Citibank, consumer financial service provider, has sent its responses on data protection for an open consultation on the issue by the Telecom Regulatory Authority of India (TRAI). In its submission, Citibank has stated that the rights of the individual over his/her personal data foremost and cannot be superseded by the data controller. Some key remarks are as follows: Definition of personal data Citibank has sought an expansion categories of data that are classified as “personal” under the IT Act, 2000 & its Rules, 2011. The current definition includes passwords, financial information, health conditions, sexual orientation, biometric information that can be used to identify a natural person. Citibank’s suggestion asks for the inclusion of call details records, calling patterns, location data, data usage information, details relating to browsing, usage of Apps as personal information, and be brought under the Indian telecom regulatory framework. Rights over data The rights of a data controller cannot supersede the rights of an individual over his/her Personal Data, the bank said. For regulation of data controllers, Citibank mentions the implementation of National Level Privacy Principles as recommended by the report dated October 2012 of Group of Experts (headed by Justice A.P.Shah), under which data controllers are to be subjected to the regulatory audits through regulators like TRAI or any delegated authority. User consent and control on data Citibank has stated that user consent is essential before their personal data is shared for commercial purposes, and can empower users to take control of their personal data, as…
