We should think of privacy as a human right. We have to start from the core principle that the user is the owner of their data and the whole economy, not just the tech sector, must come to grips with this,” remarked Satya Nadella, chief executive officer, Microsoft, at the ongoing World Economic Forum meet in Davos, Switzerland.

Nadella’s statement comes at a time when another technology major, Face­book, is facing its worst crisis since its launch in 2004. The company’s standing took a major hit in March 2018 following allegations of improper acquisition of data of about 50 million Facebook users by UK-based consultancy firm Cambridge Analytica for devising targeted advertising campaigns in the 2016 US presidential election. Later, in September 2018, concerns about Face­book’s handling of user data and security escalated when the firm reported that it had discovered a security flaw that potentially allowed the hijacking of around 50 million Facebook accounts. Unlike the Cambridge Analytica episode, in which a third-party company had erroneously accessed users’ Facebook data, this time hackers were able to directly take control of user accounts.

Facebook’s data breach incidents have exposed the vulnerability of technology firms the world over in protecting user rights and data privacy. In India too, similar concerns have been raised about the Aadhaar database that contains biometric information of over 1 billion Indian citizens. Even though the government insists that the Aadhaar database is secure, there have alle­gedly been multiple privacy breaches in different databases, including those of banks, telecom service providers and government institutions. Some experts fear that Aadhaar could be potentially used by the government as an instrument of mass surveillance.

At a time when governments globally have embarked upon major missions to digitally empower their citizens, it has become increasingly important to allay people’s fears about the security and privacy of their data. This calls for the formulation of robust and comprehensive data security and privacy legislations that can strike the right balance between commercial interests and user privacy.

Data theft: The weakest link in digital transformation?

Enterprises across all industry verticals are undergoing a digital transformation with the adoption of new-age concepts such as internet of things (IoT), big data analytics and cloud computing. Companies are leveraging these technologies to make informed decisions, enhance business efficiency and rationalise costs. At the same time, the over-reliance of organisations on an ICT-enabled ecosystem has exposed them to the threats of cyberattacks, data breaches, data loss and insecure programming interfaces. This has somewhat dampened their enthusiasm to aggressively em­brace next-generation technologies. And their concerns are not unfounded. The incidence of data theft has increased exponentially over the past few years, owing to the increased generation of digital content and lack of appropriate safeguards to protect financial and corporate data.

Meanwhile, individual users, who were till a few years back thriving on opportunit­ies to stay connected, efficient and agile, are now reluctant to share their data online. Pr­otection of user data has also assumed pr­o­minence because of the fact that a huge am­ount of data is being generated on smar­t­p­hones. Telecom operators, who control the networks on which information flows, have the ability to analyse this data. Several mo­bile applications are also using data coll­ated over a period of time to analyse the sp­ecific personality traits and actions of individuals and expose them to targeted advert­is­e­ments, thereby posing a risk to data privacy.

Legal framework for data security

India is now home to over 400 million smartphone users and more than 500 million internet subscribers. The per capita traffic consumption in India is currently around 2.4 GB, which is expected to in­crease to nearly 14 GB by 2022, according to a report by network equipment vendor Cisco. The report further states that the number of connected devices in the country is expected to go up to 2.2 billion by 2022 from 1.6 billion in 2017. These figures in­dicate the scale of the data revolution that the country is witnessing currently. Both the government and private entities are riding on this data revolution to deliver targeted results. However, the country currently lacks adequate legal safeguards to protect the sanctity of personal data.

At present, the Information Techno­logy Act, 2000 and the Information Tech­no­­logy (Amendment) Act, 2008 govern the legal aspects of data security in India. The act has several provisions for ensuring data security and privacy including punishment for indulging in cyberterrorism and identity theft, and penalties for publishing data in breach of a lawful contract and for in­fringing confidentiality and privacy. The act also gives the government the power to monitor data traffic (with reasonable restrictions), block data from being ac­cessed by the public, and declare any system a protected system and take steps to ensure its security. Several leading experts, however, contend that the Information Techno­logy Act has limited data protection- and privacy-related provisions and does not lay down a comprehensive legal framework for data privacy and security. For instance, the categories of sensitive personal information defined in the act (such as passwords and financial information) are too narrow, restrictive and inadequate, and ignore other categories of information such as data on user behaviour. More­­over, government agencies and non-profit organisations are excluded from most provisions of the act, which experts feel is a major loophole since the government is a significant, if not the biggest, custodian and user of data relating to citizens.

The cause for data security and privacy received a major push in August 2017 when the Supreme Court ruled that privacy is a fundamental right granted by the Indian Constitution. The apex court also identified privacy of information as a subset of the right to privacy and remarked that the privacy of information can be threatened by both state and non-state entities. The court, however, stated that unlike other fundamental rights, the right to privacy is not absolute. Meanwhile, in the context of the government’s Aadhaar project, the apex court observed that the requirement to provide biometric and demographic data, as well as the collection, storage and use of data does not violate the fundamental right to privacy of a person.

In the wake of the Supreme Court’s order and the increasing demand from the industry and the public to address the shortcomings of the present data protection regime, the government appointed a committee of experts under the chairmanship of Justice B.N. Srikrishna and entrusted it with the task of identifying the lapses in data protection laws and drafting a new comprehensive data protection law for the country. The committee’s recommendations along with the draft Personal Data Protection Bill, 2018 were released in July 2018. The bill deals with issues such as collection and processing of personal data, consent of individuals, penalties and compensation, code of conduct and an enforcement model. More­over, the bill, for the first time, seeks to provide an overarching data protection legislation that defines certain critical terms such as “personal data” and expands the scope of the definition of sensitive personal data or information to include personal data such as “official identifier” (for example, Aadhaar number and PAN), “caste or tribe”, “transgender status” and “religious or political belief or affiliation”. It proposes the setting up of a Data Pro­tection Authority of India, an independent regulatory body that would be responsible for the enforcement and effective implementation of the law. The bill also stipulates strict penalties for non-compliance with regulations. The bill has so far not been tabled in Parliament and is likely to be taken up only when the new government assumes charge after elections.

Striking a balance between privacy and commercial interests

At a time when user-generated data is be­coming integral to the business models of major enterprises in the country, it has become imperative for the government to bring in legislation that strikes a fine balance between user privacy and commercial use of data. While the recently introduced draft bill is a welcome step in this direction, there are still several gaps in the legislation that need to be addressed. Legal experts feel that the legislation does not go far enough in according protection to individuals’ data and also has wide exceptions that allow the government to collect and process data without consent.

Meanwhile, regaining the trust of users with regard to protecting their information has also become critical for technological firms. A large number of users are of the opinion that the major technology companies were unprepared, and perhaps unwilling, to assume responsibility for the tools they unleashed upon the world. Going forward, technology firms will have to devise innovative mechanisms to restore customer confidence in their platforms.