A happy discovery of Indian business and industry is the speed with which customers are willing to adapt to technology. KV Kamath, CEO of India’s second largest bank, says that Internet usage among its customers has shown a dramatic rise from 4% in the year 2000 to nearly 20% in 2006.
While the increase in Internet usage has several positive benefits, including speed of transaction and reduction in costs, there is a price to be paid in terms of increased security threat. The underworld of Net-savvy criminals loves to target financial institutions that have a large customer base in order to maximise the chance of a successful hit. So ICICI Bank, like all large financial organisations, has an entire team working round the clock on Internet security and on catching e-crime early enough to avoid serious damage. From hacking to phishing to cloning ICICI’s website, it has faced it all. Today, its call centre executives are trained to sound an alert as soon as they get three calls with an ‘unusual’ complaint or query. A corollary to such high Internet usage is growing concern about privacy issues and protection from identity theft.
Financial institutions, including banks, credit card companies and insurers, as well as government agencies such as depositories, tax authorities, hospitals, telephone companies and employers now sit on a vast amount of ‘personally identifiable information (PII)’ in digitised form. This information can be easily stolen by hackers, sold and forwarded by delinquent employees or misused by companies as part of their sales strategy. Similarly, databases such as the Credit Information Bureau of India Ltd (Cibil) store credit histories of individuals, which are freely shared among their institutional subscribers. But the individual cannot access, challenge or update the contents. With biometric information beginning to be stored digitally for PAN cards, voter identity cards or for trading on stock exchanges, the danger of identity theft becomes chillingly real and has nightmarish consequences.
The fact that technology makes it so easy to misuse personal information and encroach on a person’s privacy has triggered a debate over whether India’s privacy laws are adequate to protect people. One view is that there are provisions under different statutes, such as the Indian Contract Act, the Indian Penal Code, the IT Act, Consumer Protection Act and Special Relief Act, that deal with protection of the privacy guaranteed under Article 21 of our Constitution. The corporate strategy of articulating and publishing privacy policies or seeking customer approval (usually through a general check-box provision) for any future use of personal information is also considered adequate.
Others, including this writer, believe the right to privacy has to be clearly defined, delineated, protected and codified through statute so that affected individuals are not forced to clutch at inadequate provisions under different laws to prove their privacy has been violated and then hope that a judge or consumer court will concur with their claim. This is especially important with respect to government investigation and enforcement agencies, that already tap telephones with impunity and even intercept personal e-mail communication on the slightest suspicion. While on the one hand it is important that these agencies have quick access to information in times of increased terrorist threats, we need legislation to ensure officials are strictly liable if the information is misused or tampered with for harassment or extortion. We also need protection and proper recourse for victims of identity theft to be able to prove their innocence.
Digital privacy has to be clearly defined and codified so that affected individuals can readily find protection and redress
Would companies really want strict privacy laws? After all, neither government agencies nor private companies would be overly interested in legislation that could lead to higher compliance costs and bigger liabilities. Fortunately, Nasscom (National Association of Software and Service Companies) has opted to take the lead in “evolving a road map and creating an eco-system for privacy discussions in India.” It kicked off the process with a small study to check awareness about privacy issues as well as cultural aspects of privacy in India and followed it with an interesting, if inconclusive, discussion last week with IT experts, technology and e-commerce companies and a cross section of interests from various disciplines, including regulators.
At the end of the animated discussion, it seemed clear that a well-defined privacy law was imperative and overdue. More important, Nasscom is best placed to take the discussion forward because the composition of its membership ensures they are most acutely aware of the dangers and consequences of not having privacy protection. Nasscom will also be able to bring on board the experiences of its members in dealing with privacy legislation in other countries and to point out the lacunae or loopholes that may exist elsewhere.