×

Minimal info, data purpose critical in ensuring privacy, protection of user information: Experts

India prepares to put in place a new and robust data protection framework

The concept of "minimal data" and "data purpose" have become increasingly relevant at a time when many apps are seeking blanket consent from users to access unrelated data, according to privacy experts.

A panel discussion on 'Future of Governance' hosted by India International Centre (IIC) in collaboration with Niti Aayog and Centre for Policy Research (CPR) saw eminent speakers converge to discuss threadbare the complex nuances of data privacy.

The issue is now in the spotlight as India prepares to put in place a new and robust data protection framework. The framework, that will secure personal data in the increasingly digitised economy and build safeguards against data breaches, is widely expected be finalised by June.

"If a music app wants to know my music preference, it is understandable...But if they want my photo, what has that to do with my music preference? That is why there is concept of minimal data and data purpose, for what purpose do you want it..." said Justice B N Srikrishna (former Supreme Court judge), who chaired the session dealing with data privacy issues.

Alluding to a panellist's views on the issue of consent as pre-condition for services, Justice Srikrishna said it is possible to make sure that user consent "can be partially to something and partially against something".

Justice Srikrishna -- who also heads the high-level committee which is framing new data protection norms for India -- posed thought-provoking questions at the event organised last evening as part of a series of talks on digital technologies. The panel included Unique Identification Authority of India (UIDAI) Chairman J Satyanarayana and many legal experts.

The wide canvas of questions that were debated ranged from basic issues like the need to protect data, to complex and tricky ones such as data sovereignty and ascertaining liabilities where multiple data collectors are involved.

During the discussion, the panel noted that both public and private sectors are collecting and using personal data at an unprecedented scale and for multiple purposes, and advanced algorithms now make it possible to not only predict user behaviour but also compile complete digital profiles of users. "We need a data protection law. We have, for these many years, been in sort of vacuum where there is no efficient law for data protection - that is a big problem.

"So the law has to define what the rights and responsibilities are, it has to address issues like ownership and custodian of data, and then set up an adjudication mechanism for accountability framework," Vrinda Bhandari, Supreme Court advocate, said to a question on tackling data risks. Bhandari said other key aspects are consumer education and embedding flexible principles in law to ensure that legislations are able to effectively deal with technological advancements. She asserted that where multiple entities may be involved in handling and sub processing of data, the liability of the primary data collector needs to be clearly defined as individuals tend to share their information with companies based on "trust".

The recent data breach episode involving US based social networking giant Facebook and British data analytics firm Cambridge Analytica has created an awareness like never before on issues around information privacy, user rights and consent policies, nudging companies to review and strengthen their privacy protection rules.

Speaking on the occasion, UIDAI's Satyanarayana said new-age technology backed by empathy has transformed the manner in which governance services are being rendered to citizens, and that shift from paper-based to digital systems has resulted in efficiencies as well as convenience for people.

Satyanarayana asserted that Aadhaar is intended at empowerment of citizens, and that giving a unique identity to people and providing a robust digital platform to authenticate "anytime, anywhere" are aligned to this vision.

Aadhaar, he said, is protected by high-tech encryption, authentication and best-in-class security, and every device, person and software is registered and authenticated before allowing enrolment.

So far, 121.17 crore residents have been enrolled for Aadhaar. It has been used for 19.6 billion authentications, he said.

His views assume significance in the backdrop of the Supreme Court reserving its verdict on a batch of pleas challenging the Aadhaar Act and the use of the biometric identifier in various government and non-government services.

Explosion of data, its storage and multiple uses of such information have made it critical to build safeguards against data breaches, said Chinmayi Arun, Executive Director, Centre for Communication Governance at National Law University, Delhi.

Addressing a question on relevance of consent in structure of data privacy law, Arun cautioned that consent may bring its own set of complications.

"...consent has a series of problems with it. There are situations where for government or private delivery of services, you are told that your consent is being asked for, but you don't really have a choice in the matter. So you end up consenting to get the welfare service or access a network, and you don't have an option to quit it," she added.