Sushmita Ravi & Vivek Verma
Trading of Personal Information & Unsolicited Commercial Communications
A recent judgement of the Delhi State Consumer Disputes Redressal Commission, which imposed an exemplary fine of Rs. 75 lakh on Airtel, the Cellular Operators Association of India (COAI), ICICI Bank and American Express Bank, on a complaint of consumer harassment by unsolicited telemarketing calls and text messages, is a testimony of what you are trading-off for your privacy and personal information. The Commission’s judgement in this case was reportedly based on the fact that mobile service providers traded subscribers’ personal information in violation of their contractual obligation to treat it as confidential. Although the Courts have in the past, issued restrictive directions on similar cases of breach of privacy, this was the first time in India that any entity was ever penalized for Unsolicited Commercial Communications (UCC). As of today, the Commission’s ruling is under Supreme Court’s scanner.
Constitutional Protection against Breach of Privacy
In the year 1997, the Supreme Court of India in People’s Union for Civil Liberties (PUCL) v. Union of India directed the Reserve Bank of India (“RBI”) to institute measures to reduce unsolicited calls on the ground that the right to privacy is a fundamental right guaranteed under Articles 19 and 21 of the Constitution of India. However, these guidelines issued by RBI in November 2005 only applied to banks and financial institutions and did not have much impact. As of today, the issues still remain unresolved and there has been filed a number of PILs which are pending disposal before the Apex Court seeking protection of privacy rights.
New Privacy Bill: What is there in Store?
The new Privacy Bill aims at to establish an effective regime to protect the privacy of an individual and their personal data from Governments, public authorities, private entities and others. It sets out conditions upon which surveillance of persons and interception and monitoring of communications may be conducted. The new Policy also provides for constitution of a Privacy Commission.
Let us have a sneak peek into the Draft bill. Chapter-I deals with definitions where the term sensitive personal data is widely defined and includes many aspects of data protection. The next chapter deals with regulation of personal data followed by a chapter dealing with protection of personal data . The fourth chapter provides for setting up of a Data Protection Authority Regulation by Data Controllers. The fifth and sixth chapters deal with data processors and surveillance and interception of communications. The final chapter prescribes penalties for offences committed under the Act .
However the bill has been criticized on the ground that it seeks to cover both the government and private sector under one legislation. In countries like U.S. , there is one privacy legislation controlling the manner in which the Federal Government collects and uses the data of its citizens. Then there are sector wise legislation governing how the private sector and state governments use and share data in the sectors of health, banking, etc. The proposed bill carries the responsibility of curbing violations of right of privacy among citizens as well as the regulates the sensitive data use by the government and private bodies. The implementation of the same definitely poses a huge challenge.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
On 13 April 2011, the Ministry of Communications and Information Technology (MCIT), Government of India, notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”). As per these Rules, Sensitive Personal Data or Information (SPDI) consists of the following:
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information.
- Clear and easily accessible statements of its practices and policies;
- type of personal or sensitive personal data or information collected under rule 3 of the Rules;
- purpose of collection and usage of such information;
- disclosure of information including sensitive personal data or information as provided in rule 6 of the Rules, and
- reasonable security practices and procedures as provided under rule 8
The Rules also provides for guidelines for collection and usage of such information. The Rules mandated the compliance of Reasonable Security Practices and Procedures by all body corporate.
Tracking User Information and Preferences
Spyware: Microsoft defines ‘Spyware’ as software that can perform certain behaviours, usually without first obtaining the consent from the user, for the same. Example of such behaviour may be collecting personal information and preferences of the user, displaying unwanted advertisements while a user surfs internet (by covertly installing adware on their system), etc. Most of these spyware are generally designed in a manner so that it is difficult to be removed. Such spyware even has the ability to make changes to the user’s computer and cause their computer to slow down or eventually crash which may again result in loss of valuable data and information. Other than the computers, these spyware may also be installed on a user’s cell phone. Once a phone is infected with the spyware, it can enable the tracker to have access the device’s text messages, emails, call history, contacts and files from applications such as Facebook and Whatsapp. The spyware can even be used to switch on a phones camera and microphones to record conversations without the knowledge or consent of its owner. There have also been reports in the past, of government keeping a close eye on social media and arresting people for publishing tweets or Facebook updates that defame the government authorities or the State. For instance, early this year, a Saudi court sentenced one of its citizens to eight years of imprisonment for a number of charges, including mocking the King on social media. Very recently, Aaron’s Inc. and its franchise in United States were accused with a proposed class action in Georgia Federal Court by two attorneys alleging it used spyware installed in its rental computers to capture photographs and collect and store privileged and personal information from its customers.
Cookies: In laymen terms, ‘Cookies’ are small text file or computer ID that are downloaded to the user’s browser when they surf the internet. It ensures automatic logins and authentication when a user wants to access a website again, and can store information related to a user’s online browsing pattern and preferences. These cookies, when used as a form of spyware, can pose serious internet security threats and compromise a user’s online privacy. It can help the advertiser learn about a user’s online habits and shopping preferences and then build a consumer profile accordingly. This is called behavioural tracking. Thereafter, it starts showing specific advertisements matching the user’s interests. Some of these cookies can also covertly install adware or spyware applications on the hard drive of the user’s system or cell phone device. One good example of such cookies is “ATDMT tracking cookie” which can record the websites a user visits and the ads he/she clicks on, in addition to recording personal information like, credit card numbers and passwords to online accounts, etc. There have been several instances of identity theft related to ATDMT tracking cookies so far.
Author: Sushmita Ravi & Vivek Verma
 People’s Union for Civil Liberties (PUCL) v. Union of India and Anr AIR 1997 1 SCC 301
Image from here