
MP Rajeev Chandrasekhar pushes for a Privacy Law, says IT Ministry’s response in Parliament was “misleading”



Rajya Sabha MP Rajeev Chandrasekhar (on Twitter), in a strongly worded letter to the Telecom Minister Ravi Shankar Prasad, has said that the Ministry of Communications and Information Technology doesn’t have adequate “technical understanding on the need, scope and application of a privacy legislation” in the country. He said the Ministry’s response to a question he had raised in Parliament was both inaccurate and misleading, and that the Ministry’s statement “circumvents the legitimate question regarding the need for a legislation to guarantee the privacy rights of Indian citizens.”

MediaNama readers might recall that Prasad had said, reading out the statement in Parliament, that Airtel had been injecting JavaScript into users’ browser sessions via Flash Networks “solely with the object of improving customer experience and empowering customers to manage their data usage through suitable timely prompts in terms of volume of data used.”

Chandrasekhar had asked about the enactment of a Privacy Legislation in Parliament, which the ministry had tried to evade by only saying that telecom operators are required to take steps to safeguard user privacy.

In his letter to the minister, Chandrasekhar lists the gaps in the current legal data privacy protection framework, especially given that personal data of citizens will be stored in government databases, or in private hands. Among them:

1. Expansion of the Definition of Sensitive Personal Data: Current rules identify “Sensitive Personal Data” as “passwords, financial information, sexual orientation etc.”, which is inadequate. According to Chandrasekhar, other categories of information like mobile big data, M2M data, user behavior, emails and chat logs, as well as records of internet activity including online search histories, should also be covered.

2. Data Protection provisions should be expanded to include Government Agencies, Not-for-Profits and others: Section 43A of the Act, which was quoted by the Ministry in its response, only covers the narrowly-defined ‘body corporates’ engaged in ‘commercial or professional activities’, thus excluding government agencies and non-profit organizations. Chandrasekhar says that given the Government’s attempts at “collating sensitive personal data of citizens through a variety of databases, including the Aadhaar, and the proposed DNA profiling Bill, the need for government agencies and others to guarantee data protection to individuals is of utmost importance.”

3. Intent shouldn’t matter: Chandrasekhar says that, as in the Airtel-FlashNetworks case and the MTNL case, intermediaries shall be held liable only if it is proven that they have violated user privacy “with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract.”

Chandrasekhar points towards some recent occurrences which highlight the need for a legislation “guaranteeing Privacy of data to citizens”:

– Supreme Court looking into the right to privacy: The Supreme Court has constituted a five-member bench to examine the validity of the assertion that the Right to Privacy is a Constitutional Right under Article 21. (Editor’s Note: the Government of India had said that there is no Fundamental Right to Privacy. Read: “Violation of privacy doesn’t mean anything because privacy is not a guaranteed right”)
– DNA Profiling Bill: The introduction of the Human DNA Profiling Bill in Parliament, which seeks to create a databank of DNA data of citizens.
– The Minister of State for Personnel, Public Grievances and Pensions made a statement last week, indicating that the Government is drafting a legislation that seeks to provide protection to individuals against breach of privacy through unlawful means.

Chandrasekhar has recommended that the ministry do a multi-stakeholder consultation on the subject, aiming to draft and enact a legislation that will result in a robust protective architecture that shall protect Indian citizens from incursions on their privacy, and look at both individual privacy and data protection. A copy of his letter is below:

Letter to the Telecom Minister

Dear Ravi Shankarji

I write to you with regard to a most important issue – the issue of Individual privacy and the need for the Government to enact a legislation to guarantee the Right to Privacy for all Indians.

This issue takes on added significance as the country moves towards Digital India – and Personal data and information of countless Indians will be available/stored in Databases and online, in Government or Private hands. As you will be aware, it is an issue I have pressed for before – as part of a necessary evolution of our Constitution’s commitment to Individual rights.

I would like to bring to your attention the response I received from your Ministry to un-starred Parliamentary Question no. 1347 answered on 31st July 2015 – on the “enactment of a Privacy Legislation”. I have enclosed a copy of the response with this letter for your perusal.

As you will see, section “c” of the question makes a pointed enquiry of your Ministry, on “Whether the Ministry believes that there is an urgent need to enact a privacy legislation to protect the rights of citizens vis-a-vis the various official databases of Government which collates information about citizens?”

The Ministry’s response states that “Department of Telecommunications has already mandated all the Telecom Service Providers as part of license conditions that licensee shall take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business to whom it provides the Service and from whom it has acquired such information by virtue of the Service provided and shall use its best endeavors to secure that.”
Further, the Ministry quotes sections 43, 43A and Section 72A of the Information Technology Act and asserts that these “provide (a) comprehensive legal framework for privacy and Security of data in digital form.”

I am concerned by this assertion made by your Ministry on the floor of Parliament, as it is both inaccurate and misleading. Several leading experts have contended that the IT Act, with its limited data protection and privacy related provisions, does not provide for an all-encompassing, comprehensive legal framework for privacy and data security. To this extent, this response of the Ministry, unfortunately, exposes its inadequate technical understanding on the need, scope and application of a privacy legislation.

For your benefit, I am listing the gaps in the current legal data privacy protection framework as envisaged under IT Act:
a) Expansion of the Definition of Sensitive Personal Data under Rule 3 of the Sensitive Personal Data Rules: The categories of sensitive personal information, as identified in Rule 3 Privacy Rules (passwords, financial information, sexual orientation etc.) are inadequate as we move towards convergence of communications. So other categories of information like mobile big data, M2M data, user behavior, etc. should also fall within the ambit of Sensitive Personal Data. Emails and chat logs as well as records of internet activity including online search histories are particularly vulnerable to abuse and misuse and should be accorded privileged protection. To this extent, the Ministry needs to hold a consultation on the subject with experts, and widen the ambit of the definition of Sensitive Personal Data.

b) Data Protection Provisions to extend to Government Agencies, Not-for-Profits and others: Section 43A of the Act, which was quoted by the Ministry as a “protective provision”, only covers the narrowly-defined ‘body corporates’ engaged in ‘commercial or professional activities’. Thus government agencies and non-profit organizations are entirely excluded from the ambit of this section. In the light of the Government’s attempts at collating sensitive personal data of citizens through a variety of databases, including the Aadhaar, and the proposed DNA profiling Bill, the need for government agencies and others to guarantee data protection to individuals is of utmost importance.

c) Flaws in the drafting of Section 72A: Section 72A, another provision quoted in the Ministry’s response is a problematically worded provision – it requires that third parties or intermediaries can only be held liable if it is proven that they have made a violation “with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract.”

As the Airtel-FlashNetworks case and the MTNL case have shown us, this is exactly the defence that most errant parties have invoked in order to escape punishment or any form of liability. As you are aware, I had made this very assertion to you in a letter dated June 16th 2015, which you are yet to acknowledge the receipt of.

d) Re-issue affordable standards that are equivalent to ISO/IEC 27001: The current standard prescribed by rule 8 (2) of the IT Rules is the IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.

To achieve ISO/IEC 27001 compliance and certification, the implementing body must have access to the copy of the standard, which accrues a cost. The cost of implementing this prescribed standard is further inflated by the involved costs of literature and training, external assistance, technology, employees’ time and certification. This makes it beyond the reach of small and medium-sized Indian bodies corporate. In order to ensure adequate implementation of this, the Ministry should, along with the BIS, re-issue affordable standards that are equivalent to ISO/IEC 27001.

Apart from these very specific concerns, there are several other issues that indicate that India is yet to place the necessary safeguards to protect the privacy rights of Indian citizens. In the light of these facts, you will agree that the Ministry’s statement on the floor of the House circumvents the legitimate question regarding the need for a legislation to guarantee the privacy rights of Indian citizens.

As you will be aware, the Supreme Court has constituted a five-member bench to examine the validity of the assertion that the Right to Privacy is a Constitutional Right under Article 21. The introduction of the Human DNA Profiling Bill in Parliament, which seeks to create a databank of DNA data of citizens, is also an indication that the MoCIT needs to immediately and urgently review the need for a legislation guaranteeing Privacy of data to citizens.

Significantly, the Minister of State for Personnel, Public Grievances and Pensions made a statement last week, indicating that the Government is drafting a legislation that seeks to provide protection to individuals against breach of privacy through unlawful means (copy enclosed). This, in my view, provides the MoCIT with the invaluable opportunity of collaborating with the Ministry of Personnel, Public Grievances and Pensions to draft a holistic, all-encompassing Privacy Legislation that covers all aspects of Privacy – individual privacy, as well as data/digital privacy.

Such a legislation shall only fortify the Government’s Digital India vision – which amongst other notable goals, seeks to create universal access to broadband for Indian citizens.

This letter contains only my preliminary views and there is much more to be understood about this important issue. I would recommend that the MoCIT take cognizance of this issue in a pro-active manner and begin a multi-stakeholder consultation on the subject, aiming to draft and enact a legislation that will effect in a robust protective architecture that shall protect Indian citizens from incursions on their privacy. Doing so pro-actively is important for the Government to demonstrate that it is ahead of the curve on understanding the issues that are critical to the people of this country.

Sincerely,
RAJEEV CHANDRASEKHAR
