Justice for all: Invasion of privacy and grand data theft
“Mobile number?” That’s invariably the first question you are asked in a matter of fact tone at billing counters in most commercial establishments. Never mind if you are not interested in a points tally for some discount or offer. Never mind if you are a young woman and there are shady characters standing within ear shot and the monitor faces others in the queue. Never mind that your number is registered with the Telecom Regulatory Authority of India’s ‘Do Not Disturb’ list and you don’t want to add to those exasperating tele-marketing calls and messages. Never mind that privacy is a fundamental right today, as ruled by the Supreme Court in Justice K.S.Puttasamy (Retd) Vs Union of India and you choose not to part with this personal detail.
A popular sports store in Chennai refused to proceed with billing unless the customer revealed her mobile number. After pointing out that it would be an invasion of her privacy, the salesman insisted on her email ID. The customer had two choices. To either reveal her personal data or to walk out empty-handed after spending more than an hour picking items and trying them on. On escalation with the manager and the social media team, the store dug in its heels and reiterated its stand that a mobile number or email ID are “mandatory” for billing as it helps them in facilitating returns and refunds. Wouldn’t the bill serve that purpose? How outrageous for a company doing business in India to mandate that its customers must give up their privacy in order to buy a product!
A prominent private bank brought a machine to obtain fingerprints of customers at the time of opening savings accounts. When the customers refused and waved the privacy card, they made a climbdown with an “oh it’s optional” line. But the bank insisted on Aadhaar card. How can a practice banned by the highest court of the land be an option?
The devil in most cases is in the software used that has not been changed to keep pace with the recognition of privacy as a guaranteed fundamental right. It appears that systems do not accept a blank field against mobile number. Hence the insistence by the folks at counters. Some bypass the glitch by entering their own mobile numbers when customers refuse to give theirs. At the very least, why can’t the software be updated to accept ‘Privacy Chosen’ as an answer? In other cases, personal data is brazenly sold in the market. Now you know why you would end up with calls from multiple companies when your vehicle insurance is due. Ask them how they got hold of your details, pat comes the reply: “database”, as if your personal information is their fundamental right.
These practices underscore the urgent need for the Personal Data Protection Bill, 2018, to see the light of day. Seeking regulation of the processing of personal data of individuals by both the government and private entities incorporated in India and abroad, the bill makes consent of the individual mandatory. ‘Personal data’ is defined as any information through which an individual can be identified. It also contemplates the setting up of a national-level Data Protection Authority to keep a watch over data fiduciaries.
There is an alarming lack of awareness among stake holders that the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, drawn from Section 43A of the Information Technology Act, 2000, provide for compensation to individuals for a security breach of personal data. A 3-year jail term and a fine of Rs 5 lakh is prescribed for wrongful disclosure of personal data by any person including intermediaries, under Section 72A of the Information Technology Act.
Just as well with the Supreme Court in the Puttaswamy case holding that the privacy of personal data is an “intrinsic element” of the right to privacy, flowing from the Right to Life and Liberty under Article 21 of the Constitution.
It is more than a year since the apex court had struck down Section 57 of the Aadhaar Act, 2016, as ultra vires the Constitution, having failed to meet the three fold test of legality, legitimacy and proprtionality. Although telecom companies are barred from linking Aadhaar numbers with SIM cards and banks also prohibited from doing the same with account numbers, on the ground, this is flouted with impunity. The Srikrishna Committee Report had a separate section on the Right to be Forgotten. However, it’s the legal safeguards on privacy that are forgotten today.
(The writer is an advocate at the Madras high court, columnist and author)