In this article, we will explain why data protection is important to private persons, what companies in India need to do in order to protect personal data and the penalties for failure to protect customers' data. On August 24, 2017, a nine-judge bench of the Supreme Court of India in the Justice K.S. Puttaswamy (Retired) v Union of India[i] ("Puttaswamy") unanimously recognized that the right to privacy is an intrinsic part of the right to life and personal liberty under Article 21. In a decision spanning 547 pages, the judgment recognizes several spheres where the need for privacy is necessary, including 'informational privacy' in the digital world. This is particularly relevant in the context of the internet, which has evolved from a virtual communications network into an interactive medium for services such as communications, entertainment, data storage, social networking and online marketplaces.
Why Should You Be Concerned About Your Data Privacy?
To define data privacy, it's useful to clarify exactly what is to be protected. Types of information commonly considered sensitive, both by the general public and by legal mandates are as follows:-
- Personally identifiable information (PII) — Data that could be used to identify, contact or locate an individual or distinguish one person from another
- Personal health information (PHI) — Medical history, insurance information and other private data that is collected by healthcare providers and could be linked to a certain person
- Personally identifiable financial information (PIFI) — Credit card numbers, bank account details or other data concerning a person's finances
- Student records — An individual's grades, transcripts, class schedule, billing details etc.
More broadly, in its "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)," the National Institute of Standards and Technology (NIST) gives the following examples of information that may be considered PII:
- Name, such as full name, maiden name, mother's maiden name, or alias
- Personal identification number, such as Social Security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, or financial account or credit card number
- Address information, such as street address or email address
- Personal characteristics, including photographic images (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric images or template data (e.g., retina scans, voice signature, facial geometry)
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
A data breach exposes confidential, sensitive, or protected information to an unauthorized person. The files in a data breach are viewed and/or shared without permission. Breaches are on the increase in India, a recent survey revealed that 69% of Indian organizations are at risk of a data breach, 44% encountered a data breach in the past and 25% don't have sufficient data breach assessment procedures in place. The survey found that cybersecurity preparations are often overlooked by operational management.
A breach can have severe impacts: private persons are vulnerable to identity theft, companies can take severe financial damage if they fail to protect personal data of individuals along with damaging their reputation which has ramifications in their relationship with investor, customer and public. Data privacy is all about handling data related to a person's identity, keeping it confidential and anonymous. It's also about respecting individuals. It's only reasonable that an individual would want their personal information kept private, it would be disrespectful for a company to ignore a person's wishes of keeping it private.
Personal data is not just about your name, email address, password or birth date. In large, a person visits hundreds of websites every year and makes use of various digital services to carry out everyday needs. In doing so an individual provides a lot of personal information affecting most aspects of life, from messages sent over social media, online shopping receipts, credit card statements, and personal associations. All of this data is very sensitive and can have drastic consequences on everything from your ability to board an airplane, get a driver's license, a new job or how your neighbors think of you.
Some things are private yet still we are required to share it to participate fully in the digital society we live in today. This is why it's so important for individuals to have control of what data is collected and how it's used by companies. One of the hallmarks of freedom is ownership of choices and data protection laws help us do just that, empower individuals with control of their privacy.
Someone Needs to be Held Accountable
Amidst the digital age, data privacy is becoming an increasingly more difficult challenge for companies. Penalties are used to create accountability. A penalty is imposed on a company if it fails to take acceptable responsibility in governing private data and if a data breach was made.
The challenge of data protection gets increasingly difficult the more data is collected on individuals. In some cases, using a service means that a private person needs to provide a lot of information about themselves in order to get full access to all features and use-cases.
It is also important to note the WhatsApp case before the Supreme Court wherein it was clarified that the SPDI Rules are applicable to a body corporate located in India. This is a cause of concern as data collected by prominent social media websites such as Facebook is entirely controlled by the principal entity (i.e. Facebook Inc.) on servers outside India and the Indian subsidiaries hold no data. Consequently, these companies fall outside the grasp of Indian laws even though they deal entirely with data originating in India. The litigation, thus, highlights the absence of regulatory control over sharing of data with cross-border entities. Another issue that has been highlighted is that a Press Note does not have the force of law and, therefore, leaves more ambiguity in the current regime. Based on these facts, the petition has challenged the constitutional validity of the SPDI Rules and the Press Note arguing that these rules fail to provide adequate remedy to Indian citizens against foreign corporations whose Indian subsidiaries exercise scarce control over data.
While the court has denied immediate relief, it has asked WhatsApp, Twitter and Google to submits responses relating to their policies on disclosure of information to third parties. In conclusion, the Supreme Court in Puttaswamy Judgment has been careful in ensuring that it lays down the contours of informational privacy, while leaving the drafting to the legislators. Further, cases pertaining to data protection filed after the judgement have highlighted some of the most serious flaws in the current data protection regime. With a Supreme Court decision on these cases and a legislation dedicated solely to the protection of data, one can hope that India will make strides in data protection.
Some Examples of Industries Where Data Protection is Important
Some companies need to collect high-detail personal information in order to provide their full services to their users. Products or services requiring high-detail information are financial-related applications or websites where you carry out financial transactions. They are as follows:-
One good example is playing at online casinos. If you want full access to services and use of the products in an online casino, you need to provide a lot of high-detail personal information. Normally you would be asked about Email, New Password, Name, and Surname, Street, City, Country, Date of Birth when signing up to a new online casino. This will give you access but before you have full use of all services offered in a casino you need to provide a photo of your personal identification and a recent utility bill or pay slip, these steps are part of a KYC process (Know Your Customer process) and AML (Anti-money Laundry) measurements.
Governing and protecting the data of users will become an increasingly important commitment for casino operators in India. The online casino market in India is set to grow by 11.5% per year, reaching a market evaluation of $94 billion by 2025. This means that staying compliant with data protection laws will require a higher level of effort and investments in the years to come.
When you want to buy a house, normally you would apply for a mortgage loan as a purchaser of a property in other to finance the costs. When doing so you need to go through a bank. You would need a bank account and then apply for the mortgage, when doing so you will provide a lot of personal information. This is needed to assess your risk profile on the bank's behalf in order to set terms and conditions for the mortgage. In doing so, the bank becomes a data processor and a data controller, where they are from that point on responsible to govern and protect your personal data. Banks in India have invested a lot of money over the past 10-15 years to digitalize processes and accommodate for a big change in consumer behaviour, shifting from brick-and-mortar to the internet. Fortunately, this has also provided the banks with a good foothold when it comes to the protection of data and privacy.
Health Care Industry
Something that is easy to forget when thinking about digitalization is the healthcare sector. Data protection is relevant, particularly when it comes to the collecting and keeping of personal medical records. Data protection laws cover this and determine how health care workers and companies handle personal information.
Health care is unique in the sense that it stores very sensitive information that is difficult to find elsewhere, which makes the sector a target for hackers. Earlier this year, there was a massive data breach where patient records of over 120 million Indian's were leaked, including CT scans, MRI's, x-Rays, patient's records and medical journals of common workers, celebrities and politicians.
Communication between a patient and a doctor is strictly confidential and privileged, as a result the doctor and it's employer, the hospital, are legally and morally bound to maintain the confidentiality of records and communication. Undoubtedly, the healthcare industry in India needs to ramp up the security measures in order to protect medical data. According to the above mentioned article there are three unofficial categories globally where countries are ranked as Good, Bad and Ugly. India ranks second after the United States in the Ugly category.
In this last example, we step away from the personal data and instead move into sensitive data in the energy sector. Plants and factories have become highly digitalized over the past 10-20 years and this change will continue to innovate the energy sector. Sensors collect data on processes and allow for efficient automation and control. Sensors are also used to measure outputs and productivity, identifying bottlenecks and weak spots. Such technology is becoming increasingly more important to increase productivity. Unfortunately, not enough emphasis is placed on protecting the data.
Last year, 2019, the Kudankulam Nuclear Power Plant (KKNPP) was hacked. Little is known of the attack, it was said that no processes, control systems or critical functions were affected, at the same time one of it's plants shut down the week following the breach. Reports suggest that the attack was most likely a targeted espionage operation, where a foreign body was seeking specific information about KKNPP or of India's nuclear programme. In such a situation it is increasingly more important to have advanced data protection measurements in place, if foreign governmental body singles out a target they will have the funding, expertise and motive to penetrate defenses in order to get the data they are looking for. Making data protection in the energy sectors a huge undertaking.
Recently, the Kerala High Court in Sprinklr Contract Deal has caught the privacy-related short comings in the process and it is necessary for Sprinklr to immediately stop receiving identified personal data of the patients which is any way not required for the purpose for which the data is being shared with them. The analytics that they may do has no relation to the identity of the person by name and hence it should immediately agree to an intermediary like NIC conducting "De-identification" process before the data is handed over to Sprinklr. In this case, a substantial fine both on the Kerala Government and Sprinklr on the lines suggested in the PDPA Bill 2019 which is Rs 5 crores for the Kerala Government and upto 4% of the global turnover of Sprinklr should be imposed.
Therefore, there is a need to lay down a proper regulation or rule book for such organisations or any other institution from stealing the data or even storing it for unknown reasons whatever. Data should be protected and citizens of India should not be bound by such frivolous acts.