The historic Supreme Court judgment on privacy has accelerated the creation of personal data protection legislation. The new regime will bring a set of new obligations for businesses. It's time to examine the new compliance requirements you may have to fulfil.
Recently, when Equifax, one of the top three US credit bureaus, suffered a massive cyber attack that resulted in the breach of the personal data of 143 million people, the first major fallout was the rolling of heads among its C-suite executives.
No marks for guessing who those executives were. Dave Webb had been the company's CIO for seven years, and Susan Mauldin its chief security officer since 2013.
It is anything but surprising. Protecting the personal data of citizens is increasingly being seen as a major obligation of those who handle that data, be they commercial agencies like Equifax or government agencies like the Unique Identification Authority of India (UIDAI).
Globally, an individual's right to privacy, including informational privacy, is increasingly being recognized. Regulators are introducing stringent rules for the entities that handle individuals' personal data, called 'data controllers' and 'data processors' in regulatory parlance. The General Data Protection Regulation (GDPR), a framework approved by the European Parliament that comes into effect in May 2018, is seen as the pioneering regime in this area.
The demand for such a regime is growing across the democratic world. In India, the apex court, the Supreme Court of India, has lent its voice to the cause by explicitly recommending that the government initiate such legislation.
On 24 August, in a historic judgment, a nine-judge bench of the Supreme Court ruled that the right to privacy is a fundamental right. While another important judgment, on triple talaq, delivered two days earlier, split the five judges who heard it, the privacy decision was unanimous across a much larger bench.
“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,” the bench ruled in its order, overruling two earlier decisions of the apex court. The government had argued against privacy being a fundamental right.
While the media focused on the judgment's implications for Aadhaar, because it was delivered while the court was hearing a petition questioning the data collected by UIDAI for Aadhaar, its implications are far wider.
The creation of a data protection regime is by far the most obvious and immediate fallout, something the judges themselves pointed out. Protecting personal data is one of the most important means of protecting an individual's privacy, and it is becoming a tough challenge in this era of digital everything.
“We are in an information age. With the growth and development of technology, more information is now easily available. The information explosion has manifold advantages but also some disadvantages. The access to information, which an individual may not want to give, needs the protection of privacy. The right to privacy is claimed qua the State and non-State actors. Recognition and enforcement of claims qua non-state actors may require legislative intervention by the State,” Justice Sanjay Kishan Kaul said in his judgment.
Giving the examples of players such as Uber, Facebook, Alibaba and Airbnb, and noting the capabilities of technologies such as 'Big Data', the judgment observes that an individual's data can be collected and processed to find new uses for it. “A large number of people would like to keep such search history private, but it rarely remains private, and is collected, sold and analyzed for purposes such as targeted advertising,” the judgment noted.
Noting that the personal data collected is capable of effecting representations, influencing decision-making processes and shaping behavior, and that the possibility of the government exercising control over us like 'Big Brother' could have a stultifying effect on the expression of dissent and difference of opinion, the judgment explicitly argued for legislation in the area.
“There is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors. There is also a need for protection of such information from the State,” Justice Kaul noted, while clarifying that although interception may be desirable and permissible to ensure national security, it cannot be left unregulated.
Both Justice D.Y. Chandrachud and Justice Kaul explicitly stressed the need for legislation to protect data privacy. The bench delivered six separate judgments: Justice Chandrachud wrote on behalf of four judges including the Chief Justice, and the other five judges wrote their own.
“Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state,” Justice Chandrachud’s judgment noted.
“I agree with Dr. D.Y. Chandrachud, J., that formulation of data protection is a complex exercise which needs to be undertaken by the State after a careful balancing of privacy concerns and legitimate State interests, including public benefit arising from scientific and historical research based on data collected and processed. The European Union Regulation of 2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data may provide useful guidance in this regard. The State must ensure that,” said Justice Kaul in his judgment.
With such an unambiguous, unequivocal and forceful recommendation from the highest court in the country, efforts to formulate a data protection law can only be expected to accelerate.
As it happens, the government had already taken some first steps in that direction. In July, the Ministry of Electronics and Information Technology (MeitY) constituted a committee of experts under the chairmanship of Justice B.N. Srikrishna, former Judge of the Supreme Court, to identify key data protection issues and recommend ways of addressing them. Its brief also includes producing a draft data protection bill. Members of the committee include Dr Gulshan Rai, National Cyber Security Coordinator; Prof Rajat Moona, Director, IIT Raipur, and a noted cyber security expert; and Ajay Bhushan Pandey, CEO of UIDAI, among others.
Interestingly, a private member's bill, the Data (Privacy and Protection) Bill, has been introduced in Parliament by Biju Janata Dal MP Baijayant Panda. The draft bill is modelled on the major issues addressed by the EU GDPR.
Implications for enterprises
The EU GDPR defines a data 'controller' as ‘the natural or legal person, public authority, agency or other body’ which, alone or jointly with others, determines the purposes and means of the processing of personal data. Similarly, it defines a 'processor' as an entity that processes personal data on behalf of the controller.
The non-state actors the judges refer to are typically commercial companies that use individuals' data for their own business purposes. Most commercial organizations, especially those in large-scale B2C business, would fall under the GDPR's definition of a data controller, and certain categories of business would typically be classified as data processors. While the EU definition restricts a processor to someone who processes personal data ‘on behalf of the controller’, an Indian law need not define it that way. For example, the private member's bill introduced by Panda defines a processor as someone ‘who processes data independently or on behalf of a data controller’.
In short, most businesses would fall under one or both definitions and will have to comply with the new regulations. Even limited exposure to the EU GDPR, for companies that do business there or provide IT or BPO services to European clients, has already sent many companies scrambling to comply. A full-fledged Indian data protection regime will bring several compliance requirements of its own.
Once that happens, it is a no-brainer that CISOs and CIOs will have to drive this new set of compliance requirements.
Here is a look at some of the obligations that may come your company's way. You may already have some of them in place if your sectoral regulator requires them, but most would be new for most companies.
While not all of them may require you to ‘show’ something immediately (such as appointing a Data Protection Officer), you nevertheless need to ensure that the obligations are met. An Indian draft data protection bill is yet to be ready; producing one is a specific brief of the committee chaired by Justice Srikrishna. So most of the possible requirements presented here are taken from the EU GDPR's principles, if not its exact regulatory text.
In the discussion, we refer to data controllers and processors as businesses or enterprises, though the obligations may apply to other types of entity as well.
- Purpose of processing: The controller or processor has to state clearly the purpose for which data is collected or processed. That is because using the data for anything other than the original purpose requires the explicit consent of the individual concerned, also referred to as the data subject. The onus of ensuring this will be on the enterprise.
- Consent of the individual: One of the requirements of the EU GDPR is that “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” It further mandates that the request for consent cannot be buried in fine print, as is the case today; it should be clear and in plain language. Further, companies must make it easy for the individual to withdraw consent at any time. Whether consent is taken on paper or electronically, organizations have to put systems in place to make this possible, and to record when and for what purpose consent was given or withdrawn. ‘Making it easy for the individual’ has to be defined, and that definition may change from time to time.
- Right of access by the data subject: One of the possible requirements of companies dealing with individual data would be to give data subjects access to their own data, along with additional information such as the period for which the data will be stored, who will be given access to it and whether it will be transferred beyond the boundaries of the country; the list may keep changing.
- Right to be forgotten/data erasure: Another important requirement the EU GDPR mandates, and one that has become somewhat controversial, is the right of the individual to be forgotten, or to request the erasure of his or her data without ‘undue delay’. This will be especially challenging, as there will most likely be a stipulated time period, and failure to comply within it may attract stringent penalties. Front-end and back-end systems should make it easy for the data subject not only to give or withdraw consent but also to request erasure, which then has to be honored within the given period. In practice, that means knowing every copy of a subject's data, including backups, logs and data handed to processors, and being able to delete or unlink it on request.
- Data portability: Another possible requirement, taking a cue from the EU GDPR, is data portability. This obliges data controllers or processors to provide a data subject's data to him or her on demand in a structured, commonly used and machine-readable format, so that the subject can move it to another controller. Practically, the challenge for businesses is not just to make this possible but to do so in an efficient, cost-effective manner.
- Storage and transfer of personal data: There are a number of requirements on data controllers about keeping data subjects informed of where their data is stored and whether it is transferred to a third party. With evolving technology, a number of clarifications will be needed to enforce this; for example, whether a public cloud provider counts as a third party for this purpose is open to debate. Under the GDPR's own definitions, a cloud provider that processes data on the controller's instructions is a processor, and the controller remains accountable for what it does with the data; an Indian law may draw the line differently.
- Data protection mechanisms: The EU GDPR explicitly names pseudonymization as a data protection mechanism. In the GDPR's sense, pseudonymized data can no longer be attributed to a specific data subject without additional information (such as a key or lookup table) that is kept separately under its own technical and organizational controls; it is distinct from anonymization, where no such link remains. A robust data protection program will typically combine pseudonymization with encryption of data at rest and in transit and, where the use case allows, anonymization. One caveat: replacing an identifier with a bare hash is not pseudonymization in this sense, because low-entropy identifiers such as phone numbers can simply be enumerated and hashed to reverse it.
- Breach notification to the data subjects: This one is a no-brainer. Any data protection legislation would make it mandatory for data controllers to inform individuals about any breach that affects them. The EU GDPR, for instance, requires notifying the supervisory authority within 72 hours of becoming aware of a breach, and the affected individuals where the breach is likely to result in a high risk to them. While many countries already have such laws, in India it is still not a requirement, nor has it been a voluntary practice. So this part of a new data protection regime will be challenging.
- Appointment of Data Protection Officers: The EU GDPR asks for a designated Data Protection Officer (DPO). This is primarily for accountability as far as regulators are concerned, but a dedicated executive also brings focus. It remains to be seen whether some information security professionals will see a new career path in this responsibility. Companies will have to be clear on the role, seniority level and reporting structure of such an executive, and on his or her relationship with the CIO and the CISO. Taking a cue from the EU GDPR, the private member's bill introduced by Baijayant Panda also requires a Data Protection Officer. “Every data controller or processor or third party, as the case may be, shall appoint a Data Protection Officer having adequate technical expertise in the field of data collection or processing and the ability to address any requests, clarifications or complaints made with regard to the provisions of this Act,” it notes. The draft bill also tries to set out the DPO's role: to act as an independent person, address requests, clarifications or complaints by any aggrieved person within a stipulated time, and recommend actions to be initiated.
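The following is an added example, not code from the article or from any regulator, showing what keyed pseudonymization (the "data protection mechanisms" item above) looks like in practice and how it supports an erasure request (the "right to be forgotten" item). It is self-contained Python using only the standard library: the sample records, names and phone numbers are constructed for the demo, and the `PseudonymizationService` class, its method names and the `demo()` function are this example's own, not anything defined by the GDPR or the draft bill. The key point it makes is that a bare SHA-256 of a phone number is reversed by enumerating the number space, while an HMAC token is not, and that the re-identification map held separately by the service is what an erasure request removes.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample records with fictitious names and numbers (not data
# from any real system). "phone" is the direct identifier we tokenize.
RECORDS = [
    {"name": "Asha Verma",  "phone": "9100000123", "city": "Pune",  "spend": 1200},
    {"name": "Rahul Mehta", "phone": "9100000456", "city": "Delhi", "spend": 300},
    {"name": "Neha Iyer",   "phone": "9100000789", "city": "Pune",  "spend": 4500},
]
DIRECT_IDENTIFIERS = ("name", "phone")


class PseudonymizationService:
    """Hypothetical service holding the HMAC key and the token -> identity
    map, i.e. the 'additional information' that must be kept separately.
    The dataset it hands to analytics carries only tokens."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._identities: Dict[str, Dict[str, str]] = {}

    def token_for(self, phone: str) -> str:
        # Keyed: without the key, nobody can recompute tokens for guessed numbers.
        return hmac.new(self._key, phone.encode(), hashlib.sha256).hexdigest()

    def pseudonymize(self, record: dict) -> dict:
        token = self.token_for(record["phone"])
        self._identities[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = token
        return out

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Authorized lookup, e.g. to answer a subject access request."""
        return self._identities.get(token)

    def erase(self, phone: str) -> bool:
        """Erasure request: drop the token -> identity link. Rows keyed by
        the token stay usable for aggregates but can no longer be tied to
        the person by anyone holding only the dataset."""
        return self._identities.pop(self.token_for(phone), None) is not None


def unkeyed_hash(phone: str) -> str:
    """The common but wrong approach: a bare hash with no secret."""
    return hashlib.sha256(phone.encode()).hexdigest()


def brute_force(target_hex: str, prefix: str, suffix_len: int,
                hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's side: enumerate numbers sharing a known prefix (an
    operator or region block) and look for a matching hash. That is
    10**suffix_len guesses; even the full 10-digit space is feasible offline."""
    for n in range(10 ** suffix_len):
        candidate = f"{prefix}{n:0{suffix_len}d}"
        if hash_fn(candidate) == target_hex:
            return candidate
    return None


def demo() -> dict:
    svc = PseudonymizationService()
    dataset = [svc.pseudonymize(dict(r)) for r in RECORDS]
    victim = RECORDS[1]["phone"]

    # 1. Unkeyed hash: the "pseudonym" falls to a 100,000-guess enumeration.
    cracked_plain = brute_force(unkeyed_hash(victim), "91000", 5, unkeyed_hash)

    # 2. Keyed token: an attacker without the key can only try keys of their own.
    attacker = PseudonymizationService(key=b"guessed-wrong-key")
    cracked_keyed = brute_force(svc.token_for(victim), "91000", 5, attacker.token_for)

    # 3. Authorized re-identification works through the separately held map,
    #    and an erasure request severs that link without touching the dataset.
    before = svc.reidentify(dataset[1]["subject"])
    erased = svc.erase(victim)
    after = svc.reidentify(dataset[1]["subject"])

    return {
        "dataset_has_no_direct_identifiers": all(
            k not in row for row in dataset for k in DIRECT_IDENTIFIERS),
        "cracked_plain": cracked_plain,
        "cracked_keyed": cracked_keyed,
        "reidentified_before_erasure": before,
        "erased": erased,
        "reidentified_after_erasure": after,
        "rows_still_in_dataset": len(dataset),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should note. First, because the key is unchanged, a later ingest of the same phone number would regenerate the same token and silently re-link the "erased" subject; a real service needs a tombstone list or key rotation to prevent that, and whether unlinked rows satisfy an erasure obligation is a question for the regulator, not the code. Second, the token map and key must sit behind separate access control from the analytics store, or the separation that makes this pseudonymization is only notional.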
The Indian bill is yet to be drafted. It may add other requirements or leave out some of the EU GDPR's. One tricky challenge for Indian banks, telcos and other companies dealing with individual data will be meeting these compliance requirements alongside the mandate to link accounts with Aadhaar.
As a CIO or CISO, it is time to examine what the most likely new compliance requirements could mean for your organization and for your KRAs. While legislation and enforcement may still be at least a year away, it is only now that you can provide input into the making of the law. Since a regulator such as a Data Protection Authority will be formed only later, the committee may not be able to approach businesses proactively, so it is not a bad idea to get your voice heard now. That will help ensure the draft bill does not throw up nasty surprises. Panda's private member's bill is a fairly comprehensive piece of work and may serve as a good starting point if you want to deliberate and reach out to the authorities with your considered opinion.