Demonetisation: Privacy laws need to be in place before giving the biggest push to digital transactions

By Asheeta Regidi Demonetisation is currently the trending buzzword in India. The recent withdrawal of Rs 500 and Rs 1000 notes has driven most people to cashless transactions in order to get on with their day to day lives. Cashless transactions certainly have their benefits. Apart from sheer convenience, they give the ability to defeat problems like corruption, black money and tax evasion in India. For example, when salary payments in Afghanistan went online in 2009, police officers in Wardak were stunned when their salaries rose by 30 percent. This 30 percent was not a raise, but the portion siphoned off by corrupt senior officials. However, rushing into a cashless society without adequate preparation is very risky. One major issue that arises is the large-scale invasion of people’s privacy that can result from going cashless. This problem can last only so long as India’s privacy laws remain as inadequate as they are. What data is at risk? The obvious result of going cashless is an increase in the use of the smartphone for making transactions. An increasing number of apps that can enable such payments will be downloaded, which includes e-wallet apps, apps with in-built wallets and mobile banking apps. Every use of these apps on the smartphone generates data. To understand what kind of data can be collected, consider a few popular mobile apps: E-wallets E-wallets can enable shopping, bill payments, electricity payments and much more. But this also gives the e-wallet company access to all this data about you. MobiKwik states that it collects transaction details, which can be used and disclosed as per its privacy policy. Paytm installs cookies on your device. It assures customers that the cookies do not collect personal information, but it is unclear what information is collected. Taxi apps The data collected by taxi apps give them the ability to make detailed records of all your travel details. For instance, Ola Cabs, in addition to personal details like credit/debit card information, your name, address, etc., also collects tracking information. This can include date, time, pick-up and drop-off locations, etc., of each ride. Business Apps Many businesses are providing their own apps to ease payments. The lack of cash in India made these a viable option. For example, the Starbucks app allows customers to pay directly using their smartphones. The app, however, stores information such as your name, birthday, address, device information, IP address, your purchases and so on. The collection of this data enables these companies to have detailed records of your every move. When you consider large corporations like Google and Facebook that already have access to and are merging huge volumes of data about you, imagine adding detailed records of your every financial transaction, your every purchase, your every ride. Many apps collect a lot more information than they claim they do, instead of taking data on a need only basis. For example, many apps take permission to access your contact list, your SMSs, your mails and even your media files. All of this data can be collected and stored in the databases of the companies. Privacy policies can change Most such companies which collect data seek it for the purposes like targeted advertising and for improvement of services. However, they can be used for a number of ‘internal’, purposes. Additionally, this data can be disclosed, to the government and to ‘third parties’. Most privacy policies do not guarantee the security of their databases. Still others disclaim liability for the loss of data. Most importantly, these privacy policies can be changed, and without proper notice to their customers. Even deleting their accounts is not an option, since the companies retain the data even after the use of their services is discontinued. Indian laws protect ‘sensitive personal data’ only The problem is that India’s privacy laws do not govern the collection and use of any data other than ‘sensitive personal data’. The Information Technology Sensitive Personal Data Rules, 2011 defines ‘sensitive personal data’ to include specified details like the password, financial information, biometric information and identity related information. This will not protect the vast troves of data in the hands of these companies. As a result, all the data in the possession of these companies will only be as protected as the companies decide they should be. Nor do these rules bind governmental bodies which collect data. The data in possession of the government through the Aadhaar system is, therefore, unprotected. The right to privacy itself, is not a guaranteed fundamental right in India. In fact, on account of several conflicting judgments on this issue, the issue has been referred to the Supreme Court for a final decision, and is currently pending. There has been no known progress in the passing of the Right to Privacy Bill. Prioritise privacy first Digital payments are clearly the future, but this should not be at the cost of the people’s privacy. The lack of privacy with payments, including the lack of faith in the government, was one of the driving factors behind the creation of virtual currencies. The anonymity offered by these currencies made it highly attractive for transactions, both legal and illegal. However, if New York’s BitLicense regulations are anything to go by, virtual currency will soon be so tightly regulated that there will be no difference between them and transactions with normal currency. Technology is a wonderful thing, for the ease and convenience it brings to the people. That very technology should not encourage illegal uses, but neither should it become a means of invading people’s personal lives. The use of regulation to prevent the misuse of money is a good move, but depriving the people of any privacy can also go the wrong way. Before the next step is taken towards a cashless society, the government needs to first ensure privacy. Use the law to allow technology to remain a boon, not a bane. The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.