Beating the Rhetoric
The recent debates in the Supreme Court on the issue of Aadhar have forced us to ask another fundamental question to ourselves –What is the status of the data that we would all generate? Irrespective of how the Hon’ble Court would view AADHAR the question of data and data protection becomes indeed more fundamental in itself. To understand the data position we must however digress from the issue of AADHAR and instead chose to focus on what AADHAR encompasses and what it seeks to do.
AADHAR number issued to each individual would capture biometric data of each individual. Scientists and activists worry that such data might fall into the hands of unscrupulous people tomorrow who make take advantage of the same. Yet to limit the discussion to biometric data alone would be akin to not being able to understand the nuances to data protection. Data on a more basic level is information. This information can be in various forms from medical records to biometric information. It may also mean information of financial details, bank passwords, and corporate formulas among others. In a rapidly changing world which is increasingly being governed by the Internet of Things (IoT) a person generates a number of information each day that he/she interacts. This can take the form of book preferences in Amazon to route preferences in Uber. And each bit of information becomes a window to the person. And this is what makes this information valuable. Companies who are looking to sell products would make a killing to be able to access such information. In the modern world ‘data is the new oil’. It is the new fuel that will run the growth engine of companies. As the business world rapidly transforms itself, it is data that gets that will drive the growth and balance sheet of companies.
In a digital world, the word digital would mean different things to different people. And yet the question of data is not limited to IT companies alone. For over two decades now IT majors have partnered with Formula 1 racing companies helping them design algorithms working on different projections which have increased their efficiency while reducing the fuel intake at the same time. At the core of such partnership is how these companies have tapped into the data of the original brick and mortar companies and used it to design better systems. Thus data and its utilisation is something which will only increase in the years to come. Thus it is not surprising that the protection of data is important as well.
In the past few months there have been repeated attempts in premier banks like Axis and SBI to steal data and financial details of people who have their accounts in these banks. While because of the heightened security that banking companies employ these attempts were largely thwarted yet it opens the question of vulnerability to data theft and the need for data protection. Data protection has two aspects. One at the individual level, the other at an institutional level.
On an individual level data protection has to start recognising that the potential as well as the risks to an individual are immense. And the first step towards that is recognition. Often individuals are not aware of risks that such systems pose. They log into airport Free Wifi as soon as they get one, little realising that they are handing away their data and personal information to private companies. At other times they have no problem sharing phone numbers with shopping malls. Little do the people realise that every action of theirs is potential data which can then be solved by these companies to those who require data for a hefty price all without the knowledge of an individual. Such actions might have even larger ramifications like leaking of personal financial records and cyber theft among others. Hence, as a first step to data protection an individual must be made aware of the importance of data and the need to protect the identity and integrity of that data.
The second part of this problem is with data protection at an institutional level. India is waking up to the problem of data protection. While the right noises have been made and some steps have been taken, yet more concrete steps must be taken in this regard. As a first step all companies and entities must be made responsible for the data that they collect. That data should be confidential and should be used by the company only in a manner and form that the customer had wanted it in the first place. If any company is found violating the same strict punishment must be imposed on those companies.
Secondly it must also be ensured that cross border trading of data among multinational corporations must be under specific guidelines and must not continue unregulated. Unregulated flow of data of citizens in foreign shores can itself signal a threat to national security wherein new forms of cyber terrorism might take place while using identities of those who are citizens of the nation itself. Hence the government must monitor the data that travels out of the national shores in a vigilant manner. On the other hand the lack of a strong data protection regime can harm India’s image and vision to be a market leader and a world leader in cyber security. To counter the same India needs to develop a stronger data protection regime.
One of the first steps that would go a long way in allaying these concerns would be to bring effective changes in Section 43A of the Information Technology Act 2008. The discourse has to shift from maintaining “reasonable” protection to complete protection as India marches into the new era of Industrial Revolution and the next stage of the Digital Revolution. In such changing circumstances it is imperative that India redesigns its data protection and security regime.
( Views expressed by the author are personal)