DATA – THE NEW OIL
Mr Rishi Wadhwa
Jul 11, 2020
Data in the 21st century is like oil in the 18th century: an untapped asset which stands to reward those who will see its value and devise ways to extract and use it.
In this data-centric ecosystem in which we operate and transact, huge volumes of data are being collected, be it through applications on smartphones or watches that monitor our health. Taking into account this heightened proliferation of data, be it in the business, health, financial or entertainment sectors, it has become imperative for us to comprehend the impact of such proliferation and appreciate the right to privacy, which must be carefully weighed.
What is privacy and why is it important?
Privacy, essentially, is the art of handling a piece of information/data based on its relative importance and/or category. Privacy is the right to be free from intrusions into one’s personal space and have a certain sense of control over how personal information is collected and used.
Therefore, we are at a point in time where privacy has become a standard to be complied with unanimously, considering that we find ourselves in a digital and cyber world. Hence, unauthorized access, data breaches, or personal information theft are no longer wild conjectures but prevalent realities which we must wrap our heads around to ensure the privacy of individuals’ data, every bit and byte of it.
The Indian Context: Legal Impact of Proliferation of Data
At present, there is no specific comprehensive data privacy law in India. However, a Personal Data Protection Bill, 2019 (“PDPB”) was introduced in the lower house of the Parliament on 10th December 2019. Once enacted in its current form, the PDPB will require a significant number of companies (both Indian and foreign) to revamp their operational practices in relation to data processing and embed practices and technologies that enable privacy and protection of data within their systems.
The said Bill is a by-product of the judgment in K.S. Puttaswamy v. Union of India (2017) 10 SCC 1, wherein the Supreme Court of India held that individuals have the fundamental right to privacy and recognized the need for the Government to put in place a legal regime that protects individuals’ right to privacy.
Currently, section 43A of the Information Technology Act 2000 (“IT Act”), along with the supplementary Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 [SPDI Rules], mandates an exhaustive protection regime in India in relation to sensitive personal data, and obliges corporate bodies who “possess, deal or handle” any Personal Information (PI) or Sensitive Personal Data or Information (SPDI) to implement and maintain “reasonable” security practices, failing which they would be liable to compensate those affected by any negligence attributable to such a failure.
Moreover, the Storage of Payment System Data Directive 2018 released by the Reserve Bank of India (RBI) mandates that the entire data relating to payment systems operated by payment system providers be stored in a system located in India. These data elements should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. This directive exempts data corresponding to the foreign leg of a transaction.
With the increase in data breaches and cybercrime internationally, data protection and cyber security are more important now than ever before.
The following are a few industry-leading practices for individuals and organisations:
· Security: Secure devices with a PIN on mobile, look out for privacy settings and disable location when not in use. Additionally, as a rule, always sign out of your email account and lock your device to avoid unauthorized access to your work-related or personal data.
· Information disclosure: Be wary of sharing your information (name, age, address, contact details, etc.) while taking part in offline or online surveys. These surveys may not only be used to profile you for unsolicited marketing, but you will seldom know the details related to why your data is collected, where it will be stored, with whom it will be shared and till when it will be stored.
· Secured networks: It is advisable not to connect devices to an unsecured Wi-Fi network, since the data transmitted via the network would lack security (e.g. encryption).
· Passwords: Use strong, unique alpha-numeric passwords for all of your online accounts, change the password periodically, and beware of onlookers in public spaces.
· Govern: Create a comprehensive privacy framework that assigns accountability for its privacy policies and procedures, defines the roles and responsibilities, and aligns the same to applicable privacy laws.
· Assess: Establish adequate controls for use, processing, storage, transfer and destruction of the data that is being collected.
· Choice and consent: Formulate an adequate consent mechanism acknowledging the rights of individuals and procuring consent to process their information.
· Protect: Put technological safeguards in place to protect personal data. Privacy must be incorporated by design, within the process.
· Monitor: Standardize metrics for privacy adherence, especially against the requirements. Monitor processes, systems and networks to identify data access, use, changes and breaches.
· Respond: Create an adequate process to identify and respond to data breaches.
To conclude, privacy, at its core, aims to safeguard data and information that may establish an individual’s identity, preferences, and activities. Hence, it is common sense to enhance and strengthen the current practices that govern almost everything from creation, processing, storing, and finally, destruction of personal data that belongs to individuals. Given the constant flux that we are observing in the data privacy and protection landscape in India and abroad, along with consumers becoming aware of their right to privacy, the onus has now shifted to the industry to focus on gaining and retaining customer trust by formulating privacy frameworks and practices that reflect a bona fide intention towards the data of individuals.