The government’s demonetisation decision of November 8 has, while kicking off a noisy debate on its disruptive, positive and negative impacts, launched the country on the irreversible path of digital payments as a substitute for cash.

While the pros and cons of demonetisation will be debated for some time, expanding digital transactions in our economy has obvious advantages. However, the creation of the digital payments ecosystem needs to be well-planned, keeping the citizen in mind. Presently, the discussion is predictably centred around devices and infrastructure to expand the reach of the ecosystem nationwide. But there are critical issues relating to the rights, privacy and data security of transactees that must be addressed.

With this push for digital payments, and many of its most important governance reform initiatives such as the banking-for-all Jan Dhan Yojana, Aadhaar and Digital India well underway, the government can no longer ignore these issues. India is among the top five nations most vulnerable to cyber attacks. As government policy and programmes increasingly move to digital platforms, citizens could find themselves vulnerable to data misuse and without any rights to protect that information and data.

In this backdrop, the statement of the government’s lawyer to the Supreme Court in July last year, that privacy is not a fundamental right, is a position that needs to be revisited. The time is ripe for the government to begin the process of architecting a comprehensive privacy and data security framework. With the security and privacy of 1.2 billion citizens at risk, a serious, focused and apolitical discussion on the subject is required. What are the rights of those whose data is held with companies and government departments? Do we have the legal frameworks, resources and infrastructure in place to protect these rights? What are the immediate areas of intervention for the government? I have long argued for a charter of digital rights – a kind of Magna Carta for digital Indians – and it is now time to begin thinking about this seriously.

Legal limitations

The current Information Technology Act, with its limited data protection and privacy-related provisions, does not provide for an all-encompassing, comprehensive legal framework for privacy and data security. There are glaring gaps that must be plugged through such measures:

Expansion of the definition of sensitive personal data under Rule 3 of the Sensitive Personal Data Rules: The categories of sensitive personal information (passwords, financial information, sexual orientation among others) are inadequate. Other categories of information such as mobile big data, machine-to-machine (M2M) data, and user behaviour should also fall in the ambit of sensitive personal data. Emails and chat logs as well as records of internet activity, including online search history, are particularly vulnerable to abuse and misuse.

Government agencies and departments, non-profits must also be accountable to ensure data protection: At present, Section 43A of the Information Technology Act only covers body corporates engaged in “commercial or professional activities”. This excludes from any accountability government agencies such as the Unique Identification Authority of India, which issues Aadhaar numbers, and others that are among the biggest gatherers of data in the country.

Section 72A of the Information Technology Act needs revisiting: Under this section, third parties or intermediaries can only be held liable if it is proved that they made a violation “with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract”. This demands that the petitioner prove not just the violation but also that it resulted in gain or loss. Most data holders invoke this defence to dodge accountability, as shown by two cases reported last year, one involving Airtel and Israel-based Flash Networks and the other related to Mahanagar Telephone Nigam Limited in which the telecom service providers were accused of inserting spy codes in browsers.

Accountability is key

These are just some of the weaknesses in the current Information Technology Act, making a review necessary. Meanwhile, the Supreme Court has constituted a nine-member bench to examine the validity of the assertion that the right to privacy is a constitutional right under Article 21. Regardless of the outcome of that, the government can immediately and urgently review the need for legislation ensuring data security and privacy for citizens.

It is said that data is the new oil. With the push towards e-payments and making India a digital economy, the ramifications for citizens are significant. Most citizens do not know what kind of data is being collected by digital payment portals and apps. The transformation to a digital payments system will involve significant changes in consumer behaviour and habits. In the short term, digital payments will depend on very weakly secured Unstructured Supplementary Service Data (a platform for mobile banking) and public hotspots, given that a large number of Indians are still not connected to the internet. This means that the only way to incentivise merchants, payment gateways and other players in the digital payments ecosystem to be responsible is to ensure a legislative framework that makes them accountable for user data security and privacy. To do this now would be the right thing, rather than wait for a crisis of widespread online fraud and misuse to impact and slow down the move to digital payments.

The writer is a member of Parliament from the Rajya Sabha.