Note: MediaNama is hosting a full day discussion on privacy, called The Future of User Data in India, on the 6th of September 2017. Apply to attend at http://www.bit.ly/namaprivacyapply. More details here.
The issue of privacy is currently being looked at from three different perspectives in India: privacy as a right, data protection and data security. All are issues contained in and related to the broader issue of privacy, but with multiple processes running in parallel, and with everything interlinked, we thought we would separate them out, for the sake of clarity, in the manner that we’ve understood things.
One of the reasons why we’re creating this delineation is that different branches of the government (and departments) are currently looking into different aspects: The judiciary (the Supreme Court) is looking at the right to privacy, while from a legislative perspective, there are two data protection bills in Parliament (from Jay Panda. Shashi Tharoor is apparently also working on a bill), MEITY has a committee, the TRAI has begun a consultation, and there’s a Parliamentary Standing Committee on data security.
Here’s the separation of issues:
1. Privacy as a right:
- Involves: your rights as a citizen, over your own data, which you generate.
- Process: a case in the Supreme Court, which looks at Privacy as a right.
- Why this matters: A distinction is being made between fundamental rights and legal rights here. Fundamental rights cannot be removed by enacting a law, and they empower citizens to challenge existing laws. Parliament cannot enact a law which violates a fundamental right. Your control over data access (data protection) and data security depends on whether you have a fundamental right to privacy; if the court decides that you don’t have a fundamental right to privacy, then your ability to control data access and security will depend on what the government allows you via a law. The law will never empower you as much as a fundamental right will, and it also won’t take into account future developments.
- Jurisdiction: Ministry of Law and MEITY
2. Data Protection:
- Involves: control over data, and who has how much control, what kind of control, under what circumstances it can be shared, with whom, and how. This essentially covers permissions, and enabling authorised access to data, its transfer and collection. It’s focused on data at rest, and should probably be called “Data Access” instead of Data Protection.
- Process: A regulatory consultation from the TRAI, and a committee set up by the Ministry of Electronics and Information Technology (MEITY)
- Why this matters: App stores are allowing apps to collect large amounts of data (examples: wallets, banks, UPI apps). Often we don’t even know how much data they’re collecting. Check Google’s My Activity Tracker for yours. In the works are a public credit registry and a health information network. A separate public registry for employment and education is not unimaginable. At the same time, what is being collected is highly personal and sensitive data, and so controls may be needed in terms of how much data is collected, what disclosures are given, what permissions are taken, how long that data is kept, and what purpose it may be used for. Mass collection of data also lends itself to mass surveillance. Another line of thinking is that data is a toxic asset, because what is being collected is highly personal and sensitive data, and the cost of losing that data is often higher than the benefits of retaining it. Thus there must be limits to data collection.
- Jurisdiction: MEITY. The TRAI is running a consultation sans jurisdiction, in my opinion.
3. Data Security:
- Involves: preventing unauthorised access to data, and preventing attacks that can impact authorised access to that data. This would cover issues like encryption of data, preventing and dealing with ransomware, addressing DDoS attacks, leaky APIs etc. Security of data has to be taken into account when it is being collected, when it is stored (at rest) and when it is transferred (in transit), because leaks could happen anywhere. There’s also the question of APIs that end up allowing unauthorised access.
- Process: Parliamentary Standing Committee on Home Affairs, which is only looking at data security related to Aadhaar.
- Why this matters: With sensitive data, securing it is always a tricky proposition, and a never-ending battle. However, the idea is to limit the damage, keep track of all access to identify potential unauthorised access, make sure access points aren’t open, and even then, make sure that gaining access to it without permission isn’t easy. Personal and sensitive data getting leaked can lead to fraud, abuse and impersonation.
- Jurisdiction: MEITY, Home Ministry and maybe Ministry of Communications (for security of data in transit).
This is a work in progress, open to correction and changes, so please feel free to leave a comment or email me at firstname.lastname@example.org, with suggested changes.