Data Ownership and Privacy: An Indian Perspective

Transcription

1 Data Ownership and Privacy: An Indian Perspective RAJIV SINHA DEPUTY DIRECTOR GENERAL NETWORKS & TECHNOLOGIES MINISTRY OF COMMUNICATIONS DEPARTMENT OF TELECOMMUNICATIONS GOVERNMENT OF INDIA COMMONWEALTH DATA FORUM 2018, GIBRALTAR 22 nd February

2 The rapid evolution of ICT has aided the overall economic and social development of any country. In parallel, we have also witnessed a quantum leap in the quantity and value of data that is being generated through the use of modern communications services Each step of a user's interaction with ICT services, whether through traditional telecom services, Internet services, devices, applications or other forms of content, results in the generation of large amounts of data All information about an individual is not personal data. The information must be such that the individual is either identified or identifiable from such information For instance, a car registration number, by itself, does not reveal the identity of a person. However, it is possible that with other information, an individual can be identified from this information Anonymisation, by contrast, refers to data where all identifying elements have been eliminated from a set of personal data. 2

3 Over the last decade, there have been vast improvements in surveillance technology and the availability, storage, and mining of personal information online, supported by developments in big data analytics This has created a public policy conundrum over balancing the benefits of big data with the threat to the right to privacy. In an environment of pervasive surveillance and intrusive technology, there is a need for improved protection of privacy rights through a mixture of legislation and regulation, and building public awareness and demand for safeguards. Privacy is rarely eroded by a single act or by a single person. Instead it comprises multiple small acts of surveillance and information collection, both by the State and private actors - from the monitoring of our call records and the contents of our calls to tracking our movement and browsing history The advancement of big data technologies and the ensuing ease of re-identification have disrupted the faith placed in anonymisation as measures to protect the privacy of an individual. 3

4 Worldwide Key Telecom Growth Indicators Growth Indicator As on 2017 Forecast for 2023 Mobile Subscriptions 7.8 B 9.1 B Smartphone Subscriptions Monthly Data Traffic Per Active Smartphone Total Monthly Mobile Data Traffic 4.4 B 7.3 B 2.9 GB 17 GB 14 EB 110 EB Source: Ericsson Mobility Report Nov

5 Worldwide Key Telecom Growth Indicators IoT Connections Outlook (in billion) Category As on 2017 Forecast for 2023 CAGR Wide-area IoT % Short-range IoT % PC/laptop/tablet % Mobile phones % Fixed phones % 17.5 billion 31.6 billion Source: Ericsson Mobility Report Nov 2017

6 Big Data is usually characterised by volume as in massive datasets, velocity which relates to real time data, and variety which relates to different sources of data. Other technological developments such as artificial intelligence, machine learning, the Internet of Things are all part of the Big Data ecosystem and their use is becoming increasingly commonplace The 5G era is on its way and huge data explosion is expected through typical use cases of mmtc, embb and urllc Since technologies such as 5G,Big Data, the Internet of Things and Artificial Intelligence are here to stay and hold out the promise of welfare and innovation, we will have to develop a data protection framework which can successfully address the issues relating to these technologies, so as to ensure a balance between innovation and privacy 6

7 The Government should enable and facilitate the industry to grow by way of creation of newer services. There is a global trend in the creation of new services on the basis of data. These services provide significant value to customers, and businesses. The country may be at risk of falling behind, if action is not taken to encourage the creation of such businesses. This could be done through enabling newer players to bring in innovative services, while also ensuring a level playing field. While the transition to a digital economy is underway, the processing of personal data has already become ubiquitous in both the public and private sector. 7

8 Data is valuable per se and more so, when it is shared, leading to creation of considerable efficiency. The reality of the digital environment today, is that almost every single activity undertaken by an individual involves some sort of data transaction or the other. The Internet has given birth to entirely new markets: those dealing in the collection, organisation, and processing of personal information, whether directly, or as a critical component of their business model. The low costs of storing and processing information and the ease of data collection has resulted in the prevalence of long-term storage of information as well as collection of increasingly minute details about an individual which allows an extensive user profile to be created. 8

9 In the course of delivering services, Service Providers have the ability to gain access to a lot of information and data pertaining to their subscribers. This includes call detail records, calling patterns, location data, data usage information, etc. Though the above mentioned data is the personal data of the individual but the ownership rights, authority to use, transact and delete this data are presently ambiguous. In order to protect the privacy of users of telecom services it is important that ownership rights, authority to use, transact and delete personal data are ascertained, and to ensure that all the players in the chain are bound to follow certain safeguards while collecting, storing and using the data pertaining to their subscribers. 9

10 WHAT IS DATA OWNERSHIP? Data ownership is the act of having legal rights and complete control over a single piece or set of data elements. It defines and provides information about the rightful owner of data assets and the acquisition, use and distribution policy implemented by the data owner. Data ownership is primarily a data governance process that details an organization's legal ownership of enterprise-wide data. A specific organization or the data owner has the ability to create, edit, modify, share and restrict access to the data. Data ownership also defines the data owner s ability to assign, share or surrender all of these privileges to a third party. This concept is generally implemented in medium to large enterprises with huge repositories of centralized or distributed data elements. The data owner claims the possession and copyrights to such data to ensure their control and ability to take legal action if their ownership is illegitimately breached by an internal or external entity. 10

11 WHAT IS DATA GOVERNANCE? Data governance refers to the general management of key data resources in a company or organization. This broad term encompasses elements of data use, storage and maintenance, including security issues and the way data flows from one point to another in an overall IT architecture. Because raw information is a key resource for most businesses and organizations, data governance is a logical area of overall IT strategy focus for many large enterprises. A data governance plan may be crafted to specify protection mechanisms for data use and storage. This type of plan may identify key point people who are responsible for various data processes, such as backups and protection against hackers. The role and responsibilities of data controllers should also be defined 11

12 Digital revolution has permeated India as well. Recognising its significance, and that it promises to bring large disruptions in almost all sectors of society, the Government of India has envisaged and implemented the Digital India initiative. This initiative involves the incorporation of digitisation in governance; healthcare and educational services; cashless economy and digital transactions; transparency in bureaucracy; fair and quick distribution of welfare schemes to empower citizens. With nearly 450 million Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market for global players. This digital economy is expected to generate new market growth opportunities and jobs in the coming years Much of that new information will consist of personal details relating to individuals, including information relating to the products they have purchased, the places they have travelled to and data which is produced from smart devices connected to the Internet 12

13 Data Traffic per active Smart Phone (GB per month) Middle east and Africa North East Asia South east asia and Oceania Latin America India Central and Eastern Europe Western Europe 7 48 North America Source: Ericsson Mobility Report Nov

14 Highest Data consumption 1b GB/month Data Explosion in India 1.4x USA 1.7x China 2.0x Japan Rise of Digital Indian 70% Smartphone time on social platforms Time spent on mobile apps per day 200 Minutes Source: Based on analysis done by E&Y India 14

15 Existing safeguards for Data Protection in India In India, MNOs are bound by a number of requirements relating to the protection of user data. These requirements flow both from telecom sector specific laws and conditions as well as general provisions contained in the Information Technology Act, 2000 (IT Act). The Indian Telegraph Act, 1885 (Telegraph Act) puts a general obligation on MNOs to prevent unauthorized interception of messages and to maintain secrecy. There are restriction from altering, intercepting or divulging the contents of any message, except as required by law However, designated public officials have the right to intercept telephonic communications under identified circumstances The IT Act also contains provisions relating to the protection of data and the interception of information by authorised agencies. These provisions are applicable to MNOs as well as to other intermediaries such as webhosting service providers, search engines, online payment sites, online auction sites, online market places and cyber café 15

16 The IT Act define "Personal information" to mean any information that relates to a natural person, which can be used, either directly or indirectly for identifying such person. "Sensitive personal data or information" is defined to be a sub-category of this information, to include items such as passwords, financial information, health conditions, sexual orientation, etc Whosoever possesses, deals or handles any "sensitive personal data" or information in a computer resource is required to maintain reasonable security practices and procedures relating to such data. It will be liable to pay compensation to the affected person in case of any negligence in implementing such measures resulting in a wrongful loss or wrongful gain to any person. The Act also provides for the punishment for intentionally or knowingly disclosing personal information relating to a person that was acquired for providing services under a lawful contract, without the consent of the person concerned or in breach of a lawful contract 16

17 Recently, the Supreme Court of India recognised the right to privacy as an intrinsic part of the fundamental right to life and personal liberty under the Constitution of India The Court recognised informational privacy as an important aspect of the right to privacy that can be claimed against state and non-state actors. The right to informational privacy allows an individual to protect information about herself and prevent it from being disseminated. The Court recognised that the right to privacy is not absolute and may be subject to reasonable restrictions 17

18 In India, domain experts are engaged for drafting a data protection framework encompassing following broad principles : Technology agnosticism- The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance. Holistic application- The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims. Informed consent- Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the afore mentioned criteria. 18

19 Data minimisation- Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject. Controller accountability- The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing. Structured enforcement- Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms. Deterrent penalties- Penalties on wrongful processing must be adequate to ensure deterrence. 19

20 Way Forward.. The issue of data protection is important both intrinsically and instrumentally. Intrinsically, a regime for data protection is synonymous with protection of informational privacy Instrumentally, a firm legal framework for data protection is the foundation on which data driven innovation and entrepreneurship can flourish. Fostering such innovation and entrepreneurship is essential if country has is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access. 20

21 Thank You 21