Citibank, a consumer financial services provider, has submitted its responses to the Telecom Regulatory Authority of India (TRAI)'s open consultation on data protection. In its submission, Citibank states that the rights of the individual over his/her personal data are foremost and cannot be superseded by the data controller.

Some key remarks are as follows:

Definition of personal data

Citibank has sought an expansion of the categories of data classified as "personal" under the IT Act, 2000 and its Rules, 2011. The current definition covers passwords, financial information, health conditions, sexual orientation and biometric information that can be used to identify a natural person. Citibank suggests that call detail records, calling patterns, location data, data usage information, browsing details and app usage also be treated as personal information and brought under the Indian telecom regulatory framework.

Rights over data

The rights of a data controller cannot supersede the rights of an individual over his/her personal data, the bank said. For the regulation of data controllers, Citibank points to the implementation of the National Level Privacy Principles recommended in the October 2012 report of the Group of Experts headed by Justice A.P. Shah, under which data controllers would be subject to regulatory audits by regulators such as TRAI or a delegated authority.

User consent and control on data

Citibank states that users' consent is essential before their personal data is shared for commercial purposes, and that consent can empower users to take control of their personal data, in line with the Choice and Consent (opt-in/opt-out) principle of the National Level Privacy Principles recommended by the Justice Shah committee, and with the broadband privacy rules adopted by the US Federal Communications Commission in 2016.

It suggests that data controllers be required to give users a simple, easy-to-understand notice of their information practices across all their services, along with a grievance redressal mechanism for any claims users raise about those practices.

In addition, it says that consumers/users could be granted the right to obtain information about their data controllers/service providers from the records of regulators such as TRAI.

Collection and use of data by private stakeholders

Citibank points out that many private stakeholders are currently outside legal or regulatory control, and that a key challenge will be bringing them under a telecom regulatory regime and protecting the data they hold, especially given the questionable nature of the consent they obtain.

To address this, Citibank suggests the creation of a data sandbox "under the technology enabled architecture of personal data", coupled with punitive consequences for non-compliance. It says such a sandbox would hold "anonymized data sets of regulated companies under the purview of the government or its authorized authority".

Cross border data flows

Citibank says that rules could be laid down governing the transfer of personal data to countries that do not ensure an adequate level of protection. This recommendation draws on the European Union (EU) Directive 95/46/EC read with the OECD privacy principles. "EU law also includes the right to data protection at the constitutional level (for example, in the EU Charter of Fundamental Rights), and the European Court of Human Rights has construed Article 8 of the European Convention on Human Rights to include data protection."