Firms find wealth in your data

Data protection and privacy are the new buzzwords in the corridors of power in India. While a Ministry of Electronics and Technology committee led by retired Supreme Court Justice B N Srikrishna is working on a draft Data Protection Bill, the Telecom Regulatory Authority of India (TRAI) has come out with its own recommendations regarding privacy, security, and ownership of data in the telecom sector.

So much action on paper but what does it mean for the average netizen who clicks away happily on social media, granting numerous permissions and approvals on the way? Metrolife finds out...

How is your data collected?

Every minute you spend online leads to your data being generated, collected and collated somewhere. “There is data that we volunteer. If I create an account for myself on any website I will provide my name, age, banking information and so on,” says Amber Sinha, senior programme manager, Centre for Internet and Society.

“Then there is data which gets collected by telecom companies and companies which provide OTT (Over-The-Top) services, like Google Chrome. Much of this data is collected automatically — my browsing history, what links were open, what ads did I click on in Facebook etc. Most websites use trackers and cookies that continue working in the background. Even when you have closed the link and move on to another website, they still continue to collect data about you,” he adds.

What is the method behind this?

“In order to provide a service, there is some data that they need to collect. For example, a cab aggregator has to get my location in order to connect me to nearest cabs. Yet most companies collect data beyond what might be needed. Suppose you are availing an online service which involves a payment aspect. For authentication, an OTP is sent in the form of a text message. The online services will seek permission to read our messages so that they can automatically pull the OTP, saving us the trouble of having to key it in manually. But the system is designed in such a way that the permission they seek is for my entire message box,” explains Amber.

Why is your data collected?

Macro data is the new gold, we say. “For a company, having access to the data of a customer or a potential customer is valuable. They focus on getting your details (by which I mean more than your phone number and email id; they need your profile so that they can target you better), add you into their database, send you reminders and so on,” explains Kiran Jonnalagadda, co-founder and CTO of ‘HasGeek’.

Who comes into play?

Buying personal details is a common practice among businesses worldwide. “The first party is the only one asking your permission for collecting your data; then more and more organisations buy your data from them. This is widely accepted in the US but it is more underground in India, largely because there are no good laws in this regard. So mostly data is pilfered out of companies,” says Kiran.

Citing an example, he says, “Most big telcos don’t do their field operations themselves, they outsource it to a local party. So the person who comes to install your Airtel or Hathway broadband connection is not from the company. These people have access to your data which is provided by the main company.”

What can you do?

Not much, it turns out. “The IT Act has some provisions but it is mainly at the corporate level. Companies can file complaints against their subsidiaries for data theft but there is not much that you as individuals can do,” says Kiran, adding that most companies struggle with data leaks all the time. This is one of the things that the data protection law will address.

What TRAI said

Individuals users owned their data, or personal information, and entities such as devices were mere custodians and do not have primary rights over that information. If these recommendations are accepted by the government, users will get the power to know what kind of data is being held by each organisation, for what purposes it has been collected, what is it being used for etc.

Data minimisation — only data necessary to deliver a particular service should be collected. There should not be pre-ticked consent boxes.

Users should have the right to remove the information about them that comes in search engine results.

End-user agreements (the ones that we unthinkingly say ‘I agree’ to) should be short, simple and multilingual.

The data protection framework should apply equally to the government and to private entities

What they said

Industry bodies such as Internet and Mobile Association of India and the Indian Cellular Association have criticised TRAI, saying the recommendations were ‘illegal’ and akin to ‘jumping the gun’ ahead of the release of the Srikrishna committee report. Clauses like avoiding use of metadata to identify individuals and data minimisation will be detrimental to building the data business in the country, they said.