Insights into Editorial: For a data firewall: On need for a data protection law
The report by a German cybersecurity firm that medical details of millions of Indian patients were leaked and are freely available on the Internet is worrying.
The firm listed 1.02 million studies of Indian patients and 121 million medical images, including CT Scans, MRIs and even photos of the patients, as being available.
What is even more worrying is that the number of data troves containing this sensitive data went up by a significant number in the Indian context a month after Greenbone’s initial report was published.
The updated report also places Maharashtra at the top of the States affected by the leak.
According to the Supreme Court in the Puttaswamy judgement (2017), the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy, whereas the growth of the digital economy is also essential to open new vistas of socio-economic growth.
Risks associated with leakage of data:
- Data is the large collection of information that is stored in a computer or on a network. Data is collected and handled by entities called data fiduciaries.
- While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor.
- This distinction is important to delineate responsibility as data moves from entity to entity.
- For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.
- Such information has the potential to be mined for deeper data analysis and for creating profiles that could be used for social engineering, phishing and online identity theft, among other practices that thrive on the availability of such data on the Darknet restricted computer networks which exchange information using means such as peer-to-peer file sharing.
- The reason for the availability of this data is the absence of any security in the Picture Archiving and Communications Systems (PACS) servers used by medical professionals and which seem to have been connected to the public Internet without protection.
- Public data leaks have been quite common in India from government websites enabling the download of Aadhaar numbers to electoral data rolls being downloaded in bulk, among others.
- Unlike the data protection regulations in place in the European Union and in the U.S., India still lacks a comprehensive legal framework to protect data privacy.
- The Draft Personal Data Protection Bill 2019 is still to be tabled but could enable protection of privacy.
Brief about Data Protection Bill, 2019:
Ministry of Electronics and Information Technology (MeITY) in July 2017 constituted a ten-member committee of experts headed by former Supreme Court Judge, Justice B.N. Srikrishna to study various issues related to data protection in India and also to draft a Data Protection Law.
It submitted a report titled A Free and Fair Digital Economy Protecting Privacy, Empowering Indians.
The report has cited Puttaswamy Judgment and highlighted that sphere of privacy includes a right to protect one‘s identity.
The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
This right recognises the fact that that all information about a person is fundamentally their own, and they are free to communicate or retain it for themselves.
This core of informational privacy, thus, is a right to autonomy and self- determination in respect of one‘s personal data an must be the primary value that any data protection framework serves.
Data Principle, Data Fiduciary and Data Processor:
Data Principal means the natural person to whom the personal data relates.
Data Fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
Data Processor means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary.
Data localisation: It is the act of storing data on any device physically present within the borders of a country.
Storage of Data not on Rights Based Approach:
Government sees storage of individual data for public good and does not take into account a rights-based approach.
This gives government the right to use, monetise and exploit data in any manner it desires so long as it guards against security incidents such as breaches and unauthorised access.
This mindset of the government has allowed selling or transferring sensitive personal data by the fiduciary to a third party in the Data Protection Bill of 2019.
The committee sought to codify the relationship between individuals and firms/state institutions as one between “data principals” (whose information is collected) and “data fiduciaries” (those processing the data) so that privacy is safeguarded by design.
While the 2019 version of the Bill seeks to retain the intent and many of the recommendations of the Justice Srikrishna committee, it has also diluted a few provisions.
For example, while the Bill tasks the fiduciary to seek the consent in a free, informed, specific, clear form (and which is capable of being withdrawn later) from the principal, it has removed the proviso from the 2018 version of the Bill that said selling or transferring sensitive personal data by the fiduciary to a third party is an offence.
There are other substantive issues with the Bill pertaining to the situations when state institutions are granted exemption from seeking consent from principals to process or obtain their information.
So, considering the report on medical data leak, there is a need for rights based data protection law which –
Includes comprehensive surveillance reform prohibiting mass surveillance. Provides for judicial oversight mechanism for targeted surveillance. Prohibit selling of transferring of personal data by the fiduciary to any third party.
Yet, considering the manner in which public data are being stored and used by both the state and private entities, a comprehensive Data Protection Act is the need of the hour.