There is a land rush to establish a data privacy and protection law in India. Things have changed from two years ago, when the government was repeatedly insisting that the Information Technology Act of 2000 was adequate for the task. At this time, there is a draft Bill proposed by a government-formed commission, there is a set of recommendations by the telecom regulatory authority, and there is a ‘citizens’ law’ proposed by a small group of technically literate elite. These are welcome initiatives, but none of them is comprehensive enough when it comes to balancing individual rights versus public accountability, nor do they go far enough to promote data protection.
Strikingly, but perhaps unsurprisingly, all three proposals refer to the EU’s General Data Protection Regulation (GDPR) since it is currently one of the most comprehensive data protection regulations in the world. The three proposals also resemble the EU’s GDPR in many portions, sometimes down to verbatim copy-and-paste sections. Where they differ, they reflect their creators’ ideologies and biases.
The proposal that is closest to becoming a law is the ‘Personal Data Protection Bill, 2018’ (PDP Bill), released by a commission headed by retired Supreme Court Justice B.N. Srikrishna. It is also the closest to the GDPR, mimicking it in structure, data protection concepts and penalties. While the PDP Bill hits all the right notes, there are enough changes to please business interests and appease the paternalistic and bureaucracy-loving elements of the Indian government. Thus, while the end result evokes the spirit of data protection, the letter of the law seems set to create confusion and red tape. Things are heading from a ‘license raj’ to a ‘data protection raj’.
The Telecom Regulatory Authority of India released its ‘Recommendations on Privacy, Security and Ownership of the Data in the Telecom Sector’ (TRAI Recommendations) a week before the PDP Bill. Although TRAI approaches the issue from the telecom sector, it also tries to establish sweeping norms such as the titular issue of ownership of data and standards for data encryption. The TRAI’s approach to data ownership is flawed, but even at face value it glosses over important nuances in data ownership and has missed a huge opportunity to significantly enhance data protection.
The third proposal originated with a small group of private citizens and builds on earlier work by the Centre for Internet and Society, one of the earliest advocates for a dedicated data protection bill in India. The ‘Indian Privacy Code, 2018’ (Citizens’ Law) resembles the GDPR in matters of consent and data processing, but pushes individual privacy rights much further. It is also heavily preoccupied with surveillance, a word that occurs 124 times and is the second most frequent concept after privacy (298 occurrences). Approximately 20% of the total text is devoted to the topic of surveillance.
As mentioned above, each proposal improves on the current state of data protection law and regulation and therefore offers a net benefit to individuals. A fine-grained analysis of the virtues and flaws of any one proposal deserves more time and a much longer treatment. However, an earlier analysis of the GDPR identified some of its shortcomings, and these three proposals fail to address those same issues. Where they depart from the GDPR in their zeal to protect individual data subjects, they may actually end up diminishing individual rights and government accountability. The first of these concerns the question of who owns personal data.
The TRAI Recommendations and the Citizens’ Law take the approach that data subjects own their personal data, whereas the GDPR and the PDP Bill do not take this approach. As Arghya Sengupta wrote, ownership of personal data does not make sense conceptually or legally. It makes more sense to say that individuals should be able to control the collection and use of their personal data. However, even in terms of control, there are exceptional situations, which TRAI and the Citizens’ Law ignore.
Specifically, data about an individual collected by another person in a public space does not belong to the subject. This would apply to a person in a public space who is caught on camera or in a video or audio recording. For example, if an individual appears in a tourist’s photo of the Taj Mahal, the individual does not have any ownership or control of the photo. In data privacy terms, the individual, by being present in a public space, is giving consent to be recorded. Yet this exception has its own exception. Since children cannot give consent, they may not be recorded or photographed without explicit permission from a guardian, and if a child is included in the tourist’s photo, a parent should have the right and the backing of the law to ask that the photo be deleted. There are further nuances, such as automated CCTV recordings in businesses or public spaces, etc., where recording of minors may be allowed, as well as prohibitions against stalking or violations of bodily intimacy such as upskirting.
Another exception to individual privacy is crucial to a democracy, and it has to do with public employees and employees in public spaces. The PDP Bill and the Citizens’ Law assume a blanket protection of privacy, but exceptions should be made for public employees. Specifically, government employees in their offices or while fulfilling their official functions, public employees and law enforcement officials in uniform and elected officials outside their home or while interacting with members of the public should have no expectation of privacy. In such circumstances, the law should allow any private individual to photograph, record or observe public officials and request information about their activities and personal information such as salaries and property ownership through the freedom of information laws.
Such an exception for employees could also be extended to private employees in public spaces, such as waiters or managers in restaurants, theatre ushers or flight attendants in airline cabins. When employees in positions of some authority are violating norms or harassing others, a private individual’s recordings could be used to hold the violators accountable. The same also applies to private security guards.
The PDP Bill and the Citizens’ Law address storage period limitation of collected data similarly and in more explicit detail than the GDPR. While this is a welcome improvement, they still fail to address what would happen to the data if the data collector shuts down its operations or transfers ownership. In the case of a business firm winding up, since the legal entity would cease to exist, a data protection bill needs to address what remedies data subjects would have and what penalties the data protection authority would impose, and on whom, if the data collector (presumably) violated its terms and sold the data it had collected. Data subjects should have this information at the time they are asked to give consent for data collection.
Similar to the GDPR, the PDP Bill and the TRAI Recommendations promote the idea of data minimisation, but they do not wholly embrace the ‘less is more’ ethos of data abstention. This is especially important when it comes to data that is collected by the state or that private entities are required to collect through state mandate. The GDPR places an onus on member states to provide the purpose, scope, safeguards and risks to data subjects when the state seeks to restrict the rights of data subjects, whereas the PDP Bill and the TRAI Recommendations do not question whether state-mandated data retention is useful or beneficial. Yet such questions should be asked, and a data protection law should place a burden on the government to demonstrate the public benefit of data collection by the government or private entities mandated by the government that goes contrary to the principles of consent, purpose limitation, right to access and storage limitation. Take, for example, the requirement that internet service providers monitor and record the metadata of their customers’ online activities. The government needs to show that this has solved crimes or prevented terrorist acts such that it justifies violating the privacy of all customers and putting some of them at risk of blackmail, extortion or public loss of reputation if the data fall into the wrong hands.
TRAI’s recommendations arise from its role as a telecommunications regulator overseeing the flow of data. In that same regard, it has missed an opportunity to propose changes that are completely within its wheelhouse and which would significantly affect the security and safety of everyone in India. However, it is not too late to make a separate recommendation, and TRAI still can, and absolutely should, make it mandatory for every mobile SIM card to be issued with the SIM PIN enabled by default.
Factory setting the SIM PIN has been standard practice for years in European countries such as France and Sweden, where the code comes printed in the SIM card packet. The SIM PIN, sometimes also called PUK code, prevents a mobile device from sending or receiving calls or data whenever it is first powered up or the SIM is inserted into a device. Without a SIM PIN, every individual is susceptible to financial and data theft if they ever lose their mobile phone or someone gains momentary access to their device. A criminal can take the SIM out and insert it into their own device to gain immediate access to SMS messages that are sent to that number. The damage can be done in a few minutes, well before the victim is able to notify the carrier to block the SIM. Since the overwhelmingly prevalent second-factor authentication method uses one-time passwords (OTPs) sent via SMS, an unlocked SIM grants access to mobile wallets, bank accounts, email and social media. TRAI did not implement this common-sense measure the last time it looked into mobile phone theft; it should do so now.
Next, TRAI should urge the National Informatics Centre and the Ministry of Electronics and Information Technology to apply encryption to secure all government websites. A recent scan of 3,440 central government websites found that only 746 (22%) had properly working encryption (making them accessible via HTTPS rather than HTTP). This is up from a year ago, but there is still a long way to go. Some sites let users log in or provide personal information without any encryption.
When a site does not use HTTPS, third parties can snoop on the data flows between the server and the user’s device. Since many users reuse passwords across websites, getting access to real passwords, even if they are for sites that are not financial or do not hold sensitive data, can be a bounty for criminals. Furthermore, while the unencrypted sites may not be disclosing sensitive information, they pose a risk to users because the data being exchanged could be intercepted in transit and injected with malware. It can also be analysed to profile individuals – if someone visits websites about how to treat TB or HIV, such actions could be used to infer that they or someone they know is infected. Whether true or not, this is a violation of their privacy and could be used to stigmatise them.
More analysis and public debate will highlight other areas of improvement in the PDP Bill, and, if implemented, the TRAI Recommendations are a good interim measure. The concerns mentioned above are crucial, and also practical, to preserve individual rights, increase government transparency and strengthen data protections. They need to be raised with lawmakers and regulators either during periods of public comment or legislative debate.
Sushil Kambampati is the founder of YouRTI.in, a portal where anyone can suggest an RTI query anonymously. He created SecureTheWeb.info. He writes about online security and privacy and tweets at @SKisContent.