Urban Update and All India Institute of Local Self Government (AIILSG), in collaboration with United Cities and Local Governments Asia Pacific (UCLG ASPAC), organized the fourth edition of the ‘One-on-One” series on the topic “Improved Data Privacy in the New Normal” on Thursday, October 29, 2020. Abhishek Pandey, Editor, Urban Update, interviewed Vijayshankar Nagaraja Rao, Executive Chairman, Foundation of Data Protection Professionals in India (FDDPI), and talked about the various threats to data security in the new normal. Introducing the topic, Abhishek said that due to the COVID-19 pandemic, official activities and day-to-day meetings have gone online resulting in a lot of data sharing digitally. The question of data safety has taken center stage and governments around the globe are handling the issue in their own ways
What are the changes in our day-to-day activities since the pandemic hit the globe in March this year? And, why should we be worried about data safety at all?
Advantages of virtual media like saving expenditure and time have always been recognized but not utilised. This pandemic only forced us to seek shelter in virtual media for everything and this is now called the new normal. I believe that this platform is nothing new, instead, it was always available but only now we have realised its full potential, which is a welcome change.
At the same time, this has brought issues of information and data security to the forefront because opportunities for criminals to exploit the situation have increased. Cyber-crimes in the pandemic have increased due to two reasons- increase in people using the platform and people not well versed with digital usage have suddenly entered the digital world which makes them vulnerable. It becomes very essential to prepare people to counter these challenges.
When we talk about data nowadays, we refer to it as new oil and everyone wants to control it. The issue of data security has become important globally in terms of the relation between different countries. How governments are ensuring that data of their citizens issafe in cases of international interactions online?
One of the two aspects is data security, which implies confidentiality and that the data should not be modified. Data is like money, that is, it has value as long as it is used. So, the second aspect becomes finding appropriate channels for the usage of data rather than preventing data usage. Data can be of two types as well- personal and non-personal. More than 100 countries today have Acts for the protection of personal data. Although, India already has the Information Technology Act, it is currently working on a legislation specific to personal data protection, which includes bank details, addresses, identification numbers, etc.
Personal data needs to be accorded certain additional security in comparison to non-personal data. Non-personal data has commercial value and therefore India is planning to draft alegislation on how to unlock the value of non-personal data.
Using data for data profiling, market segmentation, psychographic profiling of the target audience to regulate the information flow is inherent in any business and is less harmful to the users. What is worrying and can be termed unethical is the manipulation of users through the use of data that they are asked to submit at social media platforms. Controlling fake news and IDs by the platforms and government can reduce potential harm.
A famous saying goes, ‘When you are not paying for a product, you are the product.’ Users on free social media platforms thus become a product as their data is captured and their profiling is carried out. How exactly is it done? How secure, reliable or accountable is this kind of profiling?
All these data profiling and analysis is done by Artificial Intelligence (AI). But actions like blocking profiles, deleting or flagging any inappropriate content is done by AI only under human supervision.
India is planning to develop 100 smart cities. That not only refers to improving basic civic services but also embedding digital technology like smart cameras or facial recognition. Entering into that kind of ecosystem would mean storage of lots of data in cities’ administration which is not fully equipped to deal with the same. Should users and citizens be concerned?
Humans are responsible for the interpretation of data captured by cameras. Smart cities, unless it is a crime related situation, need not use facial recognition as part of the collection. Smart cities’ software need not necessarily be intrusive to citizens’ privacy. Implementation of technology solutions is possible without adversely affecting the privacy or security. Harmless functionality of the system will require innovations in terms of segregating work only according to authorization. Techno-legal people can play a crucial role in this.
How do you propose to build capacity and knowledge of the municipal staff on the introduction of technology?
There is a need for proper information flow among citizens about the involvement of any technology, and law. Government sector lies far behind the private sector in terms of digital data handling and protection. If anonymous data is shared, a municipality can make use of it. A municipality in America traced and anatomised transit movements of people to decide where they should set up housing projects.
What is the Personal Data Protection Bill (PDPB) all about and how it is going to change the whole digital ecosystem?
Presently, we are working under the regime of the Information Technology Act which says that there will be a punishment if data is misused, which makes it a cyber-crime law. This Act made intermediaries or companies who are in possession of these digital information, take certain precautions to ensure that hacking doesn’t take place. But the Act does not have adequate deterrence or monitoring authority. Worldwide, after the General Data Protection Regulation (GDPR) in 2016, the focus was drawn towards the protection of personal data in a particular manner. Our PDPB follows the same trend and intends on introducing pro-active measures to be taken up by the company to reduce the risk of privacy loss.
In Puttaswamy’ judgement, in 2017, the Supreme Court said that privacy is a fundamental right of an Indian citizen. It is infringed upon when an organisation fails to regulate the personal data of people. This act aims at giving an individual the choice and authority over how much of their personal information they want to provide and how much of it can be used. The key to PDPA is consent-based collection of personal information. Certain rights have been given to the data subject, including access to the information on where exactly their information will be used and settings to change the reach of access by the platform into personal data. The organisations have been told to follow certain compliance measures, appoint Data Protection Officers, and develop an action plan on processing data to protect data. Some precautions are necessary to ensure data processing in a manner which is in the interest of the data subject. There are also data breach notification aspects in the Act. PDPB has a system called Data Trust Score (DTS). Every organisation is audited by a data auditor (mandatory once a year) and the auditor has to provide DTS for particular companies based on their capability ofprotecting personal data.
How should users behave online and which precautions should they take?
A user usually is asked to accept a privacy policy of an organisation before submitting their data. However, most users remain unaware that the content in privacy policy contains details of where and how their data will be used.. There are times when an organisation collects more information than is necessary for a particular service. At present, there is no monitoring authority, but after the PDPB bill is passed, Data Protection Authority (DPA) can take action.
DPA can penalize such organisations if found using users’ data in excess if brought to their attention through their own audit system or through complaints. People not well versed in the technology and the laws surrounding it is the biggest issue. A service called consent manager has been introduced in the bill to guide people who are new to technology, through apps and filling information. The law also provides the consent managers to create pseudonymous identity so that their privacy remains protected, their purpose is carried out, and there is no legal infringement. Consent managers will act as an intermediary between data fiduciary and data principle, thus bridging any gap of knowledge, expertise, or language.