“Right To Know” is a Right to be protected under the proposed Data Protection Act

As we enter the final stages of public consultation on the drafting of the new Data Protection Act of India following the release of the White Paper by the Justice Srikrishna Committee, one aspect of the law that needs attention is the “Right to Know” of an individual which often conflicts with the” Right to Privacy” of another individual.

Right To Know is a different concept

“Right to Know”  is a concept that GDPR also has ignored and there is an opportunity for India to introduce this concept into the discussions of Privacy.

Let me explain with an example why this concept is different from other known concepts including “Right to Information”.

When some body calls us on a phone, the first question we would like to know is “Who is calling?”. If the other person says, sorry, I value my privacy and would not like to reveal my identity or I would like to talk  under a pseudonomous name, the question arises as to whether this is a valid Privacy argument or not.

Similarly, when I receive an e-mail from some body who says he is Jignesh420@gmail.com, I have the right to know whether he is really somebody I know or not. I donot trust the display name since I know that Google does not do a KYC before allocating the user name. I therefore donot know if the e-mail is a “Spam”, is an attempt to “Impersonate” or is an attempt to commit a fraud on me. If I want to know more about the person, I need to know his IP address.

However, Google in its misdirected concept of Privacy hides the IP address with a proxy address from Google which cannot be deciphered without the intervention of law and takes too much of time and effort and often bribing of the law enforcement personnel just to send a notice to Gmail administration.

I therefore ask a question to the law makers,

Do I not have a right to know the true IP address of the person who has sent me an e-mail?

If Privacy activists want the IP address to be hidden in the email while it is in transit, I demand that Google should introduce a procedure by which every recipient of an e-mail should be able to raise a one click query to know the IP address from which an E-Mail has been sent to him and Google should automatically provide the information.

Similarly, any ISP should also provide the last mile resolution of the IP address to any person who can prove that he has been in receipt of a communication from such IP address.

This is what I consider as the “Right to Know” and it extends to the Facebook and Twitter accounts as well as social media such as the Whats App.

If “Right to Know” is upheld as a Right of an individual, it does not conflict with the right to privacy of an individual except that such right stops at the door steps of the rights of the receiver of a communication. On the other hand it provides a new right to the recipient of an electronic communication just like the “Right to Speech” co-exists with the Right of Privacy in law.

This “Right to Know the IP address” extends to other instances such as

a) Right to Know the identity of a Domain Name Registrant

b) Right to know the identity of the owner of a Telephone number or Mobile Number from which the recipient has received at least one call or is reasonably suspected to have been used for the commission of an offence.

…. and may be for other instances as well to be  defined just like the multiple parameters we may use for classifying “Sensitive Personal Information” under the law.

Aadhaar has recently introduced a link on its site to provide information on Aadhaar usage history of a person which is a great measure towards transparency. But the information provided is on the basis of a transaction code that cannot make any sense to the Aadhaar user. It has to provide the name of the entity that made the query either directly on the website itself or through a link for which there can be a second OTP authentication. This falls under the “Right to Know”.

The procedure for extracting the information in the above cases must be simple and nothing more than

a) Identification of the person who is making the request with something like the digital signature or Aadhaar

b) Statement of the suspected contravention of law or proof of being a recipient of an attempted communication

c) A commitment not to misuse the information for any purpose other than the stated purpose with an undertaking to be liable for consequences of misuse

I request Justice Srikrishna Committee to consider this suggestion and incorporate it into its recommendations.

(Comments Invited)

Naavi

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.