- Santulan Chaubey[1]
Recently, I noticed that the mobile app of my bank pops up a message in which it tried to make me understand that the bank intends to collect and monitor my financial-transaction-related SMS, which include the name of the transaction party, the transaction description and the amount, for the purpose of performing credit risk analysis assessment. They also want to read my contacts to understand my profile better, which helps them provide the best loan offers, etc. The pop-up has only one button, “I understand”. It is a forceful intent to make me understand that if you want to avail the services of the bank, then reveal financial transaction information. I never requested any loan from them.
It is generally observed that organizations try to obtain blanket consent from the user to read SMS and contact details, use the microphone and camera, etc. Especially in the case of mobile apps, the User Interface (UI) is designed in such a way that one must first give consent; only then does the app allow access to the application. The user is generally unaware of the consequences of her consent. This leads to misuse of sensitive personal information.
Regardless of whether it is Government or Private/Public Sector, there is a general tendency to ask for more information than is required to provide a service to a citizen. The service provider should not ask for information that is not necessary to process the immediate service request.
Available Instruments:
Mr. Clive Humby, a British mathematician and data science entrepreneur, stated in 2006 that “Data is the new Oil”, underlining its importance in terms of monetization power[1]. It establishes the importance of data in the new digital economy. Indeed, there is a need for the Digital Economy in India to flourish. But the owners of data, individuals, cannot be treated as oil fields. Therefore, the necessary legal framework is to be kept in place to ensure protection of personal data. To empower Indians, it is necessary to protect their personal data. Such a legal framework will encourage innovation, development and progress of the country[2].
In the absence of an enabling legal framework on Personal Data Protection, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 were framed under Section 43A of the Information Technology Act, 2000 (21 of 2000) to address the privacy of personal data[3]. As per the provisions of the above-mentioned Rules under para (5), Collection of Information, the consent to share the data is to be taken either in writing or through email or fax from the owner of the personal data. There is no mention of obtaining consent for a service not requested. The consent of the personal data owner cannot be obtained to share the data in anticipation of a service that may be demanded in the future.
To protect the privacy of Indians and to empower them, the committee of experts under the chairmanship of Justice B.N. Srikrishna has drafted a report on a Data Protection Framework and a draft bill. The committee submitted its report to the Ministry of Electronics and Information Technology on July 27, 2018[4]. The report gives detailed insight into the fiduciary relationship and obligations, the definition of personal data, consent-based processing, etc. Once Parliament accepts the bill, India will have its own Sensitive Personal Data (SPD) protection legal framework.
Business Process Reengineering (BPR) will help in minimizing the requirements for data and uploading of files by using existing enabling technologies like Web Services or linking with databases. In most cases the service provider is not required to keep the data after online/real-time verification. The obligations of Data Fiduciaries have been well defined in the proposed bill. Even under the present Rules under Section 43A, agencies collecting data are to adhere to standards like ISO 27001.
Mobile/Web Application Development agencies are also to ensure that unnecessary demands for access to customer information are avoided, as these may be harmful in the coming data protection regime. For example, permission to read and send SMS “occasionally” is vague and out of context in most transactions.
Immediate Solution:
Considering the Rules framed under the IT Act, there is a need to regulate mobile/web apps to ensure they adhere to the provisions of the IT Act. This is similar to websites being certified under the Guidelines for Indian Government Websites (GIGW)[5]. All mobile/web apps that collect personal data should be certified for adherence to best practices in data protection and privacy by an identified agency, say RBI or MeitY, before release to the public. The first screen of the app should prominently display the certificate along with a verification mechanism.
In existing grievance management systems like the ombudsman, CPGRAMS, etc., there is no specific category for data protection breaches by various agencies, leading to either rejection of or no redressal for such grievances. A separate category for data protection breaches is also required to be added to existing grievance management applications for proper redressal of grievances under the existing provisions.
There is a need to make the public aware of the provisions of the Rules framed under Section 43A of the IT Act. It will help the public know their right to privacy and, as owners of their data, the consent process for sharing data with others.
Bibliography:
[1] A. Mavuduru, “Is Data Really the New Oil in the 21st Century?” https://towardsdatascience.com/is-data-really-the-new-oil-in-the-21st-century-17d014811b88 (accessed Sep. 08, 2021).
[2] Committee of Experts under the Chairmanship of Justice B. N. Srikrishna, “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians,” Ministry of Electronics and Information Technology, pp. 1–213, 2018.
[3] MeitY, “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011,” 2011.
[4] B. N. Srikrishna, “A Free and Fair Digital Economy.” https://prsindia.org/policy/report-summaries/free-and-fair-digital-economy.
[5] NIC, “Government of India Guidelines for the Websites (GIGW).” https://guidelines.india.gov.in/ (accessed Sep. 09, 2021).