Our guest blogger, Ms. Apurba Kundu, who had earlier blogged on exhaustion
under the Plant Variety Protection Act, now shares her views on the proposed
Privacy Act.
Issues with the Proposed Privacy Legislation
Increased policing on the internet and the ability to trace people have
produced a chorus of calls for privacy legislation. A report on such proposed
legislation, called the Privacy Act, was submitted by Justice A.P. Shah on
October 16, 2012. The expert group led by Justice Shah has identified a set of
recommendations which the government may consider while formulating the
framework for the proposed Privacy Act.
Personal Identifiers or
Personally Identifiable Information (PII) have been discussed at length in the
report. Personal identifiers are essentially a type of personal information,
but unlike intimate information such as ‘sexual orientation’ or annual income,
personal identifiers are intended to uniquely identify an individual and to reveal
any additional information that is attached to the identifier or generated by
the use of the identifier.
Examples of Personal Identifiers in India include the UID number, Personal
Account Number, Passport Number, etc. Vast amounts of information can be
marshaled through the use of these personal identifiers, making it possible to
create complete profiles of individuals and to track them across databases.
Statutes such as the UID Bill, Passport Act, and Income Tax Act do not
specifically relate to personal identifiers, although they make use of such
identifiers. Consequently, although a large number of personal identifiers are
being collected, it is not clear how the information so collected is
preserved.
It would not be far-fetched to
assume that both governmental and private sector organizations could access and
use information directly or indirectly generated by personal identifiers for
multiple purposes without explicit authorization from individuals. As more and
more databases are unified with the UID number, the question of personal
identifiers becomes even more relevant.
In the context of preserving the
integrity of such information, it is relevant to note that Sections 43A and 72A
of the Information Technology Act, 2000 clearly require protection of personal
information which is collected. Thankfully, Section 11 of the RTI Act too
forbids disclosure of information relating to or supplied by a third party
which has been treated as confidential by the third party.
However, the report does not discuss non-PII. Besides the Shah Committee
report on the Privacy Act, even the Approach Paper for legislation on privacy
prepared by Mr. Rahul Matthan, which identifies current challenges posed by
Personal Identifiers or Personally Identifiable Information (PII), does not
mention non-PII.
Protection of non-PII is equally
important since such information can also be used to identify individuals. We
already know that IP addresses can be readily linked to individuals. It is also
possible that information deemed as non-PII at one point in time may assume the
status of PII at a later point in time. An interesting paper titled “The PII
Problem: Privacy and a new concept of personally identifiable information” discusses
the issue of non-PIIs in detail.
As technology develops, the treatment of information as PII or non-PII may
turn on the context of use, and this complicates the issues associated with
distinguishing between PII and non-PII. In the age of behavioral marketing
strategies, the implications of non-PII that can be used to identify a potent
customer base without the knowledge and consent of an individual are huge.
Therefore, it would help to provide for appropriate safeguards in the proposed
Privacy Act for protection and use of non-PII as well.
An interesting study of Netflix movie rentals was done by two computer
scientists, Arvind Narayanan and Vitaly Shmatikov. Netflix had made a
supposedly de-identified database of ratings publicly available as part of a
contest to improve the predictive capabilities of its movie-recommending
software. They found a way to link this data with the movie ratings that
participating individuals gave to films in the Internet Movie Database (IMDB)
and concluded thus:
“Given a user’s public IMDB ratings, which the user
posted voluntarily to selectively reveal some
of his . . . movie likes and dislikes, we discover all the ratings that he entered privately into the Netflix system,
presumably expecting that they will remain private.”
Clearly, non-PII too needs protection. Information obtained through cookies
and secondary sources can easily be matched with registration data, IP
addresses, etc. Whenever a marketing technique makes an individual
identifiable by others and relies on his/her identity, the law should provide
him/her with relief.
There are stereotypes that the Facebook generation is not too concerned about
privacy, but individuals should have legal rights to know what is done with
their PII and non-PII. Addressing non-PII related issues in the Privacy Act
will increase obligations concerning data security, transparency, and data
quality, and rightly so.