Days after a data breach at Facebook was uncovered, the government is looking into various ways of preventing unauthorised use of digital information, especially for commercial purposes. According to a source in know of the matter, Minister of Law & Justice and Electronics & Information Technology Ravi Shankar Prasad on Thursday held a meeting with senior IT ministry officials to analyse the steps need to be taken for prevention of commercial misuse of user data.
“With a focus on the upcoming elections and potential misuse of data to influence the free choice of voters, the government is looking at ways to protect commercial exploitation of user data. While Facebook may resolve its issues, technology will find another way to do this. Such aspects will be studied by the government and a policy decision will be taken on it,” a senior government official said, adding that Thursday’s meeting was only a preliminary one and that more high-level discussions will be held going ahead.
The official also said that the said policy “may or may not” be a part of the data protection law, which is currently being worked upon by a IT ministry-appointed committee headed by Justice BN Srikrishna. “The data protection law by itself may not address all the issues pertaining to commercial misuse of data,” he said.
Even before the data breach issue with Facebook, several incidents of user data being leaked by telecom company employees — also popularly known as data brokers — have come out where such staffers have sold personal data to commercial entities for marketing purposes. Currently, the Telecom Regulatory Authority of India (Trai) has regulations in place for deal with unsolicited commercial communications, but these norms are limited to messages and communications through phones and other digital platforms are out of its purview.
One of the challenges the government could face towards its attempt to prevent unauthorised use of personal information for commercial purposes is the fact that individuals have a higher ‘publishing power’ than commercial organisations, as pointed out by the Srikrishna committee in its white paper.
“Collection and usage of personal data for personal uses or household purposes is outside the scope of data protection laws in several jurisdictions such as UK, EU and South Africa. It will be difficult to identify processing for personal or household purposes as individuals have more ‘publishing power’ which was earlier available to commercial organisations. The EU has formulated certain criteria to determine whether the processing falls under personal or household purposes. These may be examined further for the purpose of articulating the exemption in law,” it said.