unaware of how their personally identifiable information is collected, stored, used and shared.
- The Information Technology Act, with its limited scope to penalize government agencies for breach of data privacy, is the only legal instrument available to citizens against contravention of their privacy in the data ecosystem.
- This leaves citizens exposed—as in 2013, when the Maharashtra government simply lost the personal data of 300,000 Aadhaar card applicants.
What should be done now?
The need of the hour is comprehensive legislation that provides for a right to privacy as a fundamental entitlement to citizens. The groundwork for such legislation was already laid in 2012 by a Justice A.P. Shah-headed group of experts constituted by the Planning Commission.
The commission had proposed a set of national privacy principles that would place an obligation on data controllers to put in place safeguards and procedures that would enable and ensure protection of privacy rights. These include:
- Notice to be given to users while collecting data.
- Choice and consent of users while collecting data from them.
- Collection limitation to keep user data collected at the minimum necessary.
- Purpose limitation to keep the purpose as adequately defined and narrow as possible.
- Access and correction for end users to correct or delete their personal data as may be necessary.
- Disclosure of information: private data should not be disclosed without explicit consent of end user.
- Security: defining responsibility to ensure technical, administrative and physical safeguards for data collected.
- Openness: informing end users of possible collection and utilization of personal data.
- Accountability: institutionalize accountability for adherence to these principles.
Significance of the proposed framework:
- The proposed framework aims at being technology neutral and compliant with international standards already in place to protect user privacy.
- It also recognizes the multiple dimensions of privacy and aims at establishing a national ethos for privacy protection, while remaining flexible to address emerging concerns.
- It seeks horizontal applicability, with both the public and private sectors brought under the purview of privacy legislation.
An attempt to introduce such legislation in Parliament failed in 2011 as there could not be a consensus on which government agencies could seek exclusion from such provisions and collect citizen data without any oversight.
Until such provisions are established by law, it will be necessary to adopt mechanisms that ensure compliance with the use of privacy enhancing technologies (PETs).
What are PETs?
PETs are essentially processes and tools that allow end users to safeguard the privacy of their personally identifiable information that they willingly provide to government agencies and other service providers.
- PETs put the end user in control of what information to share and with whom to share it, and give them a clear knowledge of the recipients of this information. For example, using PETs the end user can make use of data encryption and can mandate multi-factor authentication for access to data.
What else can the government do?
- The government needs to start with aligning its technology laws with the evolving Internet landscape.
- User privacy concerns and secure designing should be integrated in the charters of respective standard-setting organizations.
- There needs to be active user education that makes them aware of their choices.
- Lengthy and complex privacy policies that practically hand over control of user data to the platforms collecting it need to be replaced with ones that are user friendly in draft and execution.
- Policy documents that address these concerns need to be widely discussed and debated in the public domain.
There’s no doubt that this year’s Data Protection Day serves as a timely reminder for organisations about the importance of correctly handling and safeguarding individuals’ personal data. It also highlights the uncertainty around how these regulations may change and develop in the coming months, as decisions are reached to align future legislation with our modern data footprint. However, sensing the urgency, the Supreme Court in 2015 referred to a constitutional bench the petition seeking inclusion of the Right to Privacy under Article 21 (Right to Life). While the verdict of the honourable court is still awaited, we can take the first steps towards safeguarding ourselves by voluntarily inculcating digital privacy principles.