In July this year, Telecom Regulatory Authority Chairman RS Sharma took to his Twitter handle and threw an open challenge by putting his Aadhaar number in the public domain, daring anyone to ‘do any harm’ to him. This was his attempt to debunk allegations that the privacy of data with UID can be breached. His challenge was accepted by French security researcher Elliot Alderson and a number of other users on Twitter. Within hours his phone number, alternate phone number, PAN number, bank accounts linked to his Aadhaar, etc. were out in the public domain. Sharma is the Chairman of TRAI; he holds a master's degree in computer science from the University of California and was Director General of UIDAI – the issuer of Aadhaar. If his data can be breached with such ease, then who is safe?
An individual’s right to privacy has been a fundamental issue with the people, and in an age of data-driven marketing and artificial intelligence, private information is vulnerable to breach and misuse. That privacy is a Fundamental Right has been settled by the Supreme Court in KS Puttaswamy Vs Union of India in 2017, in the Aadhaar litigation. Today, casual social media activity, or just swiping a debit card to buy a pair of shoes, can bombard you with a series of advertisements; election strategies are being made after mass profiling; and distribution of fake news and rumours is rampant. A robust regulatory regime is the need of the hour for data protection and to safeguard the Right to Privacy.
The Personal Data Protection Bill, 2018 is all set to be tabled in Parliament. The Bill’s journey has been recorded in volumes of work done first by the Justice AP Shah-led committee of experts commissioned by the Planning Commission in 2012, and later by the Justice BN Srikrishna Committee, which dealt with the issue of data privacy and individual rights in its report ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’ and also presented the draft Bill. Both reports and the draft Bill have a direct bearing on the Aadhaar project, where the government is collector, processor and holder of citizens’ personal data. The principle of obtaining the user’s consent goes for a toss with the mandatory aspect of Aadhaar.
The Justice AP Shah Committee laid the founding principles for data protection and future legislation under the broad principles of constitutional guarantee, and unequivocally defended the individual right to privacy, to the extent that a breach by the state opens a wide possibility of surveillance.
The report, which examined Supreme Court judgements, views from experts and civil society, and regulatory regimes in other countries, has framed nine principles of data protection.
Principle 1 – Notice: A data controller shall give an easy to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2 – Choice and Consent: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies.
Principle 3 – Collection Limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.
Principle 4 – Purpose Limitation: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals.
Principle 5 – Access and Correction: Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion of such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.
Principle 6 – Disclosure of Information: A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.
Principle 7 – Security: A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.
Principle 8 – Openness: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
Principle 9 – Accountability: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.
The proposed law on data protection must live up to the above principles to meet the global standards and necessities of a modern society, which has the legitimate rights of individual privacy. The Bill is also silent on the issue of individuals' right to object, and it dilutes consent by putting the government in a different bracket from private parties. The individual is the only legitimate owner of personal data, and any infringement on this right will end up risking the creation of authoritarian regimes.
By Prashant Tandon