With increasing emphasis on digitisation and digital payments, the need for a strong privacy and data security law becomes more urgent. In Making the case for privacy for the poor (CGAP, 15th November 2016), David Medine laid out the way forward: a key first step is getting feedback from consumers about their personal preferences regarding privacy. At the same time, all stakeholders must be brought together – including providers, regulators, policy makers and investors – to discuss solutions. The questions to address include: What personal information is needed to offer products and to be profitable while still providing privacy protections? How can consumer trust regarding use of their personal information be established and preserved? What information should be permissible to use for data mining and cross-marketing? How beneficial are marketing uses of this information for the poor? How can consumers be made aware of secondary uses of their information and perhaps be given the opportunity to opt-out or opt-in to such uses?
Inadequate data privacy can lead to identity theft, exclusion, fraud, etc. The biggest risk of not providing adequate safeguards is that if and when customers who are using formal systems for the first time experience specific harms or losses due to poor data privacy and protection, they may turn away from formal finance altogether.
India has few safeguards in place, and enforcement of the law is a serious concern. Nevertheless, it is time that the dialogue on safeguards is stepped up to raise awareness amongst service providers and consumers and to get the right structure in place to protect customers and strengthen the financial system.
As per a report in the Mint, 23rd December 2016, the government is working on a legal framework that will define the liabilities and obligations of payment companies. Ms Aruna Sundararajan, secretary in the ministry of electronics and information technology, was quoted as follows: The government was examining if the IT Act, 2000 needs to be amended to address five key issues. “First, what should be the security framework for any kind of digital payments? Two, the standards and liabilities of the service provider. Third, data privacy and confidentiality. Fourth, storage and access of data. And if someone fails to comply, what penalty should apply, especially where details of millions of citizens (are involved),”
Vrinda Bhandari and Renuka Sane set out five key design elements for India's privacy law (Mint, 9th February 2017):
a) the law should require data collectors to specify the purpose of data collection at the outset, and users should be provided with an opt-out clause, so that they can withdraw their consent for the data collection;
b) the law needs to focus on use limitation (how data controllers can use the information collected about their users), putting the ultimate onus on the entities that collect and control data. This also involves devising rules of proportionality and the narrow tailoring of exceptions that will govern the balancing of competing interests;
c) a law having an impact on privacy must focus on the sharing and transfer of data. Currently, there is no regulatory framework in place to control how data is shared by the data controller with third parties, much less any consideration of the different standards that govern the sharing of information with governmental and non-governmental entities, both within India and abroad;
d) the design of the law should recognize the rights of users. Guidance can be taken from the EU framework by recognizing the rights to data quality (ensuring accuracy of personal data by allowing individuals access and correction rights); data integrity (ensuring security of data); data-breach notification (requiring users to be informed of any privacy-related breaches); and data portability (allowing users to transmit their personal data across service providers);
e) providing for supervision and redress mechanisms in the law.