Personal Data And Data Theft

Over a single day, we visit multiple websites online. We are all familiar with the cookie/ privacy policy notification that pop-ups on our screen while we browse through a website that promises to enhance our browsing experience. Often, little thought is given to such notification and these tiny hindrances on the screen are bypassed by clicking the I agree option. However, did you know that you just left traces of your data behind? The next time we enter that website, it will remember details about us like our zip code, browsing history, email id, etc. we may also find similar products in our advertisement space.

Personal data is arguably the most important digital resource in modern times and hence called the 'oil of modern times'. Personal data can be categorized into sensitive data and more sensitive data. Sensitive data include details like name, phone number, email address, etc, while more sensitive data can include your passwords, sexual orientation, financial details, biometric detail, etc. When both these data are combined, it forms a clear picture of us. Our values, interests, and personal interests form our identity. Companies generally store our data in their system. This makes us vulnerable to targeted advertisements as our interests, choice, preferences are known to a third party.

Social media apps and search engines might not explicitly charge us anything for their services but oblige us to reciprocally share our data with them. With our preferences known, we are exposed to advertisements according to our interests. After all, advertisement is the primary source of revenue for these entities.

When we hand over our data to a third party, we expect them to protect our data and handle it responsibly. Unfortunately, there have been many instances of data theft that have surfaced on the news. Data theft is the act of stealing information stored in computers, mobile phones, or other electronic devices with the intent to obtain confidential information of the device operator and hence infringe upon that individual's privacy.

Infamous cases of data theft may include the Cambridge Analytica scandal by Facebook, MasterCard, Marriot, Air India, and the more recent, Pegasus spyware. Data theft is a sheer violation of our privacy and can also lead to identity theft. Hackers can use passwords, credit card details, and other credentials to cause huge financial losses. Extremely personal photos or conversations could also be leaked on the internet to cause social harassment. In addition to this, stalkers can track you down in real life after obtaining information about you!

Legislation regarding data protection is important because they provide guidance and best practice rules regarding the use of personal data for organizations and governments to follow. Firstly, the laws regulate the processing of personal data. Secondly, they protect the rights of the data subject. Thirdly, the laws establish authority to monitor any breach in the regulations, thus making the data fiduciary liable.

In India, Privacy has been recognized as a fundamental right under article 21 in K.S Puttaswamy vs Union of India. The Supreme Court has held that information of a person and the right to access the information of the person also falls under the ambit of the right to privacy. Until recently India did not have specific legislation enacted primarily for data protection. India's regulatory mechanism for data protection and privacy is the Information Technology Act,2000, and its corresponding Information Technology (Reasonable Security Practices and Procedure and Sensitive Personal Data or Information) Rule 2011.

However, the Personal Data Protection bill, 2019 is under the scrutiny of the Joint Committee of Parliament (JCP) and after receiving a nod for its fifth extension, the committee is scheduled to present its report before the parliament in the first week of the winter session. If enacted, this will be India's first law on data protection and will repeal 43A of the IT Act.

Personal Data Protection Bill, 2019

In 2017, a committee was set up by the Ministry of Electronics and Information Technology to study issues relating to data protection. The committee was headed by retired Supreme Court judge, Justice B.N Srikrishna. The committee submitted the draft Personal Data Protection Bill in 2018.

This bill was further deliberated on, and after receiving the nod of the cabinet ministry, it was tabled on the 11th of November 2019. The bill was passed by voice vote. Subsequently, a Joint Committee of Parliament, chaired by Meenakshi Lekhi was set up to scrutinize the bill.

The Personal Data Protection Bill is landmark legislation that regulates how companies and organizations use data in India. The bill proposes the formation of the Data Protection Authority (DPA), which will regulate how user's data is used by companies and social media organizations within India and outside the country.

The key feature of the bill is that it makes the prior consent of the individual a necessity. The bill also limits the purpose for which the data is collected and ensures that only necessary data for proving the said service is collected. In addition, the bill includes data localization requirements and makes the appointment of a data protection officer in the organization an obligation.

The bill has also proposed the concept of data fiduciary or data processor which is equivalent to a processor or controller in the European Union's General Data Protection Regulation. The Bill's application is not only limited to people in India but also applies to people outside India who provide goods and services within the Indian territory.

Under this Bill, companies in regulated sectors, such as financial sectors or telecom sectors are subjected to the obligation of confidentiality under sectoral laws which require them to use the data collected from clients only in the prescribed manner, or in the manner agreed upon upon upon with the client. The organization is required to have a robust data security system to safeguard the client's data so collected by preventing unauthorized access to sensitive and confidential data, malicious cyber-attack, and accidental loss of confidential data.

Critical Appraisal
The bill has raised concern among social media firms, ministers, and experts who held that the bill had too many loopholes to be effective and beneficial for the companies and users.
The first to raise a red flag about the bill was Justice B.N Krishna, himself. He held that the bill might lead to an Orwellian State and used the term Big Brother while describing his disapproval towards the exemption clause of the bill which removes the safeguard for government agencies. It is important to note that threats to privacy can originate from both, state actors and non-state actors.

This clause is problematic because the government is given access to 'critical' or 'sensitive personal data under the pretext of national security. Critics highlight the possibility of widespread misuse of this clause. Justice B.N Krishna held that exemptions granted under the bill should be watertight and narrow that should be made available for limited circumstance.

Another controversial clause of the bill is the establishment of the Data Protection Authority (DPA) that will be led by a chairman and six committee members. The DPA will be charged with managing data collected from the Aadhar program. In this committee, all the members will be appointed by the Central Government.

The committee will include civil servants, Cabinet ministers, and other state actors. This raises questions about the independence of the committee and the likelihood of bias. The government's discretion in appointing and removing high-level officials is a cause of fear among stakeholders. Unlike similar committees of the Reserve Bank of India or the Security Exchange Board of India, the board will not have an independent member of the judiciary to ensure that the decision made is not prejudicial to any stakeholder.

Although one can argue that the personal data protection bill is too little coming too late, yet is a sine qua non because of the expanding cyber scenario. The Personal Data Protection Bill seeks to regulate one's data online and can be called India's baby step towards protecting an individual's privacy on the internet.

The bill may be lacking in its features when compared to European Union's General Data Protection Bill which has included the right to be forgotten among other rights, yet we are hopeful that the bill shall duly be amended to adapt to the demands of the internet users in the country.

References:

1. JPC gets time to present the report on personal data protection bill" https://www.livemint.com/news/india/jpc-to-seek-time-to-present-report-on-personal-data-protection-bill-11627017273374.html
2. Why India has introduced the new Personal Data Protection Bill - DCD" https://www.datacenterdynamics.com/en/opinions/why-india-has-introduced-the-new-personal-data-protection-bill/
3. The victors of GDPR will monetize compliance - DCD" https://googleweblight.com/sp?hl&geid=NSTNR&u=https://www.datacenterdynamics.com/en/opinions/the-victors-of-gdpr-will-monetize-compliance/
4. General Data Protection Regulation- Wikipedia
   https://en.m.wikipedia.org/wiki/General_Data_Protection_Regulation
5. Unfulfilled promises on Personal Data Protection Bill- The Hindu
   https://www.thehindu.com/opinion/editorial/unfulfilled-promise-on-personal-data-protection-bill/article30323338.ece
6. Personal Data Bill, 2019- Privacy Laws
   https://indianexpress.com/article/opinion/columns/personal-data-protection-bill-2019-privacy-laws-7135832/
7. What are cookie websites tracking?- Vox
   https://www.vox.com/recode/2019/12/10/18656519/what-are-cookies-website-tracking-gdpr-privacy
8. Data value- Hornet Security
   https://www.hornetsecurity.com/en/security-information/data-value/
9. Why is Data Security so Important- fsb.org.uk
   https://www.fsb.org.uk/resources-page/why-is-data-protection-so-important.html
10. Personal Data important-Keep safe- Redscan
    https://www.redscan.com/news/personal-data-important-keep-safe/