INTRODUCTION
The notion of data privacy has become salient in the era of digitization and globalization wherein the Internet has penetrated almost every aspect of our daily lives. The jurisprudence of privacy has evolved with the advent of the Internet.
Data is one of the pivotal assets of any organisation. With the rise of the data economy, organisations collect personal data in bulk and process the same for business purposes. In the light of the same, the organisations should take due care in safeguarding the personal data of its users. The concept of data privacy as a whole is based on governing how the data is being collected, stored, used and transferred.
On the international front, there are a number of Laws and regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) which govern data privacy and security for their respective jurisdictions. However, as of today, India has no comprehensive data protection framework.
All the data which is being collected and processed by the organisations and giant conglomerates is largely unregulated. Besides, the processing of the data has certain loopholes which makes the data susceptible to breaches. Such grey areas need to be addressed by the Regulatory Bodies in order to negate the probability of data breaches and security issues.
In our previous blogs, we discussed the various grey areas in the concept of data privacy and moving forward, in this blog, we shall delve further into the same.
GREY AREAS
DATA ENCRYPTION
Data encryption is a process wherein the information is translated to an encoded format which can be accessed through a secret key known as Decryption Key. Encrypted data is referred to as cipher text and is one of the most popular data privacy measures used by the organisations. The regulation of data encryption in India is indistinct as the infrastructure of data privacy is yet to be formalized.
In September 2015, a draft National Encryption Policy (the Draft Policy) was released by the Ministry of Electronics and Information Technology (MeitY). The Draft Policy aimed to set up protocols and algorithms for data encryption, exchange of keys, digital signatures, etc. However, the Draft Policy witnessed a major backlash from the technical experts, critics, the media and almost from every other sphere of the society, causing the Draft Policy to be withdrawn within a few days after being released. The critics argued that the provisions in the Draft Policy were not realistic enough to be technologically enforceable.
Presently, the only legal framework governing encryption is the Information Technology Act, 2000 (the IT Act). Vide the 2009 Amendment, i.e., the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (the 2009 Rules), Section 84A was incorporated which states that the Central Government may prescribe the methods for encryption for the secure use of electronic medium and for the promotion of e-governance and e-commerce. On the other hand, as per Section 69 of the IT Act, the Central Government or the State Government can direct any agency or authority to intercept or decrypt any information through any computer resource.
Recently, the Government enacted the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the IT Rules) which mandated the Over-The-Top (OTT) Platforms and digital portals to disclose the ‘first originator’ of any objectionable content. In the light of the same, the end-to-end encryption policies of several social media platforms and messengers and their authenticity have been making headlines.
Well-known social media giants like Twitter and WhatsApp have strongly opposed such provisions introduced by the IT Rules as it goes against their end-to-end encryption policies. WhatsApp has filed a petition in the Delhi High Court. WhatsApp’s end-to-end encryption ensures the data through messages and calls between the parties cannot be accessed by the third party.WhatsApp has therefore, expressed concerns over the fact that tracing messages would break the end-to-end encryption which would enable the third party to access such information thereby violating the Right to Privacy of billions of people.
The Government however, has been emphasizing upon the fact that a number of other countries, namely the United Kingdom (UK), the United States of America (USA), Canada and Australia have sought the tech companies to device encrypted products and services whereby the appropriate Government Authorities can access the data in a readable, usable format. The Governments have contended that in the interest of the public it is important that they have access to the data and the information pertaining to the originator of the data.
However, the pertinent question that needs to be answered is whether fragmenting the end-to-end encryption by allowing the Government to exercise its authority in order to access data should supersede the Right to Privacy of billions of people.
DATA ANONYMIZATION AND NON-PERSONAL DATA
Data Anonymization is the process whereby the identity of a person is protected by erasing or encrypting any identifying information which is, Personally Identifiable Information (PII) such as names, social security/Aadhaar Card numbers and addresses. The Non-Personal Data (NPD) under the Personal Data Protection Bill, 2019 (PDPB)is defined as the data that is not ‘personal data’, or the data that lacks any PII.
Anonymous Data inadvertently becomes NPD, as in Anonymous data all the personal identifiable markers are erased or encrypted. Anonymous data can always be classified as NPD, however NPD is not always Anonymous. NPD can be collected as it is without having any PII, Anonymous data on the other hand is collected in its entirety and the PII are subsequently erased or encrypted.
Anonymous data is not regulated under the GDPR which is till date the most comprehensive legislation governing Data Protection across the globe. Since the PDPB has been largely inspired by the GDPR, the PDPB also does not regulate Anonymous Data.
However, there is an exception to this provided under Section 91 of the PDPB wherein, the Central Government in consultation with the Data Protection Authority can direct the Data Fiduciary to or the Data Processor to provide anonymised data, personal data or other NPD in order to enable better public services or evidence based public policies by the Government.
As for the framework pertaining to the NPD in India, it is still at a primitive stage. The Gopalakrishnan Committee released the Initial Report on the regulation of the NPD in July 2020 for public consultation. The Report proposed the introduction of legislation for NPDwhich would be enforced by the Non-Personal Data Authority (the NPDA) and chalked out the essential principles and the general framework to be included in the NPD legislation.
Furthermore, the Committee also recommends the deletion of the provisions pertaining to the NPD from the PDPB in order to ensure that there is no ambiguity pertaining to regulation of the NPD. As per the recommendations of the Committee, any anonymized data will fall outside the purview of the PDPB and will be regulated by the NPD Framework.
However, there are still issues that need to be addressed. Even though the report sought to address Data Anonymisation in NPD, it lacked clarity with regards to certain aspects such as community NPD, definitions, and other provisions and the purpose sought to be achieved by the framework.
At present, there is no framework governing the NPD or anonymous data which is why the companies can indiscriminately use such data for their personal gain which may be detrimental to the interests of the public at large.
INTERNET OF THINGS
One of the most significant developments in the 21st Century in the field of technology is the development of the Internet of Things (IoT). Data is collected from various devices, machines and systems through IoT, technology can be then used to detect patterns, recommendations, potential problems. Few examples of IoT Devices would be the Smart Watches that help us review our sleep patterns, the medical devices which monitor heart rates and help us identify irregularities, pace makers, etc.
At present there is no legal framework governing the IoT Devices and the issues posed by the collection of Data by the IoT Devices. Apart from the IT Act and the IT Rules, the Government has framed the Draft PDPB and the Digital Information Security in Healthcare Act, 2017 (DISHA) in an attempt to establish a framework for protection of Data in India. The proposed PDPB defines Personal Data and seeks to protect the Personal Data by imposing hefty fines on the misuses of such data. However, since the PDPB is yet to be implemented there is a lacuna in regulating the use of Personal Data collected from the IoT Devices.
An example for the misuse of data collected from the IoT Devices can be the disclosure of information to the pharmaceutical, nutraceutical and insurance companies. These companies may use such information for their own benefit which shall be detrimental to the interests of the Patients, as the companies in order to make more profits may resort to hoarding, inflating the prices of the products, increasing insurance premiums, etc.
Thus, even though the data collected from IoT Devices unleashes immense potential to transform the Healthcare Sector, the major issue that can be foreseen is the Security and Privacy of the collected data, therefore there is an immediate need to regulate the data collected from the IoT Devices in order to secure the interests of the data subjects.
The use of information collected from the IoT Devices must therefore be regulated. This can be achieved by creating a robust framework that not only governs Data Protection but also regulates it. The PDPB and the Draft of DISHA shall play a crucial role to increase the use of IoT Devices in the Healthcare Sector in India.
PRIVACY BY DESIGN
Privacy by Design (PbD) refers to the measures adopted by the organisation to safeguard and protect the Personal Data collected, stored and managed by them. The main aim in adopting PbD is the protection of Personal Data by acknowledging the potential issues pertaining to data privacy in an organisation.
Even though the concept of PbD is not explicitly mentioned under the GDPR, Article 25 pertains to the ‘Data Protection by Design’ and recognises the concept of PbD in spirit. It states that any organisation collecting personal data shall take reasonable measures to ensure the data collected is appropriate and is protected.
However, in PDPB the concept of PbD is provided under Chapter IV. Section 22(1) of the PDPB explicitly states that the Data Fiduciary must prepare a PbD policy and lists down the components to be incorporated in the policy. Further, Section 22(2) also provides that the policy so formulated must be submitted to the relevant authority for certification and subsequently must be published on the website of the data fiduciary and the relevant authority.
The data privacy and security cannot be solely guaranteed on the basis of compliance with the regulatory frameworks, rather there is a need to adopt a measure like PbD in order to ensure the privacy and security of the data. At present there is no law regulating the privacy policies in an organisation, the PbD in this regard aims to adopt a more comprehensive framework by way of a policy, in order to ensure the protection of data.
AMLEGALS REMARKS
With the rapidly changing practices pertaining to the use of technology, there is a need for the implementation of the Personal Data Protection Framework now more than ever. The Government is not only responsible to protect the data of the people who are aware of their rights, but are responsible to protect the data of all the citizens. The Government has started taking a proactive approach to use technology; the same is evident through the Covid-19 vaccination drive which is being carried out throughout the country with a centralised database, the use of the Arogya Setu App for contact tracing, Digital India Campaign, etc. Even though all the aforementioned developments are extremely positive in the spirit of embracing technology, the data privacy and security concerns still persist.
In fact, since the use of technology in our day today lives is increasing heaps and bounds and there is a need for the creation of proper regulatory frameworks in order to address the Grey Areas in Data Privacy. The implementation of the PDPB is long overdue, the legislation once introduced may still be required to be amended in order to bridge the lacunae that may be detected once the PDPB is implemented as the PDPB shall be in a nascent stage.
For any queries or feedback, please feel free to connect with aditi.tiwari@amlegals.com or nikita.mulay@amlegals.com.
Leave a Reply