Data Privacy Day is celebrated around the world on January 28. One more day in the long list of Earth Day, Environment Day, Wildlife Day etc. What was its significance? The ubiquitous communication technology driven by the Internet has globalised the world and brought people nearer in unthinkable ways. Individuals visit various websites, send emails, chat with their friends, exchange photographs, buy online, make their travel plans among a host of other activities. They share their personal data with sites in return for services – whether paid or free.
On the other hand, corporates carry out business transactions with data flowing across borders. A company may choose to process accounting data from all its offices around the world at a single location. It may mine the personal data for business decisions, and even sell the data to other companies for targeted marketing. Data has clearly emerged with economic value of its own.
In today’s knowledge economy, it is being valued higher than capital and land. It is the digitisation of data that has given it economic value. Creation, access, sharing, mining and trading of this huge volume of data is becoming easier. It is putting the individual at risk since they may have no control over who should see it. Are there fair information practices for collection and use of such data? Are companies compromising the privacy of their consumers? In the case of the government, can it abuse the data collected from its citizens in projects like Unique Identification number (UIDAI), statistics in the National Population Register, surveillance data from public places, by using it in any which way to compromise the privacy of citizens?
It is these considerations that led the government to set up a committee under Justice A.P. Shah to propose a privacy framework. It has drawn strength from several Supreme Court judgments upholding privacy as a right under Article 21 of the Constitution. Its recommendations are based on global privacy developments, new privacy principles and emerging challenges posed by the continuous march of technology. The report also discusses enforcement concerns and suggests a co-regulation model for enforcement. The author contributed as a member of the committee. Some of the technology and globalisation imperatives are as follows.
The impact of globalisation on privacy of individuals is growing. The fact that more and more personal information is crossing borders in trans-border data flows means that data breaches often affect people in multiple countries, and may result in financial frauds – as in the case of TJX, a retailer in the United States. Nearly 100 million credit and debit cards belonging to people from various regions were exposed when hackers broke into its computer systems. They kept the information in personal computer servers in the US and Eastern Europe and converted some of it into ready-to-use bank cards. Hackers sold the stolen credit card information to people in the US and Europe via the Internet.
Social networking, in a span of 4-5 years, has caught the fancy of millions of users throughout the world. Facebook has over 900 million users, of which some 50 million are from India alone. However, privacy options, though available on social sites, are not fully understood by users, even though the consequences of ignorance can be serious.
On the one hand, citizens are paranoid about their privacy – they want and expect protection of all of their personal identifiers: name, address, mobile number, credit card details, PAN number, and passport number. On the other hand, they reveal all of their personal information quite innocently and voluntarily on such sites to unknown people. Companies are supposed to use fair information principles like Notice, Choice and Consent and inform the users before collecting their data.
Information thus shared by people gets stored on the website’s servers located anywhere in the world. One does not know where the servers of Google, Facebook, or MySpace are located. The personal information that we so zealously guard and protect, within our four walls, is now out there in the cloud, as it is commonly called. Countries around the world have enacted different laws to protect privacy of individuals, but which privacy laws are applicable in a given case? There have been numerous incidents in the recent past when intruders have been able to gain access to some of them, resulting in the compromise of millions of records.
To enable the individual to have more control of their data, both the European Union and the United States have studied their concerns, and come up with updated versions of legislation to protect citizens and consumers. The proposed EU Data Protection Regulation was released in January 2012 – it seeks to make a single privacy law across the entire EU without nation-states having to adopt separate laws through their parliaments. It was followed by the US Consumer Bill of Rights in February 2012. Likewise, the OECD has also proposed its Revised Guidelines for Privacy in October 2012.
There is no substitute for awareness creation, education and training of consumers and citizens, not as a one-time exercise but as a continuous way of mitigating risks associated with technology adoption. Nobody has taught our young friends the behavioural norms, the acts they should guard against to stay out of harm. Data Privacy Day presents an opportunity to promote the culture of privacy among users through continuing education programs, and encouraging the industry and the government to implement privacy principles in letter and spirit.
(The writer is CEO, Data Security Council of India. The views are personal.)