The other day, after reading an article on the importance of having medical insurance, written by one of this paper’s knowledgeable personal finance writers, I was alarmed enough to search for potential medical insurance options available to someone approaching retirement. Within minutes, my personal email id had been bombarded with pitches from various insurance companies and aggregators. More alarmingly, I soon started receiving unsolicited phone calls from telemarketers hawking various insurance plans. All this, literally within minutes of reading one article related to the subject, and a single Google search: “medical insurance 60 years”.

This happened a couple of weeks ago. Even today, while researching for this piece, most of the ads on the websites I visited were pushing either insurance or air tickets (Christmas is coming and I had also been looking at options for a short break)!

So let’s look at what happened. My browsing history is clearly not private. Yes, I was doing this at my workplace and my employer (or rather, my employer’s IT admin) had a right to know what I was doing with office-provided resources. I don’t have a problem with that. What I do have a problem with is how all the other entities who have taken to plaguing my life got hold of my personal information.

The kind of information that these marketers had got hold of goes well beyond what can be gleaned by simply trawling the Internet activity from my IP address, which would account for the Web ads. Mind you, I have taken the usual precautions. I clean out cookies regularly, I have a “no track” enabled on my browser and have up-to-date anti-spyware and anti-malware protection. How then did they get my personal email id and my mobile number? Clearly, one of the many entities I had disclosed these details to for some other purpose had, wittingly or unwittingly — more likely wittingly — passed this on to others.

Collecting information

We clearly do not have data privacy worth the name in our country. Therefore, whatever be the debate on the government’s new Data Protection Bill (now referred to a hand-picked ‘select’ committee of both Houses of Parliament, rather than the standing committee, as is the norm), the need for some form of data privacy law is clearly not the issue.

At the moment, as an individual, if you at all go online — or even simply use a mobile phone — there is a very real threat of having your most sensitive data, including biometrics, being made available to an enterprising hacker, or worse, the highest bidder. That’s because, although the Supreme Court eventually quashed the mandatory linking of your Aadhaar details with your cellphone, mobile service providers — whipped by the government, one might add — had already collected these details for a bulk of active users.

Ditto for banks, insurance companies, mutual funds and other financial services intermediaries, who already have what the draft law classifies as “sensitive personal data” in their grasp. Which is fine, since they do need this data to do business for you. The problem arises with what they do with the stuff afterwards. Most of them have a “Terms of Use” policy that you have to accept if you wish to transact, which literally gives these entities a carte blanche to use or share your information with third parties.

And that’s the legitimate part. I’m sure many would have seen that scary video doing the rounds on WhatsApp where a photocopy shop owner explains how the real money in the business is selling the data which one routinely shares with such service providers — your ID proof, your age proof, your address proof and so on, which you are required to furnish for getting practically everything nowadays.

Government access

So yes, we do need a law, and a tough one at that. The trouble is that the government appears to have used the opportunity to vastly extend its powers concerning the collection and usage of your personal data by its agencies. As this paper reported, the actual provision reads: “The Central Government may, in consultation with the Authority (proposed Data Protection Authority), direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.”

This is over and above the considerable amount of information that the government already wrests from service providers by simply using its clout, or invoking the ever-useful “national security” gambit. Now, the draft law proposes to exempt the government from the provisions of the law, provided it is for national security, crime detection or prevention, or enforcing of legal rights or court orders, to name just a few.

The government is the biggest data collector in the country. How it collects, stores, manages and uses the data is, therefore, of critical importance if we are to have any meaningful data protection and privacy. By giving blanket exemption to government security and intelligence agencies from complying with the otherwise stringent provisions of the draft law raises serious questions over the motives behind the government’s action.

The WhatsApp security breach case, where the messaging platform revealed that its encryption system was breached by spyware developed by an Israeli firm, already raises some worrying concerns about who is spying on whom and for what purpose. Enacting a sweeping law which effectively leaves government agencies untouched and unsupervised may well lead to ‘Big Brother’ entering through the back door.

Related Topics
comment COMMENT NOW