Research study on Data Privacy

Data Privacy

By Govind Kumar, PGDRM Jan’20-21


What is Data Privacy?

Data privacy or information privacy is a branch of data security concerned with the proper handling of data: consent, notice, and regulatory obligations. More specifically, practical data privacy concerns often revolve around: whether or how data is shared with third parties; how data is legally collected or stored; and regulatory restrictions such as GDPR, HIPAA, GLBA, or CPA.


Image Source: Varonis

*No such law in India


Security incidents related to Personal Data


Banking: In January 2019, an SBI server in Mumbai was shown to be unsecured and vulnerable, exposing the data of millions of its customers. The server was not password-protected, so information such as account balances, mobile numbers, and even account numbers was effectively on display. SBI secured the server soon afterwards, but this incident emphasized the need for improving digital infrastructure in the banking sector.

Aadhaar: The World Bank and certain digital security firms reported that in 2018 the Aadhaar data of citizens was being sold online, with almost a billion users affected in just the first few months of 2018. These leaks were a mixture of overt hacks and unprotected servers or leaky government websites. For example, in 2019 the Jharkhand government’s website displayed the Aadhaar details of around 100,000 government workers.

WhatsApp Pegasus: In 2019, it was reported that the Israeli firm NSO Group’s software Pegasus was being used to spy on 19 individuals, including journalists and human rights activists. By hacking into their devices via a simple missed call, the attackers gained complete access to the individuals’ data, including locations and passwords, and even the ability to turn cameras and microphones on.

Healthcare: In 2019, a US cybersecurity firm reported that an unnamed Indian healthcare website was hacked, with the hackers stealing the data of 68 lakh patients and doctors. The stolen information included patient details, patient case history, doctor information, and other personal information.

Credit and debit cards: In October 2019, a Singapore-based cybersecurity firm reported that 13 lakh credit and debit card details had been stolen and were now on sale online. It was reported that these data were likely stolen by placing a magnetic stripe reader in an ATM that copied the information on the user’s card.


Is there privacy on the Internet?
Privacy Policies of Telecom Service Providers


  • Explicitly states that provision of services is contingent upon consent to process data; may contravene PDPB
  • No additional safeguards for sensitive personal data
  • Reserves right to process personal data post-termination of the contract
  • Data retention timelines and anonymization standards are not visible
  • Unclear whether DND SMS stops messages or stops data collection and sharing
  • Does not take consent before sharing data with third parties; may allow them to have lower security standards than itself


  • Notes that Jio, “may not be able to process your request of correction, updation or deletion, in case… it is extremely difficult to implement”. PDPB may not allow for such exemptions.
  • Withdrawal of consent may lead to the cancellation of services.
  • Again, data retention timelines and anonymization standards are not visible.
  • Also, seems to hold its authorized third-party partners to lower standards than itself.
  • The policy lists hacking as a case in which Reliance Jio exempts itself from responsibility for a breach of security. However, the DoT’s user licence agreement also specifies that “The LICENSEE shall be completely and totally responsible for the security of their networks”.
  • Lastly, the ambiguity over whether the DND SMS stops the collection and sharing of data persists here as well.


  • Seems to view the usage of services as equivalent to the provision of consent for the processing of data. May contravene PDPB as consent may not be free or capable of being withdrawn.
  • Does not mention whether the withdrawal for processing certain data is viewed as grounds for termination of services by Vi.
  • Indicates that Vi may collect data about, “preferences for particular products, services or lifestyle activities”.
  • Inclusion of user in any telephone or similar directory following an opt-out model.
  • Sharing of anonymized information with authorized third parties also follows an opt-out model.
  • Yet again, data retention timelines and data anonymization standards are missing.
  • Also does not specify any consent mechanism for sharing data with authorized third parties.
  • The ambiguity of the implications of the DND SMS remains here as well.
  • Vi’s policy too seems to imply that it may allow the security standards of the third parties to be lax.


Image source: Internet Freedom Foundation


Data Privacy In India

The Indian Privacy Code, 2018 builds on an incremental process. It takes its foundation and inspiration from the Privacy (Protection) Bill, 2013, which was drafted over a series of roundtables and inputs conducted by the Centre for Internet and Society, Bangalore. To update it and make its scope comprehensive, the Code has been drafted by distilling 7 privacy principles from various constitutional and expert texts.

7 Principles

Individual rights are at the center of privacy and data protection.

A data protection law must be based on privacy principles.

A strong privacy commission must be created to enforce the privacy principles.

The government should respect user privacy.

A complete privacy code comes with surveillance reform.

The right to information needs to be strengthened and protected.

International protections and harmonization to protect the open internet must be incorporated.


Get the full research study here: Data Privacy – Govind Kumar Batch 6


Disclaimer

This report has been produced by students of Global Risk Management Institute for their own research, classroom discussions and general information purposes only. While care has been taken in gathering the data and preparing the report, the student’s or GRMI does not make any representations or warranties as to its accuracy or completeness and expressly excludes to the maximum extent permitted by law all those that might otherwise be implied. References to the information collected have been given where necessary.

GRMI or its students accepts no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.
