Monday, February 7, 2011
State of Personal Data Privacy of the Indian Citizen
I received an SMS which read “Greetings! U & Ur spouse r eligible for a Free 32” LCD TV* as customers of Holiday and Lifestyle Festival. Pls sms & confirm your Name & Name of Car Owned *(T & C). The SMS is a blatant attempt to harvest demographic details of subscribers for the purpose of creating a phone directory for telemarketers. There are other variants of this SMS which ask for age and gender. Unsuspecting subscribers who respond to this SMS link their name to what was originally a random telephone number helping the SMS originator build a database which would probably be sold for a fee several times over.
Personal Data Privacy is not a high priority issue for Indians. Indians by nature take a genuine interest in the lives of friends, neighbors, colleagues commonly asking questions of personal nature, quite contrary to Western culture. As a consequence this issue does not reflect high on the political agenda hindering the development of a regulatory and legal framework.
The focus on personal privacy is due to the large IT offshore industry which processes personal information of western citizens who require such information to be protected in accordance with laws in their countries. This prompted IT related bodies to build personal data privacy frameworks, lobby to amend the Indian IT ACT to provide legal safeguards which enable such companies enter into specific contracts which include legal penalties for data breaches. But these actions are industry specific and do not extend to the Indian consumer.
Recently personal privacy took a center stage when the personal conversations of a leading industrialist were leaked to the public after his phone conversations with a lobbyist were intercepted as part of an ongoing investigation into a telecom scam. The conversation themselves were private and did not have much relevance to the ongoing investigation but were leaked as part of the hype. The Indian Government is modifying the act to ensure stringent safeguards for phone taps based on directives of the Supreme Court, but the larger issue of personal privacy was not picked upon.
Incessant telemarketing calls and SMS spam have become a gross intrusion in personal space of the average Indian. TRAI (Telecom Regulatory Authority of India) has introduced regulation on SMSes and calls, which restrict the total number of SMSes per sender per day, require identification of promotional SMSes with codes, enforce the registration of telemarketer’s and the mandatory use of a Do Not Disturb list.
In the absence of a proper regulatory and legal framework where penalties can be imposed for non compliance to these regulations, they may be not implemented in spirit. For the government and enterprises dealing with personal data it is the cost of upgrading systems and changing employee awareness in dealing with subscriber data. To a certain extent regulatory frameworks like PCI standards have ensured that credit card data is protected. But that is all.
And for the telecom operators it would result in choking off a handy source of revenue. Therefore it was not surprising that I could not find a link on my service provider’s portal to report the spam even though I had subscribed to the Do Not Disturb Registry. Or that services that prevent telemarketers calling you such as DND list subscription and the introduction of caller tunes to inform callers that you are roaming (the cost of national and international roaming calls are astronomical) are least advertised. The fallout is the increased vulnerability of the Indian consumer to fraudulent messages.
In an Internet world, which now requires some aspects of personal data to be kept secret to prevent spam, scams and other sorts of personal intrusion, the trusting Indians will find themselves increasingly susceptible to cyber crime and identity theft. Large programs like UID and E-governance will not work well if personal data once digitized is not protected properly.
The clear definition of personal data and adherence to certain norms and conditions when corporate and other entities collect, store, process and transmit such data is urgently needed. Quick introduction of a comprehensive data protection act with strict deadlines for implementation is pivotal to ensure that the coop is not bolted once the birds have flown.