Data protection, privacy and confidentiality in Cyber space

Abstract

India is undergoing a rapid transformation by means of adopting more and more digitization. Public administration, delivery of public as well as private services, economic transactions and even social interactions are getting redefined with digitization. This push into digitization is, undeniably and rightly so, with the intent to bring more efficiency, transparency and scalability in our systems. The fundamental backbone of this digital adoption is built on the digitization of the user's(individual as well as institutional) data, that has enabled services like e-KYC, biometric authentication, e-Filing of IT returns, e-Wallet, location based services like cabs, food delivery and many more. With so much digitization, 'data' is becoming the new 'money and more recently the new OIL . We carry out most of the transactions through cyberspace and as the technology improves, so will their quality and quantity. The wide-ranging surveillance of all our cyber-activities whether by the Government or the IT czars viz. Google, Facebook, Amazon etc. present a serious threat to data protection and information privacy. Misuse, inadequate security and insufficient rules of sharing this data is not only leading to annoying marketing calls and violation of fundamental right to privacy of the citizens, but is also giving rapid rise to higher forms of crime like Phishing, Vishing and even more higher forms of crime like digital extortions (also known as ransomware) and industrial espionage. Such new forms of crime bring newer forms of challenges to policing and internal as well as external security. The Information Technology Act of 2000/2008 (with its latest amendments) provides for various sections (for e.g. 43A, 72 and 72A) and Rules for "Reasonable Security Practices and Procedures and Sensitive Personal Data or Information", to address the issue of handling sensitive data with security, however the legislation at best is a representation of the intent. The western countries that are ahead to us in the curve of adopting digitization, for e.g. EU, UK and the USA, respectively have their own set of comprehensive policies to define data privacy, disclosure mandates in the event of a breach and remedial measures. It is highly imperative that we too work towards creating a stronger, clearer and precise policy framework for Data Protection, Privacy and Confidentiality that spans over the gamut of Technology, Process and People involved in the digital ecosystem (Both in the Government and the Private sector). Otherwise in our fast pace adoption of digitization we will risk our individuals and institutions to a significant vulnerability. The Hon ble Supreme Court of India in the recent Puttaswamy judgement recognised the right to privacy as a fundamental Right and went on further to recognize informational privacy as a facet of the right to privacy and directed the Union Government to put in place a robust data protection regime to ensure protection against the dangers posed to an individual s privacy by state and non-state actors in the information age. In response to this very recently a White Paper of the Committee of Experts on data protection framework for India has been released for studying various issues relating to data protection in India, making specific suggestions on principles underlying data protection bill and draft such a bill with an objective to ensure growth of the digital economy while keeping personal data of citizen secure and protected . The aim of this study is to collect both primary and secondary data from the various stakeholders regarding the current policies being followed by them, its effectiveness and finding out the gaps and after comparing to the West eg. EU, UK and USA suggest policy recommendations for ensuring informational privacy of the citizens. A total of 16 respondents both in the Government and Private sector including an MNC were circulated a questionnaire and responses obtained. (Annexure-1) The analysis of the responses has been consolidated and the findings depicted through various statistical charts. (Annexure-2)Basing on the findings various policy recommendations have been made mainly being dedicated legislation, effective regulatory framework to increase deterrence, external audit, mandatory CISO, data retention policies around right to be forgotten, creation of a Data Protection Authority as an oversight body and introduction of performance metrics besides others.