Hi there!

What a month August has been for Data Privacy – specifically in India!

Privacy took centre-stage when the Hon’ble Supreme Court ruled that Privacy is a Fundamental Right in India – putting to rest years of ambiguity on this issue and paving the way for a firm foundation to be laid for a Digital India. MEITy* served notices to 21 smart phone makers to provide details about the data protection measures taken following fears of Personal Information being stolen. It also started investigations into Alibaba’s UC browser – the second most used browser in India – amidst suspicions of user data being sent to Chinese servers. The TRAI** turned its focus on privacy, bringing out draft guidelines on data privacy and holding an open house on the same. RBI proposed an interesting rights-based privacy framework instead of the prevalent consent-based approach. And, at a more ‘macro’ level, Nandan Nilekani & his associates presented their vision of ‘data democracy’ as India deals with the upcoming unstoppable data deluge.

Meanwhile, the rest of the world has been busy as well. Ahead of Brexit, the UK brought out a ‘statement of intent’ on a new data protection bill and an official policy paper in a bid to ensure free flow of data with the EU. Google rolled out ‘play protect’ for Android to enhance data privacy of mobile apps. Uber succumbed to pressure and rolled back its feature of tracking users even when they are not using its app. Privacy concerns around IOT continue to be top-of-mind with the US GAO bringing out a report on ‘vehicle data privacy’ and the NIST published draft guidelines on IOT privacy and security. Pew did an interesting survey on the future of online trust. And, as always, children and privacy remains critical – an expert shares her view on what she calls ‘sharenting’.

Read on for details… and do send in your comments to privacy@arrka.com


Shivangi Nadkarni

Co-founder & CEO – Arrka Consulting



The #RighttoPrivacy Judgement

The Hon’ble Supreme Court passed its much awaited judgement on Privacy – ruling that Privacy is a Fundamental Right in India. It was a ‘hold-head-high’ moment for India. The 547-pages long judgement is a study in privacy by itself, bringing out the history, the legal developments around the world and examining various contours of privacy in great detail. A ‘must-read’ for any privacy practitioner.

We at Arrka did a blog post on the background and the proceedings of the Supreme Court hearings. You can read it here: http://arrka.com/index.php/2017/08/07/is-privacy-a-fundamental-right-in-india/

We followed this up with a note on the points the judgement brought out in the context of ‘Information privacy’ which may be of relevance to organizations along with some FAQs. You can read that here: http://arrka.com/index.php/2017/08/31/righttoprivacy-implications-for-organizations/

A copy of the full text of the judgement is here: http://www.thehindubusinessline.com/multimedia/archive/03195/Right_to_Privacy___3195287a.pdf


MEITy’s Actions

With fears of stealing of Personal Information like contact lists, photos and messages of Indian users and being sent to other countries – especially China – MEITy served notices to 21 smart phone vendors to detail out their data protection practices. This news item gives details: http://www.newindianexpress.com/business/2017/aug/16/government-puts-mobile-phone-makers-on-notice-over-data-privacy-1644043–1.html

There is also this fear of Indian users’ data being sent to servers in China via Alibaba’s UC Browser, the second most used browser in India (I didn’t know this fact, btw!). Further, the allegation is that the browser continues to retain control over a user’s device even after the browser is deleted. MEITy has launched investigations into this. More details here: http://www.digit.in/internet/uc-browser-under-government-lens-for-leaking-user-data-to-servers-in-china-36704.html


TRAI Rolls Up its Sleeves

TRAI brought out a consultation paper that addresses issues pertaining to data privacy. It is looking at the whole issue from a consumer interest point of view. It also held an open house to discuss the key issues with its stakeholders. The regulator hopes to finalise its recommendations in two months’ time – and says that some of its proposals may serve as inputs to the Justice Srikrishna committee that is working of developing a data protection framework for India. Interested folks can downloaded the paper here: http://www.trai.gov.in/consultation-paper-privacy-security-and-ownership-data-telecom-sector


RBI Gets into the Details

In a report by the RBI’s Household Finance Committee, the RBI has a section dedicated to data protection. In this, it recommends adoption of an alternate framework that is ‘rights-based’ in lieu of the current ‘consent-based’. Stating that with data being collected in all forms at all times, users are facing ‘consent fatigue’ and don’t really understand the privacy terms they are signing up for. In a rights-based approach, users enjoy certain statutory rights over their data and any entity collecting or using their data have to ensure that these rights are not violated by them. In my opinion, this is a good approach for India where a user’s personal information will get safeguarded independent of their actions. Further details are available here: https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=877#AF


‘Data Democracy’ and a ‘Consent-based architecture’

A core group of mainly technologists, led by Nandan Nilekani (before he took over as chairman of Infosys!), presented a vision for India to deal with the deluge of data that is round the corner. Stating that while India will become ‘data rich’ before becoming ‘economically rich’, the current reality favours businesses rather than the individuals whose data they control. Since India is still framing its laws and regulations, the team proposes establishing a ‘data empowerment and protection architecture’ whereby a user sits at the centre and essentially controls – via a consent provider – the flow of data from ‘data producers’ (like telcos, banks, etc – who already have a ton of a user’s personal info) to ‘data consumers’ (who would want to use this data). There is scepticism around the workability of this model. However, it is a very interesting approach and worth looking into. Here are the details: https://aadhaar.foundingfuel.com/article/how-data-is-eating-the-world-and-what-india-needs-to-do



In the UK

As the UK prepares for Brexit, it is trying to address the reality of digital markets. Britain’s data economy has the potential to grow to £240 billion by 2020 while that of the EU could rise to €643 billion – more than 3% of its GDP – in the same time period. Hence the UK is preparing to ensure that it has a robust updated Data Protection law in place as well as a secure data-sharing partnership with the EU – else it could lose out.

In keeping with this, the UK government has published the following:


The ‘Biggies’

Google rolled out ‘Play Protect’, its security certification standard for Android devices and apps, in India. A certification provided to phone manufacturers, it looks at, among many things, the authenticity of pre-loaded apps on devices, protection against malware causing data leaks and theft, identification of intrusive/fake apps and sites on its playstore, etc. Take a look at the program here: https://www.android.com/play-protect/

Uber finally gave in to the wide-spread criticism it has been receiving for tracking users even when they are not using the app and has stopped this practice. Here is one of the many news reports giving details: https://9to5mac.com/2017/08/29/uber-tracking-riders-five-minutes/


Internet of Things

It is the era of ‘connected vehicles’ – where vehicles can collect and share data about where drivers go and how they drive, information that used to be impossible or very difficult to collect. As the number of connected vehicles grows, private companies, including automakers, are considering how to use this data to generate revenue. According to a 2016 industry report, the estimated worldwide revenue from connected vehicle data could add up to between $450 billion and $750 billion by 2030. The concerns around privacy abound in this scenario. The US Government Accountability Office (GAO) recently released a report of a study on Vehicle Data Privacy. Many interesting points there. Take a look: https://www.gao.gov/assets/690/686284.pdf

Meanwhile, the US NIST published new draft guidelines from on IOT security & privacy controls: http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf

Those of you with interest in IOT should keep track and may want to go thru the above documents.


Survey on the ‘Future of Online Trust’

The Pew Research Centre released the results of a very interesting survey they did on the future of ‘online trust’ – how it is expected to evolve, whether it would grow thanks to technology, whether people would just get inured to risk and prefer convenience over privacy, whether the very nature of trust would change, etc. A worthwhile read for anyone in the digital space: http://www.pewinternet.org/2017/08/10/the-fate-of-online-trust-in-the-next-decade/


Children and Privacy

Stacey Steinberg, a law professor at the University of Florida, has made ‘sharenting’ – a term for how parents share details of their children online – her focus of her academic work. While she has published a paper on the topic recently, in this interview she outlines some ‘sharenting’ best practices. A must-read for any parent: https://www.consumerreports.org/privacy/how-to-protect-your-childs-privacy-in-the-era-of-online-sharenting/

*MEITy – Ministry of Electronics and IT, Govt of India

**TRAI – Telecom Regulatory Authority of India