DATA PROTECTION: HOW SAFE ARE WE?
Have you ever noticed that soon after you purchase a new product, whether from a high-profile shop at a mall, online, or through an agent (especially a credit card), you start receiving unsolicited calls, or your inbox suddenly fills up with spam? Irritating, yes. But have you realized that you have nobody to blame but yourself? Why? Because, knowingly or unknowingly, you handed your data to the world by filling in the simple form given to you by the shop, the agent or an online survey. That form was collected under the guise of gathering data to help the company run analytics, employing machine learning, surveillance and data mining. You have become a victim of a data breach.
Data Breach
“A data breach is a security incident in which information is accessed without authorization. Data breaches can hurt businesses and consumers in a variety of ways. They are a costly expense that can damage lives and reputations and take time to repair.”
Stories of massive data breaches circulate quite frequently these days. This should not be surprising at all: as technology progresses, more and more of our information becomes accessible in the digital world, and as a result cyber-burglary will be increasingly common and costly[i].
The Electronic Frontier Foundation (EFF)[ii] demonstrated that anyone could get access to information saved to a Facebook profile, even if the information was not intended to be made public[iii]. Now how does that happen?
- A “connection” is created when a user clicks a “Like” button for any product or service, either on Facebook itself or on an external social media site. The site treats such relationships as ‘public information’, and the user’s identity is displayed on the social media page of the product or service, breaching privacy without the consent of the user.
- Ever wondered how your Facebook page displays the products you searched for or purchased on the Amazon website? This is termed “Instant Personalization”[iv]. The EFF noted that “For users that have not opted out, Instant Personalization is instant data leakage.
As soon as you visit the sites in the pilot program, the sites can access your name, your picture, your gender, your current location, your list of friends, all the Pages you have Liked, everything Facebook classifies as public information.” This is what we ignorantly take to be an auto-fill option provided by the website for our convenience, without ever asking how our data reached a website we are visiting for the very first time. And here it is not only you but your acquaintances who come into the picture, since, as the EFF observed, “even if one opts out of Instant Personalization, there is still data leakage through your friends who use Instant Personalization websites; their activities can give away information about you unless you block those applications individually.”[v]
How does our data get compromised?
Cybercrime has become a profitable industry for attackers and continues to grow. Hackers seek personally identifiable information to steal money, compromise identities, or sell over the dark web. Data breaches can occur for several reasons; listed below are the most potent ways that we lose our privacy to the World Wide Web:-
- Organizational Data Breach[vi]: To do business, organizations often require our personal information so that they can work on their business model through data analytics. We trust that the organization follows its outlined security protocols to keep our private information private. When that organization fails to deliver on its security measures, as has been seen in the recent onslaught of big-data and cloud-system security breaches, our personal information is subject to unauthorized access and theft. This is also how hackers have been spreading ransomware and targeting particular clients.
- Free Wi-Fi / Internet Access: We Indians are very fond of freebies, be it discounted gifts or even free Wi-Fi. What we don’t realize is that there are no free lunches, and we pay for all such freebies by compromising our privacy. Public or free Wi-Fi available at shops, restaurants and airports consists of unsecured connections and is the most susceptible to cyber pilferage. We are quick to log in without considering the security of the connection we are about to use, leaving our door ajar and allowing ethical or unethical hackers access to our domain.
- Exploiting System Vulnerabilities[vii]: The weakest point in how we access cyberspace is working on pirated software with a free antivirus and a free firewall. Out-of-date or pirated software acts as a backdoor left open, allowing an attacker to sneak malware onto a computer and steal data. We could unintentionally download a virus or malware simply by visiting a compromised web page. A drive-by download will typically take advantage of a browser, application or operating system that is out of date or has a security flaw.
- Responding to a Scam: Scams are designed to look, read and feel as much like authentic communication as possible. Email phishing, ‘robo’ calls and social engineering tactics like personality quizzes are just a few examples of the ever-growing range of scams that hackers and cybercriminals have developed to steal your data, right under your very nose. We often (mistakenly) place our trust blindly in communication channels like email, phone and social media, because those are the places where we communicate with people and brands we do trust.
Data collection has become part and parcel of the life we live in the cyber world, and one cannot feign ignorance by playing the ostrich which, when threatened, puts its head into the sand thinking it is hidden from its attacker. In India, data security is at a very nascent stage: we are mostly computer illiterate, and we think that by knowing how to operate a smartphone or a computer we know all about cyber security. Moreover, with the compulsory introduction of the PAN Card, the Aadhaar Card and the Aadhaar Enabled Biometric Attendance System (AEBAS), the breach of personal data reached another level. Data security has become a matter of concern the world over, and stringent laws have been put into action by most countries.
Aadhaar Card: Privacy Issues
Most of us are familiar with the Ration Card. It was part of India’s Public Distribution System (PDS), which constituted 1% of the country’s total GDP, providing food to the poor via Fair Price Shops and other government schemes.[viii] However, the whole system was compromised, and the process of obtaining and delivering these subsidies was riddled with fraud, black markets and exhausting bureaucracy. To combat this plethora of logistical issues, Aadhaar was created in 2009. It was developed as a tool to standardize the process of data collection and ease the disbursal of money from government schemes to the citizens of the country, especially the poor. Aadhaar is a 12-digit unique identity number issued to all Indian residents, and the process of obtaining the ‘Aadhaar Card’ involves the collection of citizens’ fingerprints, retina scans and face photos.
Aadhaar’s importance cannot be overstated, as it contains the data of billions of people, and the security of this data and of the system itself is an incredibly important point of political contention. It is one of the biggest biometric databases on the planet, with around 1.2 billion enrollments covering around 89% of India’s population[ix]. Complicating the issue is the fact that, ever since its inception, Aadhaar has been plagued by a myriad of internal and legal problems, as well as major leaks and vulnerabilities in the overall security of the system, thus compromising personal data. A major concern was raised by the Armed Forces, who had to take a stand to be exempted from the AEBAS, fearing loss of data to an adversary that would compromise their security and that of their families.
Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”)
Due to the increased collection of citizens’ information by the government, concerns have been raised about its impact on citizens’ privacy. The road map for addressing these concerns was laid down by a Bench of nine Supreme Court judges in the judgment delivered on 26 September 2018 in Justice K.S. Puttaswamy and Anr. vs. Union of India and Ors., which held that the Right to Privacy is a fundamental right for all citizens. In their order, the judges also highlighted the need for a regulation to protect the privacy of data, especially in the age of ‘big data’, when the state as well as non-state actors hold so much information about people[x].
The apex court upheld the overall validity of Aadhaar, and the Aadhaar Act 2016 was held to be constitutional to the extent that it allowed Aadhaar number-based authentication for establishing the identity of an individual for receipt of a subsidy, benefit or service given by the Central or State Government and funded from the Consolidated Fund of India. However, the Supreme Court disallowed the use of individual Aadhaar numbers by private entities, under the garb of Know Your Customer (KYC), for any purpose pursuant to a contract, on the basis that it was contrary to the fundamental right to privacy. The Supreme Court also ruled on several laws, circulars and directions which required the mandatory linking of Aadhaar for receiving relevant services.[xi]
The Supreme Court held that any law restricting the right to privacy must be just, fair and reasonable, serve a legitimate state aim and be proportionate to the objective sought. The Supreme Court further clarified that the proportionality test includes the following four aspects[xii]:-
- Legitimate goal – The measure restricting the right must have a legitimate goal.
- Rational connection – It must be a suitable means of furthering the goal.
- Necessity – There must not be any less but equally effective alternative.
- Balancing – The measure must not have a disproportionate impact on the right holder.
The Supreme Court held that the Aadhaar Act, on the whole, as a law, serves a legitimate state aim and is proportionate, thereby being a reasonable exception to the right to privacy. The salient points are:-
- Section 7 of the Aadhaar Act, which made the Aadhaar number mandatory for receiving subsidies, benefits and services from the Government (for which expenditure was drawn from the Consolidated Fund of India), was held to be valid.
- Section 57 of the Aadhaar Act allowed Government entities, body corporates and individuals to use the Aadhaar number as a means to identify any individual for any purpose, according to any law or contract. The Supreme Court laid down that any such contract has to be ‘backed by law’:-
- Firstly, the Supreme Court held that the phrase ‘any purpose’ is not proportionate, too wide, and susceptible to misuse.
- Secondly, the possibility of collecting and using Aadhaar numbers for authentication according to a contract was disallowed since this may result in individuals being forced to give their consent in the form of a contract for an unjustified
- Thirdly, private entities are not permitted to use Aadhaar numbers for authentication based on a contract with the concerned individual, since it would enable commercial exploitation of an individual’s biometric and demographic information by private entities. This effectively prevents companies from using Aadhaar-based e-KYC authentication of an individual’s identity, which was primarily how many companies complied with the relevant know your customer (KYC) requirements.
- The Supreme Court ruled on the validity of certain directions from different departments of the Government (brought in through laws or otherwise) which mandated the linking of Aadhaar numbers in order to benefit from certain services:-
- Linking Aadhaar numbers to PAN was held to be valid, since it was based on law, serving a legitimate state interest, and was proportionate.
- Linking Aadhaar numbers to bank account numbers was held not to be valid since it did not meet the proportionality test.
- Linking Aadhaar numbers to mobile numbers was held not to be valid since it did not serve a legitimate state aim and was disproportionate in its encroachment on individual liberties.
Personal Data Protection Bill 2019
In July 2017, the Ministry of Electronics and Information Technology set up a committee to study issues related to data protection. The committee was chaired by retired Supreme Court judge Justice B.N. Srikrishna.[xiii] The committee submitted the draft Personal Data Protection Bill, 2018 in July 2018. After further deliberations, the Bill was approved by the Cabinet of India on 4 December 2019 as the Personal Data Protection Bill 2019 and tabled in the Lok Sabha on 11 December 2019.
The Essence of the Bill
Personal data under the Indian laws and rules is termed “personal information” and has been defined under the Rules as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. The PDP Bill proposes a similar definition but extends it to include any inference drawn from such data for profiling[xiv].
The Bill aims to[xv]: provide for the protection of the privacy of individuals relating to their data; specify the flow and usage of personal data; create a relationship of trust between persons and the entities processing their personal data; protect the fundamental rights of individuals whose personal data are processed; create a framework for organisational and technical measures in the processing of data; lay down norms for social media intermediaries, cross-border transfer, accountability of entities processing personal data, and remedies for unauthorized and harmful processing; and establish a Data Protection Authority of India for the said purposes and matters connected therewith or incidental thereto.
However, critics such as Justice B.N. Srikrishna, the drafter of the original Bill, opined that the revised PDP Bill 2019 could turn India into an “Orwellian State”, a term describing a situation, idea or societal condition that George Orwell identified as destructive to the welfare of a free and open society, denoting draconian control of a people by the state as depicted in his novel ‘Nineteen Eighty-Four’[xvi].
[i] https://us.norton.com/internetsecurity-privacy-data-breaches-what-you-need-to-know.html
[ii] The EFF is an international non-profit digital rights group based in San Francisco, California, determined to promote Internet civil liberties. It identified two personal information aggregation techniques called “connections” and “instant personalization”. Source: https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation
[iii] https://en.wikipedia.org/wiki/Privacy_concerns_of_Facebook#cite_note-eff.org-1
[iv] Instant Personalisation was a pilot program that shared Facebook account information with affiliated sites, such as sharing a user’s list of “liked” bands with a music website, so that when the user visits the site, their preferred music plays automatically.
[v] ibid.
[vi] https://www.semshred.com/personal-data-compromise/#:~:text=Email phishing%2C ‘robo’ calls,right from the horse’s mouth.
[vii] https://us.norton.com/internetsecurity-privacy-data-breaches-what-you-need-to-know.html
[viii] Vikas Bajaj, 2012, A Failed Food System in India Prompts an Intense Review, The New York Times.
[ix] Aadhaar Now World’s Largest Biometric Database: 5 Facts from UIDAI CEO’s Presentation in Supreme Court You Must Know, The Financial Express, 2018.
[x] https://www.business-standard.com/article/economy-policy/right-to-privacy-sc-judgment-also-makes-case-for-regulating-data-storage-117083000191_1.html
[xi] https://www.mondaq.com/india/privacy-protection/744522/the-supreme-court39s-aadhaar-judgement-and-the-right-to-privacy#:~:text=At%20the%20end%20of%20September,the%20%22Aadhaar%20Act%22).
[xii] ibid.
[xiii] “Personal Data Protection Bill 2018 draft submitted by Justice Srikrishna Committee: Here is what it says”. The Indian Express. 28 July 2018. Retrieved 4 December 2019.
[xiv] https://www.linklaters.com/en/insights/data-protected/data-protected—india
[xv] The Personal Data Protection Bill, 2019.
[xvi] https://en.wikipedia.org/wiki/Personal_Data_Protection_Bill,_2019#cite_note-8
About the author
This article has been written by Adv. Pooja Kohli, BA, LLB, LLM, PGDFM, MBA(HR), Punjab & Haryana High Court, Chandigarh