The Telecom Regulatory Authority of India (TRAI) published a Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector on 09 August 2017. TRAI invited comments from stakeholders on 12 questions regarding the state of data privacy and data protection in the country, the capabilities of consumers, the rights and responsibilities of data controllers, and more. Our comments were accompanied by a concept note.
No sector of the global economy has been more rapidly transformed in the last five years than telecommunications. With a swiftness that has left traditional analysis and the entire system of regulatory interaction with the industry obsolete, the industry has changed its entire purpose and behaviour. Because this change has been so little reflected at the visible level of hardware infrastructure, it has passed for invisible altogether in most of the world's regulatory and legislative dialogue.
The telecommunications sector now exists to collect behavioural data on its customers. The traditional sectoral business model of selling circuit- and then packet-switched telecommunication was replaced in the early 21st century by models based first on premium content distribution and then on "over the top" data services. But with the advent of the smartphone and other mobile data devices, the "outbound" packets in the telecommunications network are just the bait on the stage of the mousetrap. The real economic value of the relationship with the customer is the "inbound" packets providing real-time surveillance of individuals' behaviour and thoughts. This data, aggregated and analysed by the new, "big" data science, is now widely characterized as "the new petroleum," the fundamental input commodity to the next phase of socio-economic development.
Learning to treat the "telecommunications sector" as the "behaviour collection and surveillance sector" is not a matter of incremental alteration in the regulatory structure. A bygone regulatory environment must be reconceived in order to deal with a completely reconfigured economy. The questions presented in this consultation reveal the depth of the disconnection between the existing regulatory framework and the new technical and economic reality.
Without simplified rules about data collection and usage, and strict enforcement of those rules resulting in high pecuniary damages within a fixed period of time, we are merely going through the motions and will end up building yet another burdensome administrative system that will enrich lawyers while checking infringement of privacy.
TSPs should give users meaningful choice, transparency in data collection and usage, and the ability to opt out of the octopus-like grip of data collectors as and when they choose.
All TSPs should be prohibited from making “take it or leave it” offers, meaning a TSP should not be allowed to refuse to serve a customer who does not consent to the use and sharing of their personal information for commercial purpose.
Towards this end, we recommend the following:
- The data protection framework of India should be designed in accordance with the nine National Privacy Principles laid down in the A. P. Shah Committee Report: Notice, Choice & Consent, Collection Limitation, Purpose Limitation, Access & Correction, Disclosure of Information, Security, Openness and Accountability.
- A new and independent data protection authority should be established under the aegis of the Ministry of Electronics, Information and Technology (MeitY) in order to deal with issues of data privacy and data protection in an unbiased manner. This authority should have the power to hear complaints, investigate instances of violation of data privacy, and issue directions and orders to data controllers.
- Over-the-top applications should not be subjected to telecommunications licensing requirements. However, they must abide by India’s data protection requirements under a new data protection framework.
- Users should have the ability to delete all their data from a service provider.
- Retention limitation: User data must be deleted once the purpose for collection of that data has been achieved.
- Users must be notified as soon as possible about law enforcement access to their data.
- Privacy notices should be simplified and translated into regional languages.
- There should be a requirement to ensure that anyone with whom the data has been shared is also under a legal obligation to provide a comparable standard of protection.
- Consent, although important, should not be allowed to be used by data controllers and data processors to override a consumer’s rights.
- There should be an oversight mechanism for Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 to ensure that reasonable security measures are taken to protect data. CERT-In or a new data protection authority could be tasked with reviewing data protection audits, and investigating and prosecuting instances of data breaches and lapses in implementing reasonable security measures.
- Users should be notified about any data breach that could affect them, along with the remedial measures available to them.
- The government should set up grants and funds for projects which aim to improve the data protection and security ecosystem for all stakeholders. FOSS projects that are known to provide standards-based solutions to enable security and privacy of data should be financially supported by the government.
- Any deviation from the standard practices in a certain industry must be disclosed in clear and explicit terms by the service provider or manufacturer/seller of a product so that a user/consumer knows what to expect.
- Device manufacturers, service providers, sellers, and all other entities involved in the manufacture, sale and provision of devices and services should not be allowed to interfere with secure data transfers and secure communications in any manner.
- Compliance with the web browser based ‘Do Not Track’ standard, and a new ‘Do Not Serve Advertisements’ option, should be made compulsory for a body corporate that operates in India or targets Indians.
- All parts of the digital ecosystem, including hardware and software such as routers, IoT devices, mobile devices, laptops, desktop computers, among others and the software that runs such hardware including, but not limited to, operating systems, applications and web browsers must comply with the standard data privacy and protection norms of the country.
- The power of law enforcement agencies under Section 69(3) of the Information Technology Act, 2000 should not extend to forcing decryption of information that is infeasible for the service providers, or where the service provider has employed end-to-end encryption. Service providers should not be forced to create backdoors in their products and services.
Q. 1 Are the data protection requirements currently applicable to all the players in the eco-system in India sufficient to protect the interests of telecom subscribers? What are the additional measures, if any, that need to be considered in this regard?
No, they are insufficient to protect interests of the telecom subscribers. They are archaic, ambiguous and toothless. There is an urgent need to modernize the regulatory environment through a comprehensive privacy framework that accounts for the technical realities.
The ecosystem referred to in the consultation paper is broad and includes telecom operators, mobile apps, operating systems and ad networks, among others. The measures currently applicable to all the players in this ecosystem are insufficient to protect the interests of telecom subscribers. The Unified Service License Agreement and ISP License Agreements require compliance with the Information Technology Act, 2000. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“the Rules”) under Section 43A of the Information Technology Act, 2000 do have certain protections for personal information and sensitive personal data; however, these protections are both insufficient and unenforceable in most circumstances. A breach of these Rules can only be enforced by way of compensation to the person affected if a wrongful loss or wrongful gain can be proved. Currently, the loss or gain caused as a result of such a breach is difficult to ascertain. This should be replaced by high statutory damages to deter would-be violators. Any contravention of the Rules where wrongful loss or wrongful gain cannot be proved is punishable with a fine of up to Rs. 25,000/- under Section 45 of the IT Act. These Rules are effectively toothless in an era when European data protection regulations prescribe a fine of up to 4% of the total worldwide revenue of the erring company. Additionally, the Rules suffer from a lack of proper protections for personal data or information, as they were created under a Section that was meant to provide protection only to sensitive personal data or information.
ISP License Agreements limit the encryption strength to 40 bits. Though this clause has been removed in the newer Unified Service License Agreement, the newer license continues to prohibit the use of bulk encryption equipment while still requiring service providers to ensure the privacy of subscribers.
Currently, the obligations on those who collect and process data include:
- Obligations on TSPs under Unified Service License Agreement or ISP License Agreements.
- Obligations under The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A of the Information Technology Act, 2000.
- Obligation to inform CERT-In (the Indian Computer Emergency Response Team) about data breaches under Rule 12 of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
In case of a data breach, data controllers should be under an obligation to inform affected users in addition to informing CERT-In and any other regulatory bodies as may be necessary under sectoral laws, rules and regulations. Under Rule 5(4) of the Rules, retention of sensitive personal data or information is not allowed “for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.” We recommend that there should be an obligation to delete all personal data or information, not only sensitive personal data or information, once the purpose for the collection of the data has been achieved. Currently, there is an obligation to delete only sensitive personal data after the purpose has been completed. This is insufficient, as personal data can be used to identify, track and profile people. Deletion of all personal data must be made mandatory in order to prevent misuse of collected data.
The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 provide for a bar on automated marketing communications without consent; require identification of the communicator; require a notice of the purpose of collection of data before the data is collected for marketing; allow users to determine what, if any, of their personal information exists in a directory, and to verify, correct or withdraw such data; bar processing of location data without consent unless the data is anonymized; require service providers to take appropriate measures to safeguard the security of personal data; and require a notice of the risks of a security breach and possible remedies, and a notice of any security breaches that have occurred.
However, telecom subscribers in India do not get similar protection from misuse of data. There is limited protection from unsolicited communications as outlined in the Telecom Commercial Communication Customer Preference Regulations, 2010. There is a need for legislation to protect the privacy rights of telecom subscribers as well as users of electronic communication services, in line with the law in the EU.
Section 11(1)(b)(iii) of the Telecom Regulatory Authority of India Act, 1997 enables TRAI to “ensure technical compatibility and effective inter-connection between different service providers.” Under this sub-section, TRAI can mandate a technical measure to ensure that service providers provide a method to port data from one service provider to another. Upon a user’s request, a service provider must provide the user with all data held by the service provider about the user in machine readable and human readable format. Machine readable data would allow users to easily transfer their data from one service provider to another; this would allow competition to thrive in an industry where data is considered to be the new oil. TRAI can prescribe the formats in which such data must be provided, and can mandate that service providers implement a method to export and a method to import such data.
Q. 2 In light of recent advances in technology, what changes, if any, are recommended to the definition of personal data? Should the User’s consent be taken before sharing his/her personal data for commercial purposes? What are the measures that should be considered in order to empower users to own and take control of his/her personal data? In particular, what are the new capabilities that must be granted to consumers over the use of their Personal data?
Currently, Rule 2(i) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules defines ‘Personal information’ as ‘any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.’ Often, metadata about communications, which may not strictly fall under the definition of personal information, can be used to gather information about a person. Hence, metadata should also receive the same kind of protection as that accorded to personal data.
User’s consent must be taken before sharing his/her personal data for commercial purposes. Personal data is innately private to a person. Unchecked sharing of personal data would be a violation of an individual’s Fundamental Right to Privacy, enshrined under Article 21 of the Constitution of India, as recognized by the nine-judge bench of the Supreme Court of India in the case of K. S. Puttaswamy v. Union of India on 24 August 2017. It is the duty of the State to ensure that an individual’s fundamental rights are adequately protected from unchecked violations by state and non-state actors. To this end, the measures that should be considered in order to empower users to own and take control of his/her personal data include:
- We should institute an opt-in system as opposed to an opt-out system for data collection. Rules should be instituted that require individuals to opt in before companies or government entities can collect, use, and share their personal information. Privacy notices should be simplified to the extent that a regular user is able to understand what data will be taken, what purpose that data will serve, who it will be shared with, and who can be approached in case of a grievance. Current privacy notices are unnecessarily long and are written in legalese. Laymen do not even attempt to decipher the contents of these notices, as they are long and hard to understand.
- User consent should be taken before transferring data to any third party. There should be a method through which the user is informed about the transfer of data and given a choice to opt out of the transfer within a reasonable amount of time before the data is shared with a third party. In case the data is shared for law enforcement purposes, the user must be informed as soon as possible. If the user is not informed about law enforcement access to their data, then the user cannot mount a proper legal defence or
- If the collection of some data is not necessary to provide certain services, then users must not be compelled to provide that data in order to obtain those services. The requirement under Rule 5(2)(b) of the Rules under Section 43A of the Information Technology Act reads: "Body corporate or any person on its behalf shall not collect sensitive personal data or information unless the collection of the sensitive personal data or information is considered necessary for that purpose." This requirement should be expanded to include all personal data or information, not only sensitive personal data or information. Providing your residential address, for example, is not necessary to partake in a social network based on your true identity. Providing an address would be necessary to purchase a physical item from an e-commerce website or app.
- Users should have the right to revoke their consent at any point in the processing of data. If a user revokes their consent, then the data controller must delete the data of that user, unless the data controller has a legitimate reason to retain that data, such as a legal obligation or legal action, medical necessity, etc. Such exceptions need to be narrowly defined.
- Users should have the ability to access and make corrections in their data held by data controllers.
- Users should be able to transfer their data from one data controller to another if they no longer wish to continue using the services of a data controller.
New capabilities that must be granted to consumers over the use of their Personal data:
- Ability to initiate proceedings against a data controller or data processor (an entity that processes data on the instructions of a data controller, but which does not exercise any decision making powers regarding the collection, use, retention or purpose of processing data) even if no wrongful loss or wrongful gain can be shown. Privacy has been recognized as a Fundamental Right by the Supreme Court of India in the case of K.S. Puttaswamy & Ors v. Union of India [W.P.(C) 494/2012]. Violation of the right to privacy as a result of the collection, use, disclosure or retention of personal data without consent, or as a result of inadequate protection of their data is a harm in itself.
- Consent, although important, should not be allowed to be used by data controllers and data processors to override a consumer’s rights. If harm is caused to a consumer as a result of negligence on the part of the data controller or data processor, then the data controller or data processor must be held accountable regardless of whether or not consent was taken from the data subjects (individuals whose data is collected, stored, transferred, processed or used in any other manner).
- Consumers must be allowed to revoke their consent at any stage of data collection or data processing. When a consumer revokes consent, the data controller or data processor must delete the existing data about that consumer. Consumers must be allowed to revoke their consent in respect to all as well as selective data collection and processing activities. If revocation of consent would lead to the deletion of some data that is necessary for providing the services, then the service provider should be allowed to stop offering those services to the consumer.
- Consumers must be allowed to access the data held about them by a data controller or data processor as it is their own data. Where such data is incorrect, they must be allowed to make corrections in the data that is held about them.
- Consumers must be allowed to transfer their data from one service provider to another at their own choice. Such data must be made available in both machine readable and human readable formats. TRAI could mandate a specific format in which the data must be made available by service providers upon consumer request in order for it to be importable for other service providers in a standardized manner. This would foster growth through competition for providing better services.
- Consumers should have the ability to easily delete all data held by a data controller or data processor if they no longer consent to the use or storage of that data.
- The procedure to initiate access to data, make corrections in data, delete all data, revoke consent, or transfer data from one service provider to another must be simple. Complicated procedures would serve as a hindrance to these tasks in the same manner as complicated privacy policies have served as a hindrance to understanding the nature of those policies.
Q. 3 What should be the Rights and Responsibilities of the Data Controllers? Can the Rights of Data Controller supersede the Rights of an Individual over his/her Personal Data? Suggest a mechanism for regulating and governing the Data Controllers.
Data Controllers should be allowed to collect and process data that is necessary in order to achieve a specified purpose or to provide a specified service for a limited period of time. There should not be a restriction on using higher standards of security than any specific standard. Data controllers should be allowed to innovate through improvement of the security of their products and services. Data controllers should not be forced to weaken the security of their products or services, and they should not be forced to build back doors into their products or services. In the digital world, any backdoor or intentional security bypass can be found and exploited by undesirable actors including criminals. It is impossible to create a weakness or a backdoor that can be used by only a limited set of people such as intelligence and law enforcement agencies.
Responsibilities of the Data Controller:
- Data controllers should not be allowed to collect and process data that is not mentioned in the notice of collection of processing, and which is not necessary to achieve the stated purpose of collection and processing.
- Data controllers must be held responsible for ensuring the security of personal and sensitive personal data. There should be an oversight mechanism for Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 to ensure that data controllers are taking enough measures to protect the data.
- Data controllers must give notice of data breaches to CERT-In, sectoral regulators and affected data subjects.
- Data controllers must notify data subjects about what data will be collected, for what purpose, by whom, who to contact in case of grievance, what would be the effect of agreeing to or disagreeing to the collection of any data. Such notices should be simple and easy to understand, and must be available in English as well as the vernacular language of the region in which the data controller is providing their services.
- Data controllers must ensure that anyone with whom personal information or sensitive personal data or information is shared obeys the same standards of security and privacy as are applicable on the data controller. The transfer of data should not be allowed without explicit consent from the data subject. Transfer of data must not be allowed to another country unless the country to which the data is being transferred offers similar levels of protection to personal and sensitive personal data.
- Personal data must not be published openly. Any exceptions such as for journalism must be narrowly defined. Broad exceptions would serve as a source of exploitation.
- Any collection, use, storage or transfer of personal data must not be done without prior explicit informed consent from the data subject.
- Data controllers must train their staff in security procedures.
- Data controllers must ensure that access to personal and sensitive personal data is restricted to only those people who must necessarily have access to it in order to perform their duties. In all other instances, such data must be out of reach for employees and outsiders.
As data controllers are in the position to make all decisions related to the collection and processing of data, only in certain specific and clearly defined situations can the rights of a data controller supersede the rights of an individual over his/her personal data. The data controller can retain data if the retention of that data is necessary to comply with a law, a lawful order or a legal obligation, or for a legal action. They can also retain the data if that data is part of the public domain. Users cannot compel a data controller to delete or stop processing anonymized data. If the deletion of some data would make it impossible for a data controller to provide a service or a product to a user, then the data controller must not be compelled to provide that service or product to the user.
An independent authority is required to regulate data controllers. This authority can be a new body along the lines of data protection authorities in Europe and other parts of the world. TRAI has the power to regulate telecommunication service providers, but not all data controllers are telecommunication service providers. We recommend that all data controllers should be regulated by a new and independent data protection authority under a new legislation focused on the issue of data privacy and protection. Such a regulator should have the power to hear complaints against data controllers, investigate instances of data breaches, and issue directions and orders to data controllers. Since India already has a body dealing with security of data in the form of CERT-In, the powers of CERT-In to regulate and decide upon issues of data security could be expanded, and a new body could be established to deal with issues of data privacy. CERT-In was established through The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 passed under Section 70B of The Information Technology Act, 2000. Section 70B(4) and Rules 8 and 9 of the 2013 Rules deal with the responsibilities and services of CERT-In. The responsibilities under Section 70B(4) include:
- collection, analysis and dissemination of information on cyber incidents;
- forecast and alerts of cyber security incidents;
- emergency measures for handling cyber security incidents;
- coordination of cyber incidents response activities;
- issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.
CERT-In’s services under Rule 9 of the 2013 rules include:
- response to cyber security incidents;
- prediction and prevention of cyber security incidents;
- analysis and forensics of cyber security incidents;
- information security assurance and audits;
- awareness and technology exposition in the area of cyber security;
- training or upgrade of technical know-how for certain entities;
- scanning of cyber space with respect to cyber security vulnerabilities, breaches and malicious activities.
Through a change in the law, CERT-In may be granted the additional responsibilities of:
- investigating and prosecuting failure to:
  - implement reasonable security procedures;
  - inform affected users about data breaches, how the breach affects them and what remedies are available to the users;
  - disclose to CERT-In and to the public at large the security procedures followed by a body corporate;
  - train staff about security procedures;
  - report instances of security breaches to CERT-In;
- interfacing with a dedicated data security officer in body corporates of a certain size – for example, body corporates with 200 employees or revenue exceeding 10 crore rupees;
- reviewing security audits of body corporates.
Q. 4 Given the fears related to abuse of this data, is it advisable to create a technology enabled architecture to audit the use of personal data, and associated consent? Will an audit-based mechanism provide sufficient visibility for the government or its authorized authority to prevent harm? Can the industry create a sufficiently capable workforce of auditors who can take on these responsibilities?
Technology-based architectures do not operate in isolation; they still require the active application of human judgement. Algorithmic biases are well known in the industry. Harm cannot be prevented in a fool-proof manner, but the majority of it can be avoided through the use of audits, as they would lead to higher compliance with data protection requirements than unchecked, haphazard implementations. Other jurisdictions in the world have audit mechanisms to prevent abuse of data. Audits could be conducted to ensure that:
- data is not being collected without consent;
- notices are simplified and easy to understand;
- notices sufficiently inform data subjects about what data will be collected, how it will be used, who it will be shared with and how to raise a complaint;
- the method of collecting consent is sufficient;
- security procedures and practices match or exceed the industry standards;
- data has not been transferred to another body without prior user consent;
- data controllers conduct training of their staff in security procedures and practices.
A technology-enabled architecture would enable the government or its designated authority to receive data from auditors in a standard format, with the ability to easily identify errant entities. These audits could help in preventing future security breaches and unintended violations of privacy. The audits would act as a deterrent to selling personal data without proper consent. Data transfers for a price would appear on the balance sheets of the body corporate, but the audits cannot prevent abuse of data in the form of data transfers where a body corporate is determined to bypass the law.
The industry and industry associations could come together to train auditors to meet the requirements. Once there is a demand, a sufficiently large talent pool of auditors could be developed.
Q. 5 What, if any, are the measures that must be taken to encourage the creation of new data based businesses consistent with the overall framework of data protection?
To ensure innovation and creation of new businesses, there should be certainty with respect to the legal framework related to data protection. The law should be in tune with the principles of privacy followed in jurisdictions like the EU so that there is no hindrance to cross-border transfer of data, while at the same time protecting the interest of Indian users.
Currently, the quantum of fine for non-compliance with data protection requirements under the Information Technology Act and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 is too low. Since these Rules do not explicitly mention any punishment or fine, the only provisions under which they can be enforced are Sections 43A and 45 of the Information Technology Act, 2000. Section 43A, under which these rules were drafted, allows for compensation to be paid to a person affected by non-compliance of these Rules. Section 45 prescribes the fine for non-compliance with any provision of the Act or Rules made under it when no separate provision has been made for punishment for such non-compliance. The penalty payable under Section 45 is up to Rs. 25,000/-. In an era when data-based global technological companies are some of the richest companies in the world, with global revenue higher than the GDP of many countries, a fine of this magnitude is not a deterrent from the perspective of such companies. If it would be cheaper to pay a fine than to fix a problem, then a body corporate would choose to pay a fine instead of fixing the problem. The quantum of fine must be tied to the local or global revenue of a body corporate in order for the fine to be a deterrent.
A measure that, for example, requires encryption of a particular form for the security of data could in future be a hindrance towards the very security that it set out to protect. Vulnerabilities are regularly found in software and hardware. To ensure that data is protected from these vulnerabilities, more secure technologies have to be deployed by data controllers and data processors. The vulnerability known as KRACKs (Key Reinstallation Attacks) has demonstrated that even the most prevalent and seemingly secure standards can one day become vulnerable to attack. To protect against such vulnerabilities, the legal requirement should be to implement a reasonable standard of security, along with audits of those security measures, instead of prescribing a base standard for security. A base standard for security poses a secondary problem as well – body corporates can follow the minimum level that has been prescribed and not improve upon it because it provides them with legal protection for the lowest financial cost.
The laws and regulations created to preserve the privacy and security of data must be carefully drafted to ensure that they do not encroach upon the ability to innovate by being excessively restrictive. Technology evolves faster than laws and regulations. There is a need for a principle-based approach to ensure data privacy and data security. We recommend following the nine principles outlined by the A.P. Shah Committee as the National Privacy Principles, in order to ensure that the law meets the needs of privacy and security in an appropriate manner. These principles are: Notice, Choice & Consent, Collection Limitation, Purpose Limitation, Access & Correction, Disclosure of Information, Security, Openness and Accountability.
Q. 6 Should government or its authorized authority set up a data sandbox, which allows the regulated companies to create anonymized data sets which can be used for the development of newer services?
The Government could use anonymized data sets for projects that are in the public interest, for example to identify health trends. With increasing emphasis on open data, more and more Government departments and agencies are publishing data related to their area of work. At the same time, care should be taken to ensure that anonymized data is not processed to reveal identity information. Research has shown that with the help of big data analytics it is possible, and often very easy, to identify individuals from anonymized data. Researchers from the University of Texas used an anonymized data set released by Netflix and showed that it is possible to re-identify a Netflix user from the data set.
Research has shown that the belief that anonymized data protects the privacy of users is a myth. It has been shown that anonymized data can be easily de-anonymised, enabling identification of individuals. Hence it would be ideal for Governments or an authorised authority not to get into the business of creating anonymized data sets for commercial uses.
In the proposed law on Data Protection in the UK, re-identifying de-identified data is an offence. Measures like this could be necessary to ensure that big data analytics does not result in violation of the privacy rights of citizens.
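The re-identification risk described above can be measured before a data set is released. The following is an added example, not part of the original submission: it strips direct identifiers, computes the k-anonymity of the remaining quasi-identifiers, and shows how a public roster (constructed here; think of an electoral roll) joins back to sensitive attributes, and how generalizing the quasi-identifiers lowers that risk. All records and names are constructed for illustration.

```python
"""
Added example: measuring how much a "de-identified" data set still exposes
individuals.  Names are removed, but the remaining quasi-identifiers
(pincode, birth year, sex) can be joined against a public roster, which is
the same kind of linkage used in the Netflix re-identification research.
All records below are constructed for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

QUASI_IDS = ("pincode", "birth_year", "sex")

# Constructed "anonymized" release: direct identifiers already stripped.
RELEASED = [
    {"pincode": "560034", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"pincode": "560034", "birth_year": 1984, "sex": "F", "diagnosis": "healthy"},
    {"pincode": "560038", "birth_year": 1985, "sex": "F", "diagnosis": "diabetes"},
    {"pincode": "110001", "birth_year": 1991, "sex": "M", "diagnosis": "healthy"},
    {"pincode": "110001", "birth_year": 1991, "sex": "M", "diagnosis": "hypertension"},
]

# Constructed public roster carrying names together with the same quasi-identifiers.
PUBLIC_ROSTER = [
    {"name": "Asha",  "pincode": "560034", "birth_year": 1984, "sex": "F"},
    {"name": "Bina",  "pincode": "560034", "birth_year": 1984, "sex": "F"},
    {"name": "Rekha", "pincode": "560038", "birth_year": 1985, "sex": "F"},
    {"name": "Karan", "pincode": "110001", "birth_year": 1991, "sex": "M"},
    {"name": "Dev",   "pincode": "110001", "birth_year": 1991, "sex": "M"},
]


def qi_key(record: dict, quasi_ids=QUASI_IDS) -> Tuple:
    """The quasi-identifier values of one record, as a hashable key."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDS) -> Counter:
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(qi_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS) -> int:
    """The k in k-anonymity: the smallest equivalence class in the release."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_ids=QUASI_IDS) -> List[dict]:
    """Records whose quasi-identifier combination is unique (k = 1)."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[qi_key(r, quasi_ids)] == 1]


def re_identification_risk(released, roster, quasi_ids=QUASI_IDS) -> Dict[str, str]:
    """
    Risk metric for the data controller: which names in the public roster map
    to exactly one released record?  Those individuals' sensitive attributes
    are exposed by a simple join even though the release contains no names.
    """
    by_key = defaultdict(list)
    for r in released:
        by_key[qi_key(r, quasi_ids)].append(r)
    roster_counts = Counter(qi_key(p, quasi_ids) for p in roster)
    exposed = {}
    for person in roster:
        key = qi_key(person, quasi_ids)
        # A unique match on both sides pins one person to one record.
        if len(by_key.get(key, [])) == 1 and roster_counts[key] == 1:
            exposed[person["name"]] = by_key[key][0]["diagnosis"]
    return exposed


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers (pincode prefix, birth decade) to raise k."""
    out = dict(record)
    out["pincode"] = record["pincode"][:3] + "***"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    print("k of raw release       :", k_anonymity(RELEASED))
    print("singled-out rows       :", singled_out(RELEASED))
    print("exposed by roster join :", re_identification_risk(RELEASED, PUBLIC_ROSTER))
    coarse = [generalize(r) for r in RELEASED]
    print("k after generalization :", k_anonymity(coarse))
```

Dropping names leaves k = 1 here, and the one singled-out record is exposed by the join; generalizing the pincode and birth year raises k to 2 and the join no longer identifies anyone.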
Q. 7 How can the government or its authorized authority set up a technology solution that can assist it in monitoring the ecosystem for compliance? What are the attributes of such a solution that allow the regulations to keep pace with a changing technology ecosystem?
The approach should be to have principles, standards and guidelines in place that would ensure compliance of service providers with the data protection regulation. Technologies change at a fast pace, and any specific technical solution would quickly become obsolete. Standards and guidelines, however, can ensure that the goal of protecting the privacy rights of citizens is met irrespective of the technology in use. It is important to have a data protection authority that would ensure compliance of service providers with standards and guidelines that protect the privacy rights of users.
Q. 8 What are the measures that should be considered in order to strengthen and preserve the safety and security of telecommunications infrastructure and the digital ecosystem as a whole?
- It is important to adopt Free and Open Source Software (FOSS), which is auditable, over proprietary software, which is closed and cannot be audited.
- Support FOSS projects that are known to provide standards-based solutions for the security and privacy of data. These projects could be standalone tools or libraries (modules, add-ons) used by other software under development.
- Set up grants and funds for projects which aim to improve the data protection and security ecosystem for all stakeholders.
- Announce incentives (cash prizes, scholarships, recognitions) for individuals or organizations who follow responsible disclosure of security flaws in technologies that handle sensitive personal data.
As the Equifax breach has shown us, it is important to have proper Information Security practices. It is imperative to have an organisational culture that places emphasis on security.
Q. 9 What are the key issues of data protection pertaining to the collection and use of data by various other stakeholders in the digital ecosystem, including content and application service providers, device manufacturers, operating systems, browsers, etc? What mechanisms need to be put in place in order to address these issues?
TRAI has no jurisdiction to control these players as all policy matters relating to information technology, electronics and Internet (except licensing of ISP) fall under the domain of MeitY, not TRAI.
Key issues of data protection pertaining to the collection and use of data by various stakeholders in the digital ecosystem, including content and application service providers, device manufacturers, operating systems, browsers, etc:
- Operating systems and device manufacturers have disproportionate power: they can hold their users hostage, forcing them to give up their data or be unable to use a product that they have paid for.
- Browsers act as gatekeepers to the internet. While operating systems and device manufacturers have the ability to capture everything that anyone does on the device, browsers have the ability to capture all data related to a person’s online activities.
- Various companies such as those in the online advertising business make use of cookie based trackers and fingerprinting mechanisms to gather user data and to profile users.
- All stakeholders in the digital ecosystem, including those mentioned above, have the ability to collect, use and/or transfer data for which they did not collect explicit consent.
- Any data is only as secure as the weakest link in the chain. As such, it is necessary to ensure that all parts of the digital ecosystem abide by data privacy and data protection norms.
Mechanisms that need to be put in place in order to address these issues:
- Any deviation from the standard practices in a certain industry must be disclosed in clear and explicit terms by the service provider or manufacturer/seller of a product so that a user/consumer knows what to expect. If such deviations would intrude upon the privacy of a user, the company should be obligated to clearly disclose and highlight what the impact of such a deviation from the norm would be on the privacy of the individuals using that service or product.
- Device manufacturers, service providers, sellers, and all other entities involved in the manufacture, sale and provision of devices and services should not be allowed to interfere with secure data transfers and secure communications in any manner. For example, Lenovo installed a malware called Superfish on its Windows based laptops. This malware intercepted all secure communications taking place in web browsers by replacing the websites' security certificates with certificates signed by the malware's own self-signed certificate. This weakened user security by preventing users from knowing when they were visiting a website that had a spoofed certificate, and compromised their privacy by intercepting secure communications with their banking, shopping and email websites, among others.
- Consent should be explicit and clear. A system of opting out of consent must not be allowed free rein wherever privacy and security are concerned. For example, when Microsoft allowed a free upgrade to Windows 10 for users of Windows 7 and Windows 8, it employed a deceptive tactic to get users' consent. The act of closing a window is commonly an action to dismiss something without accepting it. The upgrade software considered the act of closing a window to be acceptance of the option to upgrade to Windows 10. The upgrade to Windows 10 had various implications for the privacy and security of end users, as Windows 10 sends their data to Microsoft's servers for analysis and user profiling, among other things.
- Browsers must not be allowed to:
  - transfer browsing history, cookies, cache data and form data from the local device for any purpose other than syncing across user devices;
  - interfere with the security of data transfer by replacing security certificates.
- A web browser standard called 'Do Not Track' exists to assist users in easily signalling to websites that they do not wish to be tracked. Compliance with this standard is currently not compulsory. The majority of websites ignore this signal and continue to track users despite their clear expression that they do not wish such tracking and profiling to take place. Users should have the ability to easily block all web based trackers and advertisements to protect their privacy. Ad-blocking could take the form of an option in web browsers, similar to the Do Not Track option, that signals to websites that a user does not wish to be served advertisements. Compliance with both of these signals, Do Not Track and the new Do Not Serve Advertisements, should be made compulsory for a body corporate that operates in India or targets Indians.
- All parts of the digital ecosystem, including hardware such as routers, IoT devices, mobile devices, laptops and desktop computers, among others, and the software that runs on such hardware, including, but not limited to, operating systems, applications and web browsers, must comply with the standard data privacy and protection norms of the country. Without these norms being applicable to all the players in the ecosystem, loopholes would be left for data to be gathered and exploited. Towards this end, the National Privacy Principles recommended by the A. P. Shah Committee can serve as a good guideline for the norms that should be followed by all the stakeholders. These include: Notice, Choice & Consent, Collection Limitation, Purpose Limitation, Access & Correction, Disclosure of Information, Security, Openness and Accountability. These principles are being followed in data protection laws in most parts of the world, with new countries constantly joining the fold of those that have laws that allow personal data to be shared with recipients only in those countries that have similar protections in place.
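What honouring the Do Not Track signal and the proposed Do Not Serve Advertisements signal looks like on the server side, together with the kind of check a compliance auditor could run over request/response pairs, as an added example that is not part of the original submission. The `DNT` request header and the `Tk` response header come from the W3C Tracking Preference Expression specification; the `DNSA` header name and the list of tracking cookie names are assumptions made for this example.

```python
"""
Added example: a page handler that honours "DNT: 1" (Do Not Track) and a
hypothetical "DNSA: 1" (Do Not Serve Advertisements) request header, plus an
auditor's check that flags responses which ignore those signals.
The DNSA header name is an assumption; no such standard exists yet.
"""
import secrets

DNT_HEADER = "DNT"     # W3C Tracking Preference Expression: "1" = user objects to tracking
DNSA_HEADER = "DNSA"   # hypothetical: "1" = user does not want advertisements
# Cookies this (constructed) site uses to profile visitors across page views.
TRACKING_COOKIES = {"uid", "ad_session"}


def user_opted_out(headers: dict, name: str) -> bool:
    """True only for the value "1"; header names are matched case-insensitively."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip() == "1"
    return False


def build_response(request_headers: dict) -> dict:
    """
    Build response headers and body for a page view, suppressing the profiling
    cookie and the advertising slot whenever the matching signal is present.
    """
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = ["<h1>Article</h1>"]

    if user_opted_out(request_headers, DNT_HEADER):
        headers["Tk"] = "N"   # tracking status value: not tracking this request
    else:
        headers["Tk"] = "T"   # tracking status value: tracking
        # Random identifier cookie used to recognise the visitor later.
        headers["Set-Cookie"] = (
            f"uid={secrets.token_hex(8)}; Path=/; Secure; HttpOnly; SameSite=Lax"
        )

    if not user_opted_out(request_headers, DNSA_HEADER):
        body.append('<div class="ad">sponsored content</div>')

    return {"headers": headers, "body": "\n".join(body)}


def cookie_name(set_cookie: str) -> str:
    """Name of the cookie in a Set-Cookie header value ("" if none)."""
    pair = set_cookie.split(";", 1)[0]
    return pair.split("=", 1)[0].strip() if "=" in pair else ""


def compliance_violations(request_headers: dict, response: dict) -> list:
    """
    Auditor's check: did the server respect the user's signals?  Returns a
    list of findings; an empty list means the response is compliant.
    """
    findings = []
    name = cookie_name(response["headers"].get("Set-Cookie", ""))
    if user_opted_out(request_headers, DNT_HEADER):
        if name in TRACKING_COOKIES:
            findings.append(f"tracking cookie '{name}' set despite DNT:1")
        if response["headers"].get("Tk") != "N":
            findings.append("Tk header does not acknowledge the DNT request")
    if user_opted_out(request_headers, DNSA_HEADER) and 'class="ad"' in response["body"]:
        findings.append("advertisement served despite DNSA:1")
    return findings


if __name__ == "__main__":
    opted_out = {"DNT": "1", "DNSA": "1"}
    print(build_response(opted_out))
    # A constructed response from a server that ignores both signals.
    ignoring = {"headers": {"Set-Cookie": "uid=abc; Path=/", "Tk": "T"},
                "body": '<div class="ad">x</div>'}
    print(compliance_violations(opted_out, ignoring))
```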
Q. 10 Is there a need for bringing about greater parity in the data protection norms applicable to TSPs and other communication service providers offering comparable services (such as Internet based voice and messaging services)? What are the various options that may be considered in this regard?
The data protection norms applicable to TSPs are mainly contained in the IT Act, Telegraph Act and various license agreements.
- Telegraph Act:
- Section 26 makes it an offence for a Telegraph Officer to alter, unlawfully disclose or acquaint himself with the content of any message.
- Section 30 criminalizes the fraudulent retention or wilful detention of a message which is intended for someone else.
Section 43A of the IT Act (Compensation for failure to protect data) and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 framed under Section 43A of the Act define a data protection framework for the processing of digital data by body corporates.
TRAI established the Telecom Unsolicited Commercial Communications Regulations, 2007 in an attempt to prevent Unsolicited Commercial Calls to telecom consumers. A National Do Not Call Register was established under it, which contains information regarding consumers who do not wish to receive unsolicited commercial communications. The regulation also specifies the procedure for initiation of complaints by consumers and for their adjudication and disposal. It also imposes fines on telemarketers who initiate UCC with individuals who have opted not to receive such communications.
It also requires every access provider, and the person authorized to maintain the National Do Not Call Register, to keep confidential all the information disclosed by the subscriber and entered in the National Do Not Call Register.
Similarly, the Telecom Commercial Communications Customer Preference Regulations, 2010 provide for setting up a Provider Customer Preference Register, a National Customer Preference Register and a National Telemarketer Register. They contain provisions for maintaining privacy and protecting customer information.
On 26th February 2010, TRAI issued a direction to ensure compliance with the terms and conditions of the licences regarding confidentiality of subscriber information and privacy of communications.
TRAI directed Cellular Mobile Telephone Service Providers and Unified Access Service Providers:
- To ensure confidentiality of information as provided in the license conditions;
- To put in place appropriate mechanisms so as to prevent the breach of confidentiality of information of the subscriber and privacy of communication; and
- To furnish to the Authority, within fifteen days of issuance of this Direction, the details of steps taken by the service provider to safeguard the confidentiality of information of subscribers and privacy of communications.
The detailed guidelines regulating the behaviour of TSPs are contained in the terms of the licences issued to them, which permit them to conduct business. These licences frequently contain clauses requiring TSPs to safeguard the privacy of their consumers.
Apart from the aforementioned regulations, National Long distance license, ISP license categories (A, B and C) and Unified service license issued by the Department of Telecommunications (DoT) contain provisions specifying a certain degree of data protection.
Further, the Telecom Engineering Centre specifies common standards regarding telecom network equipment, services, interoperability, generic and interface requirements, among other things.
Since OTT applications are unlicensed, they do not have to comply with TRAI and DoT regulations. They do, however, have to abide by the provisions of the IT Act and the complementing Rules.
Although OTT applications should not be subjected to licensing, as it would hamper innovation, they should abide by the proposed data protection law and regulations. There should be greater parity in the data protection norms applicable to TSPs and other communications service providers offering comparable services. A comprehensive data protection framework to protect user data from misuse is the need of the hour.
Q. 11 What should be the legitimate exceptions to the data protection requirements imposed on TSPs and other providers in the digital ecosystem and how should these be designed? In particular, what are the checks and balances that need to be considered in the context of lawful surveillance and law enforcement requirements?
Legitimate exceptions should be limited and narrowly defined to avoid abuse. These should include:
- Section 69(3) of the IT Act allows for a lawful order to intercept, monitor or decrypt some information. This should not extend to forcing decryption of information where decryption is infeasible for the service provider, or where the service provider has employed end-to-end encryption. Forcing a service provider to create a backdoor in an end-to-end encryption system would weaken the security of all users of that service provider. Such damage to the security of all users is disproportionate and must not be allowed as a fallout of an attempt to access the messages of a few.
- Service providers should be allowed to retain data that is necessary for the performance of a legal obligation or a legal procedure. However, this exception should be defined in such a way that it cannot be used by law enforcement to force service providers to collect any data that the service provider would not have otherwise collected from the user.
- Data that has been fully anonymized with no way to link it back to any person should be allowed to be used and shared in any manner by the service provider. If the data is only partially anonymized, then data protection requirements should continue to be imposed on that data in order to minimize the chances of privacy violations.
- Data should be allowed to be used for medical research and other research that would result in societal advancements after the data has been anonymized as far as may be feasible.
- Data that is available in the public domain does not need to fall within the scope of data protection requirements.
- Freedom of press should be upheld by allowing press to publish information that is in the interest of society. This exception should not allow the press to publish sensitive personal information such as biometric data.
- Data subjects should be informed about law enforcement access immediately after the access to their data. Where such a notice would jeopardize the safety or security of the state or investigation or prevention of an offence, the data subject should be informed as soon as such a danger has passed. A data subject cannot defend his/her legal rights if they are not made aware of violations of those rights.
Q. 12 What are the measures that can be considered in order to address the potential issues arising from cross border flow of information and jurisdictional challenges in the digital ecosystem?
Companies should not be allowed to transfer personal data out of India unless the country to which that data is transferred has the same level of protections available. Without such a clause, data could be transferred out of India to another country with fewer protections and more freedom to violate data privacy. Under the European General Data Protection Regulation, transfer of personal data for processing to a third country or international organization outside the EU can be done by means of an adequacy decision, i.e. if the Commission decides that the third country ensures an adequate level of protection. 'Adequacy' is decided by analysing the rule of law, legislation in force, defence, national security, and the effective functioning of independent supervisory authorities responsible for data protection, among other things. Without an adequacy decision, a controller or processor can direct such a transfer after ensuring that there are appropriate safeguards in place by means of binding corporate rules or standard data protection clauses as adopted by the Commission or a Supervisory Authority. Both of the above methods can be dispensed with if, for example, the data subject has consented to the transfer after being informed of the risks, or if the transfer is necessary for a compelling public interest or for the performance of a contract between the data subject and the controller. Similar laws exist in multiple countries.
The issue of jurisdiction is challenging in the digital sphere, but here too the GDPR has made great strides. Its provisions can be appropriately modified and implemented in the Indian legal system. If a website or service targets Indians, then it must obey Indian laws and regulations. In order to determine whether a website or a service targets Indians, the following things could be checked:
- It uses an Indian language; or
- It allows people to enter an Indian address; or
- It mentions India, Bharat or Hindustan prominently; or
- It allows payments to be made in Indian rupees; or
- It has a registered office located in India.
Jurisdiction can be enforced by:
- Local agents of a body corporate that is located outside the country can be held liable for the actions of the body corporate. Local agents could include employees of the body corporate, local office of the body corporate or a subsidiary of the body corporate.
- Each body corporate that targets Indians may be required to have a data protection officer located in India if the body corporate is of a certain size, for example, if the body corporate has 200 employees or a revenue exceeding 10 crore Rupees, there could be a requirement to have a local agent in India that is held responsible for the actions of the body corporate. Please note that these figures are for representational purposes only.
- A website or a service that targets Indians but does not obey Indian laws / regulations and against which there is no way to enforce Indian laws and regulations may be prevented from operating in India or targeting Indian users.
Data protection has two aspects: privacy and security. The current law for data protection in India exists in the form of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A of the Information Technology Act, 2000. These rules are insufficient to ensure proper protection, both in their substance and in their enforceability. Governments and multinational corporations are collecting, processing and sharing vast amounts of data without any checks and balances. The current system is riddled with privacy concerns and needs a major re-working. Internationally, the movement for strong data protection laws is progressing at a rapid pace. Soon, the lack of a proper data protection framework will be economically disadvantageous to India due to the General Data Protection Regulation in the European Union and laws in other countries that are designed along similar lines, as these laws require a similar level of protection to be offered for personal and sensitive personal data in other countries before allowing data to be transferred to those countries. With the recent nine-judge judgment in the case of K.S. Puttaswamy v. Union of India recognizing that the right to privacy is a fundamental right, and the looming economic disadvantage, the time is right for revisiting the creation of a robust framework for data protection in India.
Data Protection in the Indian Context
The Information Technology Act, 2000 has the following provisions that constitute the basic data protection regime in the country:
- Section 43A: This provision entitles the individual to claim compensation if the data handler has been negligent in safeguarding their sensitive personal data, and they have suffered a subsequent wrongful loss, or a wrongful gain has accrued to another thereof. However, this provision can only be successfully used if the individual can prove he has incurred a wrongful loss or someone else has benefited wrongfully.
- Section 72: Under this provision, a person who has power under the IT Act to handle items such as any book, register, or electronic record, and has without consent received access to them, cannot disclose their contents to another. If he does, he can be punished with imprisonment for two years, or a fine which may extend to one lakh rupees, or both.
- Section 72A: This clause provides recourse when an individual operating under a contract, gains access to certain personal information of another person with the intention of causing wrongful harm/gain, and discloses this information without consent, or in breach of the contract. The penalty under this clause extends to a fine of five lakh rupees, or an imprisonment term of three years, or both.
- Access to data for law enforcement & security purposes:
- Section 67C: Under the IT (Intermediaries Guidelines) Rules, 2011, the service providers (all intermediaries) have to retain content that is grossly harmful, harassing, defamatory, or violates the laid down list under Rule 3 of these Guidelines. The actual content and associated information has to be preserved for 90 days for investigation purposes.
- Section 69: This provision permits the Central or State Government to issue orders for interception, monitoring or decryption of data if either Government is satisfied of the necessity of the action in interest of sovereignty, defence, or security of the State, or public order among other things.
- Section 69B: The Central Government can under this provision monitor and collect traffic data, or information generated, transmitted or stored, if required to enhance cyber security and for identification, analysis and prevention of intrusion or spread of computer contaminant in the country.
- Various Sectoral Laws: There are various sectoral laws that indirectly provide for security of sensitive personal data by setting encryption standards, or clauses that prohibit breach of confidentiality. Most of these laws deal with information such as financial transactions, medical and health related data, among other things.
These provisions cover personal information, like date of birth, email address, gender, address; and sensitive personal information, which includes an individual's biometrics, passwords, financial and health information, and sexual orientation, as included under Rule 3 of the IT (Reasonable Security Practices) Rules, 2011. The Rules address the following aspects:
- Consent & notification;
- Guidelines for how the data can be used;
- Under what circumstances data can be disclosed to third parties;
- Data retention period;
- Deletion of data;
- Access and rectification of data by the user;
- Responsibilities of the data handler;
- Cross border transfer of data;
- Grievance redressal & recourse mechanism.
Government and state actors that handle sensitive personal data are exempted from these provisions, both for liability in failure to protect, and for following security practices laid down in the 2011 Rules.
Section 43A only refers to compensation for failure to protect 'sensitive personal data', when such failure has consequently accrued a wrongful loss to an individual, or led to wrongful gain of a third party. Therefore, apart from sensitive personal data, compensation cannot be claimed for breach of any other kind of personal information, even if there is proof of wrongful loss or gain.
For both personal data and sensitive personal data, the 2011 IT Rules on reasonable security practices for sensitive information maintain that the International Standard IS/ISO/IEC codes of best practices should be followed. Any other code must be approved and notified by the Central Government, which assesses its effectiveness, before being implemented (Rule 8). However, for certain types of sensitive personal information, like financial data, SEBI and the RBI have recommended 128 bits of encryption for such transactions.
The data that is controlled by services based abroad is usually transferred to wherever their servers are located, most often not in India. The Terms of Service of most of these services, like Facebook, Twitter and Google, explicitly state that the data collected is transferred outside the country. However, at present we don't have any provision that controls or provides insight into cross border transfers of data. There is no law that enumerates conditions, safeguards, or any other details for the processing of data of Indian users abroad.
Any sensitive information, if it is freely accessible or available in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force, is not regarded as sensitive personal information qualifying for protection under the 2011 Rules for reasonable practices. There are stricter procedures in place for processing sensitive personal data, although both types of data must be maintained with similar security standards under the 2011 Rules. For personal information, the 2011 Rules mandate a privacy and disclosure policy that needs to be uploaded on the website of the entity and/or made available for viewing by the public. This policy should contain:
- the type of information that will be collected; and
- the manner in which this collected information will be used, disclosed, retained, and security practices for safeguarding of such data.
A body corporate that is handling any kind of sensitive personal data has to follow the provisions laid down in the 2011 Rules regarding the collection, disclosure, transfer, and reasonable security practices & procedures as per Rules 5,6,7 & 8 of the Rules.
Before sensitive personal data is collected, the body corporate or any other person (authorized to do so) on its behalf has to comply with Rule 5 of the 2011 Rules for reasonable security practices, which stipulates the following necessary prerequisites:
- Consent of the data subject in writing through letter, fax, or email.
- Collection to be limited to lawful purpose connected to the activity performed by the body corporate, and it is necessary to collect the data for this purpose.
- Ensure that data subject is aware that the said information is being collected, the purpose of collection, the intended recipients, the name and address of the agency that is collecting the information, and the agency that will retain the information so collected.
- An option to the data subject to not give their sensitive personal information in the first place or withdraw consent earlier given. However, in such a situation, the body corporate can deny any goods or services that require furnishing of such information as a part of a lawful contract for their delivery.
The body corporate or any person on its behalf has to ensure that the collected sensitive personal information is:
- Retained only for the purpose for which it was lawfully collected, or if any other law asks for further retention.
- Utilized for the purpose for which it was collected.
- Accessible to the individuals concerned so that they can review their given information and provide corrections in case of inaccuracy or deficiency.
As per the procedures laid down under Rule 6, in certain cases sensitive personal data can be disclosed to third parties and Government agencies. There are three ways in which body corporates can disclose their collected sensitive personal data to third parties:
- Only with prior consent of the data subject, information that is collected under a lawful contract can be disclosed to third parties.
- If the lawful contract under which such information is collected contains a clause for disclosing it to third parties, prior consent of the data provider is not necessary.
- When it is ordered under a law that is in force, or is necessary for compliance of a legal obligation, sensitive personal information can be disclosed without any prior consent.
The government agencies can access sensitive personal information without prior permission of the data subject when they are mandated under law to do so for the purposes of verification of identity, or for the prevention, detection, investigation, prosecution and punishment of offences including cyber incidents. A request in writing has to be made by the government agency to the requisite body corporate for obtaining sensitive personal data of an individual. The government agency shall have to state along with this request that the information obtained will not be published or shared with any other person.
The body corporate can transfer sensitive personal information to any other entity in India or abroad, provided:
- It ensures the same level of protection for the data as is adhered to by the body corporate itself; and
- The transfer is necessary for the performance of a lawful contract between the body corporate and the data subject, or the data subject has consented to such transfer of their data.
Section 43A of the IT Act requires body corporates that handle sensitive personal data to implement and maintain reasonable security practices and procedures, as provided in applicable law or as prescribed under the 2011 IT Rules on reasonable security practices. Rule 8(1) requires those practices to protect the information from:
- unauthorised access;
- damage;
- use;
- modification;
- disclosure; or
- impairment.
A body corporate, or a person acting on its behalf, must have a comprehensive, documented information security programme and information security policies containing managerial, technical, operational and physical security controls commensurate with the information being protected and the nature of its business. Rule 8 of the 2011 Rules cites the international standard IS/ISO/IEC 27001 ("Information Technology - Security Techniques - Information Security Management System - Requirements") as one such standard. Body corporates may follow other codes of best practice, but these must be approved and notified by the Central Government before they count as compliance. The standard adopted applies to both personal information and sensitive personal data or information.
Rule 8(4) requires an audit at least once a year, or whenever the body corporate significantly upgrades its processes and computer resources. The audit must be conducted by an independent auditor approved by the Central Government; passing it is how a body corporate demonstrates that it maintains reasonable security practices. Nothing in the Rules makes the audit reports available for public scrutiny.
The 2011 Rules themselves prescribe no penalty for non-compliance with the prescribed standards and practices, whether for personal data or for sensitive personal data. Liability arises only under Section 43A of the IT Act: a body corporate must pay compensation if its negligence in implementing reasonable security practices for sensitive personal data or information causes wrongful loss or wrongful gain to any person. No corresponding liability exists for personal information that is not sensitive.
Rule 5(9) of the 2011 Rules requires a body corporate handling sensitive personal information to designate a Grievance Officer and to publish the officer's name and contact details on its website. The Grievance Officer must redress grievances within one month of receiving them.
There is no obligation to notify individuals when their personal or sensitive personal data is breached, and no recourse at all for a breach involving personal information that is not sensitive. An individual who can show wrongful loss or wrongful gain caused by a body corporate's negligence in implementing reasonable security practices for sensitive personal data can claim compensation under Section 43A of the IT Act.
There is no distinction between raw data and aggregate/anonymized data, nor any separate provisions for their processing/handling.
A.P. Shah Committee Report
In 2012 the Planning Commission constituted a Group of Experts headed by Justice A.P. Shah to identify issues relating to privacy and to set out principles for an overarching privacy legislation. The committee was formed in the wake of concerns about programmes such as NATGRID, DNA profiling and the Unique Identification Number.
The committee undertook a thorough study of the right to privacy, including its international standing and constitutional status, and released a report containing recommendations, salient features for a legislation and a set of suggested privacy principles.
The five salient features for a framework on privacy suggested by this committee are:
- Technology neutrality and interoperability with international standards: privacy legislation should apply to generic categories of technology rather than to data collected or processed through a specific mode. With data transfers and sharing becoming a business model, a privacy framework should also be compatible with international standards.
- Multi-dimensional privacy: There are various dimensions of privacy, including 'appropriate protection from unauthorized interception, audio and video surveillance, use of personal identifiers, bodily privacy, including DNA.'
- Horizontal Applicability: A legislation on privacy should apply to both corporate sector as well as the Government and include duties and responsibilities for both.
- Conformity with the nine privacy principles: the report lays out privacy principles that the committee considers essential in any regime that protects the privacy of its citizens. These principles are discussed in detail below.
- Co-regulatory enforcement regime: establish the office of a privacy commissioner at the central and regional levels as the primary enforcement authority, complemented by self-regulatory mechanisms in which the bodies vested with this power have industry-specific know-how and raise awareness within their industries of the importance of a privacy regime.
The Committee proposed 9 principles that should be included in a law on privacy and data collection. These principles are:
- Notice: at the time of collection, and otherwise, a notice should state what personal information is being collected, its purpose and use, the disclosure policies associated with it, the scope for security and correction, when the information can be legally accessed by third parties, and the protocol in the event of a breach, among other things.
- Choice and consent: consent of the data subject must be obtained before collecting, processing or sharing their personal data, and must be neither forced nor implied. Special attention is given to consent on behalf of children. Data controllers should take responsibility for protecting privacy rather than passing it to the data subjects.
- Collection Limitation: Only that data should be collected that is necessary to carry out the specified purpose of data collection and processing. Excessive collection of data should not take place.
- Purpose Limitation: Collected personal data should be used only for the purpose for which it was collected, and only after proper notice has been given and consent has been taken from the data subject. This data should be destroyed as soon as the purpose has been completed.
- Access & Correction: Data subjects should have the ability to verify whether a data controller has their personal data, obtain a copy of their personal data held by data controllers, and make corrections in such data or ask for deletion of such data if the data is inaccurate.
- Disclosure of Information: Personal data should not be disclosed by a data controller to any third party without taking informed consent of the data subject. Third parties to whom such data has been disclosed must also abide by these privacy principles. An exception has been made for data disclosed to law enforcement in accordance with the laws in force. Personal data should not be made publicly available by the data controllers.
- Security: It is the duty of data controllers to protect personal data by employing reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.
- Openness: Data controllers should make their privacy policies, practices, systems and procedures available to the general public in multiple languages. Special focus has been given to making the data available in open standards/accessible format for disabled people.
- Accountability: The data controller is accountable to the individual, government and other stakeholders for compliance with the privacy principles. This includes but is not limited to providing tools, training and education to staff, external and internal audits, and extending all necessary support to the government agency responsible for protecting privacy. This also includes thinking about privacy from the ground up when designing new products and services, and protecting privacy of individuals from service providers until it is absolutely necessary to reveal some personal information.
International Legislations on Data Protection
Following the creation of the European Union, the Data Protection Directive of 1995 (Directive 95/46/EC) was adopted as a comprehensive law for the Member States, with the aim of fostering closer economic and social relations through common frameworks for the private and public sectors. The Directive governed the processing of personal data while preserving the free movement of data needed for economic progress. Article 8 of the European Convention on Human Rights (ECHR) protects private and family life, and Articles 7 and 8 of the EU Charter of Fundamental Rights protect private life and personal data respectively; the 1995 Directive gave these rights substance in a law applying across the Union.
The 2002 Directive (Directive 2002/58/EC) specifically applies to processing of personal data in the electronic communications sector. Its scope extends to protecting legitimate interests of subscribers who are legal persons as well. 'Communications' with respect to this law pertains to 'any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communication service.' This Directive is aimed at regulating the means of processing personal data by the providers of publicly available electronic communication service.
The General Data Protection Regulation (GDPR) was adopted in 2016 and applies from 25 May 2018. It imposes stricter requirements and liabilities for the collection, processing, use and transfer of personal and sensitive personal data. In January 2017 the European Commission also proposed a draft ePrivacy Regulation to replace the 2002 Directive; among other things it extends protection to metadata and requires an easy way to accept or reject tracking cookies.
The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, Ireland's transposition of the 2002 Directive, regulate unsolicited electronic marketing, calling line identification, directory services, data collection and other aspects of data processing affecting telecommunications users.
The Regulations apply to all publicly available electronic communication services, and contain stipulations such as:
- Without consent, no subscriber or user may receive unsolicited marketing communications through automated calling machines, fax or email.
- All marketing communications must identify the communicator and where applicable, the person on whose behalf the communication is made.
- Marketing emails must not hide the identities of senders.
- Before adding subscribers to directory services, they must be informed about the purpose of the directory service and any further usage possibilities, allowed to determine if their personal data is included in the directory, and allowed to determine what personal data is included, and to verify, correct or withdraw such data.
- Subscribers must have the option, free of charge and on a per-line basis, of preventing their calling line identification from being presented. They must also be able to prevent presentation of the calling line identification of incoming calls.
- Location data other than traffic data is not to be processed by anyone unless such data is made anonymous, or such processing has been consented to.
- Service providers must take appropriate measures to safeguard security, including at least the following: personal data must be accessible only to authorized personnel for legally authorized reasons; personal data must be protected against accidental destruction, loss, alteration and unauthorized storage, processing, access or disclosure; security policies must be implemented with respect to processing of personal data.
- Subscribers must be informed of any particular risk of a security breach and, where applicable, of possible remedies including their estimated costs.
- Data Protection Commissioner as well as subscribers likely to be affected must be informed of any security breaches that have occurred. Service providers must also maintain inventories of personal data breaches, mentioning facts surrounding the breaches, their effects and remedial actions taken.
General Data Protection Regulation (proposed in 2012, final compromise text released in December 2015, adopted in April 2016, applying from May 2018)
The Regulation was proposed to review and revise the existing EU data protection regime so as to ensure greater transparency, accountability, security and free flow of personal data in line with technological developments. Beyond its material scope (the processing and free movement of personal data), its territorial scope extends to controllers not established in the EU that nevertheless process personal data in connection with offering goods or services to data subjects in the EU, or with monitoring their behaviour. The law rests on principles that set out the approach to be followed in processing personal data. The principles of lawful collection, accuracy, and relevant and necessary use for the purpose of collection carry over from the 1995 Directive; to these the Regulation adds transparency between controllers and processors on one side and the data subject on the other, and accountability through comprehensive responsibility and liability for controllers and processors.
Lawful processing of personal data
Article 6 of the GDPR, which corresponds to Article 7 of the 1995 Directive, sets out the situations in which processing of personal data is lawful. (The article numbers cited in this discussion follow the 2012 Commission proposal; several shifted in the adopted text, for example the right to object and the provisions on profiling became Articles 21 and 22.) The lawful bases are largely identical to those in the earlier Directive, with the following additional safeguards:
- The first basis is the consent of the individual. The 2012 proposal changed the definition of consent from 'unambiguous' to 'explicit' to leave no room for misinterpretation; the adopted text (Article 4(11)) kept 'unambiguous' for consent in general and requires explicit consent only in specific cases, such as the special categories of data under Article 9.
- Sub-clause (c) of Article 6 permits processing that is necessary for compliance with a legal obligation to which the controller is subject, and sub-clause (e) permits processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Article 6(3) makes these clauses contingent on there being a basis for them in Union law or in the law of the Member State invoking them, and such laws must meet an objective of public interest or be proportionate to the legitimate aim pursued, respecting the rights and freedoms of others and the protection of personal data.
As noted above, the proposal redefined consent as explicit rather than merely unambiguous, and placed the burden of proof on the controller to demonstrate that consent was obtained. The GDPR retains from the 1995 Directive the data subject's ability to withdraw consent. Unlike its predecessor, it contains a separate provision on consent for processing the personal data of a child: for services offered directly to children, personal data of a child below 16 years of age cannot be processed without consent given or authorised by the child's parent or guardian (the adopted text lets Member States lower this threshold to no less than 13). The controller must make reasonable efforts, using available technology, to verify such consent, and the Commission may lay down standards for obtaining verifiable consent. Sensitive personal data is accorded the same standard of protection as under the 1995 Directive, and an additional safeguard is added: the controller may not acquire additional information about the data subject solely in order to comply with a provision of the Regulation (Article 10 of the proposal, Article 11 of the adopted text). This establishes a standard of necessity for any additional personal information requested.
Rights of Data Subject
Chapter III of the GDPR sets out the rights of the data subject. Improving on the earlier regime, it includes a section on transparency in the relationship between controller and data subject: the controller must have easily accessible privacy policies in which any information relating to the processing of personal data is given in clear and plain language, with specific attention (Article 11 of the proposal) to information addressed to children. Another significant addition is a one-month limit within which the controller must respond on the action taken on a data subject's request to access or rectify personal data. If the controller refuses to act, the data subject may lodge a complaint with the supervisory authority and seek a judicial remedy.
The information to be provided to data subjects before collection is similar to that under Directive 95/46, with the addition of the retention period and the right to lodge a complaint with the supervisory authority. To the rights of access, rectification and erasure (the right to be forgotten) the GDPR adds the right to data portability. This right is limited to data processed by electronic means in an automated processing system; it obliges the controller, at the data subject's request, to transmit the personal data to another automated system. Articles 19 and 20 of the proposal (Articles 21 and 22 of the adopted text) give data subjects the right to object and protection against measures based on profiling. The right to object lets a data subject require the controller to stop processing their data unless the controller demonstrates compelling legitimate grounds that override the data subject's rights; for direct marketing the right to object is absolute. The GDPR further prohibits automated processing intended to evaluate or predict a person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour, unless it is carried out in the performance of a contract, is expressly authorised by law, or the data subject has consented to it.
The right to privacy and the freedoms it enables can be restricted in the face of exigencies whose implications override an individual's privacy interest. The GDPR therefore provides restrictions that limit when a data subject's rights may be curtailed, legitimise those situations and add safeguards against misuse. Member State laws must, at a minimum, set out the objectives for which the following exceptions can be used:
- public security;
- prevention, investigation, detection, and prosecution of criminal offences;
- important economic or financial interests of the Union or of a Member State;
- prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- monitoring, inspection, or regulatory function connected, even occasionally, with the exercise of official authority in above mentioned exceptions;
- protection of the data subject or the rights and freedoms of others.
Data Protection & Security
Besides retaining the security measures of the 1995 Directive, the GDPR stresses prompt notification of personal data breaches to the supervisory authority and to the data subject. The 2012 proposal required notification to the supervisory authority within 24 hours; the adopted text (Article 33) requires notification without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. The notification must describe the nature of the breach, the categories and approximate number of data subjects concerned and the likely consequences, give the identity and contact details of the data protection officer, and set out the measures recommended to mitigate adverse effects. The data subject must also be notified without undue delay, which the adopted text (Article 34) requires where the breach is likely to result in a high risk to their rights and freedoms.
Moreover, borrowing from environmental impact assessments, the GDPR introduces the data protection impact assessment (DPIA): an assessment of processing that poses 'specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope, or their purposes'. The provision gives a few examples of processing that may require a DPIA: information on sex life, health, race and ethnic origin; large-scale filing systems holding personal data on children, genetic data or biometric data; and evaluation of a person's economic situation, location or behaviour. Conducting the assessment involves public consultation where appropriate, assessing legal obligations where the data is processed by a public authority, and thereby developing a comprehensive understanding of the risks, safeguards and security measures that should be in place for the processing.
Personal data may be transferred for processing to a third country or international organisation outside the EU on the basis of an adequacy decision, i.e. a decision by the Commission that the third country ensures an adequate level of protection. Adequacy is assessed with reference to the rule of law, the legislation in force (including on defence and national security), and the effective functioning of independent supervisory authorities responsible for data protection, among other things. Without an adequacy decision, a controller or processor may transfer data provided appropriate safeguards are in place, by means of binding corporate rules or standard data protection clauses adopted by the Commission or a supervisory authority. Both routes can be dispensed with in limited cases, for example where the data subject has consented to the transfer after being informed of the risks, where the transfer is necessary for important reasons of public interest, or where it is necessary for the performance of a contract between the data subject and the controller.
Recourse & Remedies
A data subject whose rights under the Regulation have been violated may lodge a complaint with a supervisory authority in any Member State; complaints may also be lodged on behalf of other data subjects. Every data subject is further entitled to a judicial remedy against decisions of the supervisory authority, and also where the authority has not dealt with the complaint or has not informed the data subject within three months of its progress or outcome. Such proceedings are brought before the courts of the Member State in which the authority is established.
Apart from remedies against the supervisory authority, a data subject has a right to a judicial remedy against a controller or processor. Such claims can be brought before the courts of the Member State where the data subject resides, unless the controller is a public authority acting in the exercise of its public powers; Member States must enforce the resulting judgments. Besides judicial remedies, the Regulation provides for administrative sanctions imposed by the supervisory authorities. These are determined case by case and must be effective, proportionate and dissuasive. The amount of a fine is assessed with regard to the nature, gravity and duration of the infringement, its intentional or negligent character, the degree of responsibility of the natural or legal person, any previous infringements by that person, and the degree of cooperation with the supervisory authority in remedying the infringement. The adopted text (Article 83) caps fines at EUR 10 million or 2% of worldwide annual turnover for one tier of infringements and at EUR 20 million or 4% for the most serious, whichever is higher.
United States of America
The legal framework for the protection of privacy in the United States differs from that in the EU. Where the EU has central instruments on which national laws are based, the United States relies on distinct sectoral laws governing the privacy of personal data. Regulation is further complicated by state-specific laws on the collection, use and disclosure of personal data. There is no general law governing cross-border transfer of personal data.
The US Constitution contains no express right to privacy; the courts have derived one principally from the First Amendment (freedom of speech and assembly, the counterpart of Article 19 of the Indian Constitution), the Fourth Amendment (protection against unreasonable searches and seizures) and the Fourteenth Amendment (the due process clause). As in India, the courts have developed the scope of this right to cover privacy concerns in matters such as reproduction and the search and seizure of documents and computers. Its jurisprudence spans reproductive rights, the right to view obscene material in the privacy of one's home and, more recently, the contents of a person's computer.
Sector-specific federal regulators, such as those for the communications, medical and financial sectors, regulate privacy in their own domains. The Federal Trade Commission (FTC) regulates privacy in areas such as telemarketing and commercial email, and brings enforcement actions under Section 5 of the FTC Act: inadequate security measures are treated as unfair practices, and misrepresenting data collection, processing and disclosure practices is treated as a deceptive practice.
Although data privacy and protection are split across multiple laws and regulators, collection of personal data generally requires notice to the individual beforehand. Processing and disclosure generally require a way to opt out, while for certain data, such as medical information and geolocation data, opt-in consent is required.
Security requirements vary by sector, but sensitive personal data such as medical and financial information must generally be protected by reasonable security measures. Security audits are mandatory in the financial sector.
Almost all US states require notification of a data breach involving sensitive personal data. Federal law requires notification for breaches in the financial, medical and telecommunications sectors.
Singapore
The Personal Data Protection Act 2012 (PDPA) covers the collection, processing and disclosure of personal data in Singapore. Sensitive personal data is not given any additional protection.
The Act does not cover publicly available personal data. Collection of personal data by news organisations for their news activity is exempt under the Act, but their subsequent processing of that data is not. Unusually, Singapore's law provides an exception for the collection, processing and disclosure of personal data for the purpose of recovering a debt owed to the organisation. Other exceptions from the obligations of organisations and the rights of individuals, such as those for national interest and the investigation and prosecution of offences, are set out in the Second, Third and Fourth Schedules of the Act.
The Act requires a notice to be provided and consent to be taken in most circumstances, barring situations where consent is deemed as well as the situations covered under the Second, Third and Fourth Schedule.
The notice must include the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data. Any other purpose of the use or disclosure of the personal data must be brought to the notice of the individual before using the personal data for a new purpose. On request by the individual, the business contact information of a person who is able to answer the individual’s questions about the collection, use or disclosure of the personal data on behalf of the organisation needs to be disclosed.
Organizations collecting data from other organizations are under an obligation to inform such an organization about the purpose of collection of data so that the organization that is giving the data can determine whether the transfer of data would be in accordance with PDPA.
The PDPA imposes the following obligations on organisations that control personal data:
- Notification - Notice of purpose for collection and processing, and/or disclosure of personal data to be given to an individual before collection of data.
- Consent - Consent to be taken before collection, processing or disclosure of personal data.
- Purpose limitation - Collected data is to be used for only the purposes for which it was collected. Additional purposes require an additional consent.
- Accuracy - Organizations are under an obligation to ensure that the data is accurate.
- Access and correction of data - Individuals must have the ability to access their personal data held by organizations, and must have the ability to make corrections in the data.
- Transfer limitation - Organizations are required to ensure that any data they transfer to another organization is not made without proper notice and consent. For data transfers to another country, the organization must ensure that the data is transferred only if there is a comparable standard of legally enforceable protection under a law, a contract, binding corporate rules, or other legal means.
- Retention limitation - Data must be deleted when the purpose for collection has been completed and it is no longer necessary to retain the data for any legal or business purpose. The Act does not explicitly define a time limit, leaving the time of deletion to be decided based on the completion of purpose. There is no specific clause under which a data subject can request for deletion of his/her data.
- Security - Organizations must ensure protection of data by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. There is no requirement under the Act to notify about a data breach.
- Openness - Organizations are under an obligation to provide, upon request by an individual, details regarding its complaint procedure and its data security practices.
Complaints regarding access and correction of data can be made to the Personal Data Protection Commission (PDPC). The Commission can issue directions for resolution of complaints, or refer the matter for mediation with the consent of both parties. The Commission is responsible for enforcement of the Act and has the power to investigate matters suo motu. Apart from issuing fines and prosecuting matters in court, the PDPC can issue directions to stop collection, processing or disclosure of personal data, and to delete personal data.
The Brazilian Internet Act (Federal Law No. 12.965/2014) and Decree No. 8.771/16 under the said Act provide limited protection in the security and processing of personal data. The Act deals with storage, processing and disclosure of data collected on the internet. The Federal Constitution of Brazil, the Brazilian Civil Code and multiple sectoral laws, such as those in the medical, financial and telecommunications sectors, provide for protection of privacy. A comprehensive data protection framework under Bill of Law No. 5.2726/16 (the Bill) has been given urgent status by the President of Brazil.
Article 5 of the Federal Constitution declares that:
- personal intimacy, private life, honour and reputation are inviolable;
- access to information is assured to everyone, protecting the confidentiality of sources when necessary for professional activity;
- secrecy of correspondence and of telegraphic, data and telephonic communications is inviolable, except, in the latter case, by court order, in the situations and manner established by law for purposes of criminal investigation or the fact-finding phase of a criminal prosecution.
Under the existing law, it is not necessary to appoint a data protection officer. The Bill provides for the following three roles to be appointed by a data controller:
- Responsible – The Responsible would ensure transparency of information regarding security breaches, what data will be collected and what that data will be used for. In case of a dispute, the burden of proof would be on the Responsible to show that consent was properly taken.
- Operator – The Operator would process data based on the directions of the Responsible.
- Designated – The Designated would train employees in data protection, receive communications from the supervising authority, and receive complaints from and provide information to data subjects.
Under the Brazilian Internet Act, consent is necessary before data can be collected, stored, processed or transferred by a data controller. Data processing is allowed only for the purpose for which the data was collected. Under the Brazilian Consumer Protection Code, a consumer must be notified in writing if their personal data is recorded when they did not request it. Consumers have the ability to access their data and to correct it if it is incorrect. The Bill contains principles such as informed consent, purpose of processing, transparency and security, among others.
Data can be retained only as long as it is necessary for the purpose for which it was collected. Cross-border transfer of data is not barred under current Brazilian law. Notifications of security breaches are also not necessary under the current law. The Bill, if passed, would require notice of breach to individuals affected by it and a notice of the breach to the relevant authority. Cross-border transfers would be allowed to only those countries that have a similar level of protection.
Data processors in Brazil are required to ensure reasonable security of the data. Special protection is required for certain records such as IP addresses and login details under the Brazilian Internet Act. The Decree requires the following security standards:
I. The establishment of strict control over access to data, by defining the responsibilities of persons who will have the possibility of access and exclusive access privileges for certain users;
II. The provision of authentication mechanisms for access to records, using, for example, dual authentication systems, to ensure the individualization of the person responsible for the processing of records;
III. The creation of a detailed inventory of access to connection records and application access records, containing the moment, duration, identity of the employee or of the person designated by the company, and the file accessed, including for compliance with the provisions of art. 11, paragraph 3, of the Brazilian Internet Act;
IV. The use of records management solutions through techniques that guarantee the inviolability of data, such as encryption or equivalent protection measures.
In a judgment delivered by a nine-judge bench in the case of K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. on 24 August 2017, the Supreme Court of India affirmed that citizens have a fundamental right to privacy. The nine-judge Constitution Bench, comprising Chief Justice of India (CJI) J.S. Khehar and Justices D.Y. Chandrachud, J. Chelameswar, S.A. Bobde, A. Nazeer, R.K. Agrawal, R.F. Nariman, A.M. Sapre and S.K. Kaul, held in a unanimous decision that the Right to Privacy is protected as an intrinsic part of the Right to Life and Personal Liberty under Article 21 of the Constitution and of the other freedoms guaranteed under Part III of the Constitution.
The nine-judge Bench was tasked with answering the specific question of whether the previous Supreme Court judgments in M.P. Sharma v. Satish Chandra (an eight-judge Bench) and Kharak Singh v. State of Uttar Pradesh (a six-judge Bench) were correct in holding that the Constitution of India does not envisage a fundamental right to privacy.
CJI J.S. Khehar read out the ratio decidendi:
(i) The decision in M.P. Sharma, which holds that the right to privacy is not protected by the Constitution, stands overruled;
(ii) The decision in Kharak Singh, to the extent that it holds that the right to privacy is not protected by the Constitution, stands overruled;
(iii) The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.
(iv) Decisions subsequent to Kharak Singh which have enunciated the position in (iii) above lay down the correct position in law.
Since the Right to Privacy has been recognized as a fundamental right, the protection of privacy is now a duty of the government. Fundamental rights are not only protected against violations by the State; the State also has a duty to protect them from violations by others. The right to data protection stems from the right to privacy. As such, ensuring a robust framework for data protection is a duty of the government, so that the right to privacy can be protected in a modern and rapidly evolving world.
Narayanan, A. and Shmatikov, V., Robust De-anonymization of Large Sparse Datasets, available at https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf, last accessed on Nov. 7, 2017.
Ohm, Paul, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization (August 13, 2009), UCLA Law Review, Vol. 57, p. 1701, 2010; U of Colorado Law Legal Studies Research Paper No. 9-12, available at SSRN: https://ssrn.com/abstract=1450006.
Data Protection Bill [HL], 2017-19, available at https://publications.parliament.uk/pa/bills/lbill/2017-2019/0066/18066.pdf, last accessed on Nov. 7, 2017.
K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., Writ Petition (Civil) No. 494 of 2012.
M.P. Sharma v. Satish Chandra, AIR 1954 SC 300.
Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295.