Data protection law in India currently faces many problems and resentments due to the absence of a proper legislative framework. There is an ongoing explosion of cyber crimes on a global scale. The theft and sale of stolen data is happening across vast continents, where physical boundaries pose no restriction or seem non-existent in this technological era. India, being the largest host of outsourced data processing in the world, could become the epicentre of cyber crimes; this is mainly due to the absence of appropriate legislation.
1. Privacy Legislation - India
Latha H C
Senior Research Officer, Telecom Regulatory Authority of India
Regional Office, Bangalore, Karnataka, India
2. Data is collected by various businesses and agencies as a
by-product of the user’s interactions with them. This
data is then retained by the business, and used to its
advantage. People are increasingly making their
personal information available publicly. Today there is
an unprecedented amount of personal data available
with Government and Private Sector Players.
Personal Data
3. • Publicly available personal information poses a greater risk for
Indians because the majority of the population is illiterate and there is no law
mandating data protection.
• Individuals are repeatedly transmitting their
personal information for various activities.
• In the present era, most crimes are
committed by professionals through
the easiest medium, i.e. computers and
electronic gadgets. With just a single click,
criminals are able to get secured
information. The lust for information is acting
as a catalyst in the growth of cyber crimes.
Risk Factors
4. PwC’s survey (May 2017)- Indian organisations have
detected a sharp increase in instances of crime from an
average of 2,895 incidents a year to 6,284 incidents in
2015–16.
5. While people are getting comfortable with mobile wallets and
banking through apps and smartphones, Wi-Fi networks continue
to have major security flaws that can make it very dangerous to
conduct transactions using mobile devices. Following are the major
types of risks that you should be aware of:
• Malware
• Phishing
• Public Networks
• Ransomware
The absence of prescribed security standards under
Indian e-wallet laws puts Indians'
financial data at risk
Risk Factors
6. Privacy concerns exist wherever personally identifiable
information or other sensitive information is collected, stored, used,
and finally destroyed or deleted – in digital form or otherwise.
Improper or non-existent disclosure control can be the root cause
for privacy issues.
Data privacy issues may arise in response to
information from a wide range of sources, such
as:
Healthcare records
Criminal justice investigations and proceedings
Financial institutions and transactions
Biological traits, such as genetic material
Residence and geographic records
Privacy breach
Location-based service and geolocation
Web surfing behavior or user preferences using persistent cookies
7. Why Indians are a softer
target of Cyber Crimes and
Identity Theft
The lack of awareness about
cybercrimes
Lack of tools and guidance
Inadequate cyber crime laws
10. Future frameworks for privacy in India
The report creates a set of
recommendations for a privacy
framework and legislation in India.
Most importantly, the Report
recognizes privacy as a fundamental
right and defines nine National Privacy
Principles that would apply to all data
controllers both in the private sector
and the public sector.
In October 2012, a Group of Experts headed by (Retd.)
Justice A. P. Shah, Former Chief Justice, Delhi High Court
submitted a report to the Planning Commission on the
subject of data privacy.
11. Nine national privacy principles
Principle 1: Notice
A data controller shall give simple to understand
notice of its information practices to all individuals,
in clear and concise language, before any personal
information is collected from them.
Example : A telecom operator must make available
to individuals a privacy policy before any personal
information is collected by the company.
12. Nine national privacy principles
Principle 2: Choice and Consent
A data controller shall give individuals choices
(opt-in/opt-out) with regard to providing their
personal information, and take individual
consent only after providing notice of its
information practices.
Example : If an individual is signing up to a
service, a company can only begin collecting,
processing, using and disclosing their data after
consent has been taken.
13. Nine national privacy principles
Principle 3: Collection Limitation
A data controller shall only collect personal
information from data subjects as is necessary for
the purposes identified for such collection,
regarding which notice has been provided and
consent of the individual taken. Such collection
shall be through lawful and fair means.
Example : If a bank is collecting information to
open an account for a potential customer, they
must collect only that information which is
absolutely necessary for the purpose of opening the
account, after they have taken the consent of the
individual.
14. Nine national privacy principles
Principle 4: Purpose Limitation
Personal data collected and processed by data
controllers should be adequate and relevant to the
purposes for which they are processed.
Example : If a bank is collecting information from a
customer for opening a bank account, the bank can
only use that information for the purpose of
opening the account and any other reasons
consented to.
15. Nine national privacy principles
Principle 5: Access and Correction
Individuals shall have access to personal
information about them held by a data controller;
shall be able to seek correction, amendments, or
deletion of such information where it is inaccurate; be
able to confirm that a data controller holds or is
processing information about them; be able to
obtain from the data controller a copy of the
personal data.
Example : An individual who has opened a bank
account, has the right to access the information that
was initially provided and subsequently generated.
16. Nine national privacy principles
Principle 6: Disclosure of Information
A data controller shall only disclose personal
information to third parties after providing notice
and seeking informed consent from the individual
for such disclosure.
Example : If a website, like a social media site,
collects information about how a consumer uses its
website, this information cannot be sold or shared
with other websites or partners, unless notice of
such sharing has been given to the individual and
consent has been taken from the individual.
17. Nine national privacy principles
Principle 7: Security
A data controller shall secure personal information
that they have either collected or have in their custody,
by reasonable security safeguards against loss,
unauthorised access, destruction, use, processing,
storage, modification, deanonymization,
Example : If a company is a telecommunication
company, it must have security measures in place to
protect customers' communications data from loss,
unauthorized access, destruction, use, processing,
storage, modification, deanonymization,
unauthorized disclosure, or other foreseeable risk.
18. Nine national privacy principles
Principle 8: Openness
A data controller shall take all necessary steps to implement
practices, procedures, policies and systems in a manner
proportional to the scale, scope, and sensitivity to the data
they collect, in order to ensure compliance with the privacy
principles, information regarding which shall be made in an
intelligible form, using clear and plain language, available to
all individuals.
Example : If a hospital is collecting and processing personal
information of, for example, 1,000 patients, their policies
and practices must reflect and be applicable to the amount,
sensitivity, and nature of information that they are
collecting.
19. Nine national privacy principles
Principle 9: Accountability
The data controller shall be accountable for complying with
measures which give effect to the privacy principles.
Example : To ensure that a hospital is in compliance with
the national privacy principles, it must undertake activities
like running trainings and providing educational
information to employees on how to handle patient-related
information, conducting audits, and establishing an officer
or body for overseeing the implementation of privacy.
20. CONCLUSION
Clearly, privacy is an emerging and increasingly important
field in India.
As companies collect greater amounts of information
from and about online users, and as the government
continues to seek greater access and surveillance
capabilities, it is critical that India prioritizes privacy and
puts in place strong safeguards to protect the privacy of both
Indians and foreigners whose data resides temporarily or
permanently in India.
The first step towards this is the enactment of a
comprehensive privacy legislation recognizing privacy as a
fundamental right.
21. The rapid evolution of telecommunications
services in India has aided the overall
economic and social development of the
country.
Privacy in Telecom Sector
22. TRAI Regulations and Directions
The Telecom Regulatory Authority of India was established
by statute in 1997 to safeguard interests of consumers while
simultaneously nurturing conditions for growth of
telecommunications in the country. The Authority has
issued several regulations on various subjects which are
binding on TSPs. The following regulations touch on the
subject of privacy:
1. Unsolicited Commercial Communications Regulation: In 2007, the Authority
introduced the Telecom Unsolicited Commercial Communications Regulations which
were aimed at creating a mechanism for registering requests of subscribers who did
not wish to receive unsolicited commercial communications.
2. Privacy and Confidentiality Direction : In February 2010, the TRAI issued a direction
seeking to implement the privacy and confidentiality related clauses in the service
providers’ licenses (see previous sections). Accordingly by this direction, the TRAI
ordered all service providers to “put in place an appropriate mechanisms, so as to
prevent the breach of confidentiality on information belonging to the subscribers and
privacy of communication”
23. Telecommunication Policies in India
The current telecom policy of India lacks adequate
privacy laws, and there is no effective mechanism through which
telecom disputes of consumers can be handled in
India.
Essential and private details of telecom consumers were
openly available for sale in the markets, and
companies purchased this information and used it
without any fear of punishment as there were no deterrent
rules or regulations in this regard.
India has no constitutionally valid phone-tapping
law.
24. Communications revolution has led to the exposure of
individuals to risks
1. During the normal course of their business, telecom companies heap up vast
volumes of personal data including copies of identity documents, biographical
information etc., which could potentially be misused;
2. The fact that a vast amount of communication now occurs with the involvement
of electronic media has rendered it more susceptible to invasive electronic
surveillance - whether lawful or not;
3. Much of the communications is now stored in digital form for unknown periods
in corporate data centres;
4. Owning a mobile phone not only enables us to communicate with our business
partners and loved ones, but also forces us to engage with a continual stream of
'noise' – telemarketing calls and SMSs, prank/hoax calls, calls troubling us for
the payment of bills and offensive/threatening calls.
5. The subscriber signs the contract without even looking at the contract or its terms
and conditions.
6. Consumer related transactions often occur between parties who have no pre-
existing relationship, which may raise concerns of the person's identity with
respect to issues of the person's capacity, authority and legitimacy to enter the
contract.
7. The aforesaid points regarding the acceptance, timing and not reading the terms
create a loophole in an effort to protect the consumer privacy.
25. Communications revolution has led to the exposure of
individuals to risks
8. The huge list of terms and conditions discourages the consumer from searching for the
privacy clause and thus leaves him vulnerable at the hands of the company.
9. Companies that keep sensitive information on their servers must ensure that
they have adequate security measures to safeguard their servers from any
unauthorised intrusion. A company could face security threats externally as well
as internally.
10. Externally, the company could face problems from hackers, viruses and Trojan
horses. Internally, the company must ensure security against its technical staff
and employees.
11. Security can be maintained by using various security tools such as encryption,
firewalls, access codes/passwords, virus scans and biometrics.
12. With the advancements in the Internet, security breaches have become a daily
occurrence. TSPs need to protect their websites and servers against loss of private data,
since a company can also be held liable for inadequate security procedures on its
servers.
26. Spam calls: India has topped the list of most
affected countries by spam calls in 2017 so
far, according to data gathered by
Truecaller.
Highlights
• India accounted for 22.6% of total spam calls
received so far this year, followed by the U.S and
Brazil (20.7%), Chile (17.4%), and South Africa
(15%).
• Free calls and data are major reasons in India
• 3% of total spam calls in India are fraud
The reasons why India is
the most affected country
by spam calls are
operators and financial
services, most of whom
often promise free data
and unlimited voice calls.
27. TRAI Initiatives
To identify the key issues pertaining to data protection in relation to the
delivery of digital services, TRAI released a Consultation Paper on
Privacy, Security and Ownership of Data in Aug 2017 and sought
comments from stakeholders on the following issues:
1. Data protection requirements to protect the interests of
telecom subscribers in addition to existing guidelines.
2. New capabilities that must be granted to consumers over the
use of their personal data.
3. Rights and Responsibilities of the Data Controllers.
4. Mechanism for regulating and governing the Data
Controllers.
5. Technology enabled architecture to audit the use of personal
data, and associated consent
6. Setup of a data sandbox
7. Measures to strengthen and preserve the safety and security
of telecommunications infrastructure and the digital
ecosystem
8. Key issues of data protection pertaining to the collection and
use of data by various other stakeholders.
9. Measures to address the potential issues arising from cross
28. Recent Developments
25th Aug 2017
A nine judge constitutional
bench of the Supreme Court of India has held
the right to privacy is a fundamental right
under the Constitution of India. The court has
held the right to privacy is part of the right to
life and is on similar terms with the right to
human dignity. The judgments have by and
large held the view the right to privacy is also
part of the “freedom rights” under Article 19
(right to speech, movement, etc) or under all of
the fundamental rights enumerated in Part III
of the Constitution
3rd Sep. 2017
The Supreme Court has held that information sought about
individual bank employees which was personal in nature and
devoid of any public interest was exempted under the Right to
Information (RTI) Act.