Data Privacy and Information Security: What Becomes of Users’ Personal Information?

With the Indian Personal Data Protection Bill 2019 set to come into existence in the country soon, the debate over data privacy and information security is hotting up yet again. While DataQuest, in a previous article, had highlighted the various aspects of data privacy, in Series II the importance of information security will be discussed.

When we accept the app usage policies, not many of us take out the time to scroll through the new changes and adjust our data settings. We sign up to get the service, but we don’t give much thought to who might be storing our likes/dislikes or what they’re doing with our personal information. At first, one feels elated to know that when our devices seem to “know” where we live or how old we are or what books we like or which brand of shirt we use. Then we grow to expect this familiarity, and even to like it. It makes the online world seem customized for us, and it cuts down on the time we need to order the right accessory with your shirt or order something new to read.

In other words, Social media companies can now uniquely identify individuals amidst mass data sets and streams, and equally make decisions about people based on this massive database. It is now possible for companies and governments to monitor every conversation we conduct, each commercial transaction we undertake, and every location we visit. These capabilities may lead to negative effects on individuals, groups and even society as it may exclude or include and discriminate individuals based on their social profile.

But, as it has become apparent in the past year, we don’t really know who is seeing our data or how they’re using it, and more worryingly this is also true for even the people whose business it is, to know. We are reminded of the consulting firm Cambridge Analytica, which had harvested the personal information of more than fifty million Facebook users and offered it to clients, all within the grey area of consumer benefits.

So this hullabaloo over Privacy is genuine! With the mind-blowing technological innovation in this ever-increasing VUCA world of Data usage, information privacy is becoming more complex by the second, as a humungous amount of data is being collected and exchanged. And that leaves organizations facing an incredibly complex task of ensuring that personal information has been protected.

As a result, privacy has fast-emerged as perhaps the most significant consumer protection issue in the global information economy.

Additionally, the Indian Supreme Court, in one of the (various) cases over the years, has commented on Privacy as follows:

“for the purpose (of this case), it is sufficient to go by the understanding that the right to privacy consists of three facets i.e. repose, sanctuary and intimate decision. Each of these facets is so essential for the liberty of human beings”.

“Repose” refers to freedom from unwarranted stimuli, “sanctuary to protection against intrusive observation, and “intimate decisions” to autonomy with respect to the most personal life choices.

Indian courts have also ruled that “Privacy, in its simplest sense, allows each human being to be left alone in a core which is inviolable.”

Multiple SC judgments have ruled that the Right to Privacy is implicit in the Right to Life and Right to Liberty under section 21 of the Indian Constitution.

Since Privacy is for all practical purposes considered a fundamental right of the Indian Citizen, it means that the Government cannot infringe on the privacy of a citizen except under the “Reasonable Restrictions” clause which has to be embedded into a statutory law providing a “Due Process”.

Hence when it comes to “Surveillance” the Government has to ensure that there is a law that provides it has the power to do surveillance and also provides a reasonable process through which such power can be exercised. This would include defining who has the authority, when and how it can be exercised, what are the limitations to the power, under what all circumstances these can be revoked and what documentation and reporting would be required, etc.

So is Privacy the same as Security?

Data privacy is focused on the use and governance of personal data—things like putting policies in place to ensure that consumers’ personal information is being collected, processed, stored and erased in the appropriate ways. A novel concept of obtaining consent has been introduced to ensure the interest of the individual is paramount.

Security focuses more on protecting data from malicious attacks and the exploitation of stolen data for profit. While security is necessary for protecting data, it’s not sufficient for addressing privacy.

Also, although the Concept of Privacy is closely related to concepts such as “Secrecy”, “Confidentiality” and “Anonymity”, but“Privacy”, as such, has a distinct character.

For understanding the Indian PDPB2019, it is essential that we have a clear and unambiguous understanding of these terms and what they mean to a Data Protection Professional. These will be taken up in the upcoming series – III.

By Sameer Mathur, Founder and CEO, SM Consulting

President, Delhi-NCR Chapter of the Foundation of Data Protection Professionals in India

With inputs from Vijayashankar Nagaraj Rao