Report of Chai-pe-Charcha meet held under the auspices of IndiaWatch / Cyber Frat – Mumbai / Cyber Peace Foundation on Aug 27, 2017 in Mumbai
Topic of the day:
“Privacy from national, personal and business perspective; and fallout”
38 people registered and 10 attended: Gaurav Batra, Dinesh Bareja, Manasdeep, Smith Gonsalves, Satish Kulkarni, Prem Gurnani, Ajay Bhayani, Ashwin Chaudhary, Arnold D’Silva, Hrushikesh Panigrahi, Kuldeep Pawar, Aman Kumar, Pravir Kumar Sinha (on FB Live)
The event was broadcast live on Facebook but I don’t think that the broadcast was of good quality, as the voice was not too clear and the broadcast was from only one angle (the camera was static). We hope to do better the next time and come to a point where anyone can participate in the discussions, remotely too. Pravir Kumar was online!
It was the first day of Ganpati and not many could make it to the meeting. However, we did manage a decent crowd comprising regulars as well as some first-timers.
The following points came up in the discussion:
The Supreme Court judgment is welcome and the primary concern was how this will be converted into deployment. We, as a people, have a loose definition (or understanding) of privacy – we do not demonstrate much respect for privacy and we need to imbibe this into our culture. How much this will be respected as a law is also a concern in view of our casual attitude towards rules and regulations (for example, even with strict laws for traffic, along with police oversight, we break rules and have a casual attitude). Most importantly, a Data Protection Law is needed and is long overdue before we start understanding Privacy.
Now we need to think about deployment of the judgment and this will be a challenge for all (government, business and citizens). While the government and business seem to be concerned about compliance with GDPR we have to also think about the challenges up ahead for the national right to privacy.
Another point which came up is the observation that there is no global organization for privacy, and that there should be a global level benchmark. In India there is no privacy hygiene; however, it was also pointed out that India still has to accept the concept of cyber hygiene and now there is the additional “burden” of privacy hygiene. Additionally, the government must bring about awareness among citizens about the concept of privacy and how to live with it and protect themselves.
As said earlier, it is now a wait and watch period to see how this comes into practice and how the term “reasonable restrictions” will be defined. Most importantly, privacy is not yet defined and this has to be done – whether the Hon’ble Supreme Court or the government will define it remains to be seen.
The discussions shifted to Aadhaar – there is a lot they have to do to be privacy compliant. Aadhaar was to respond with a yes/no to queries for identity verification, but it is responding with full details of the Aadhaar holder. Then there can be no check on the use / misuse of this data once it is captured by the vendor, or the vendor can be hacked. The example is the Jio data breach. We got to learn that the Aadhaar database was designed with security in mind by TCS and that the Jio breach was due to shared credentials which were misused by the hacker who was arrested.
In both cases, we should not be worried as data is safe!
There are many areas which the government must look at immediately – data being sent out by credit card companies, credit rating agencies have opaque policies, medical information is not secured, etc. In short, across the board, data controls are required. There has to be a high level of awareness and respect for personal information by companies, govt entities, and individuals.
A privacy law is required and it should define privacy, what is my right, what is the penalty / legal recourse in event of a breach, what is the expectation from data collectors, and the concepts of privacy safeguards like consent, etc.
To sum up concerns: there is no official definition of privacy and this must be provided by government asap, along with their point of view on reasonable restrictions; we have zero awareness of privacy at all levels and have to start from scratch; concept of privacy and respect for the same should be taught from school level; there is no law for obtaining information from children and this must be enforced to include parental consent; CCTV, smart devices, smart cities are coming up and it seems there is low level of consideration for privacy and data protection; new laws for data protection, disclosure and privacy must be promulgated asap; Aadhaar must ensure privacy and stop the practice of providing full information.
Some suggestions (in conclusion): bring in citizen awareness of privacy from birth and have strict guidelines and penalties; define privacy clearly with enforcement mechanism; CERT-IN should actively increase their involvement to communicate and adopt global practices in view of the judgment.