On 18 March 2018, Canadian data consultant Christopher Wylie, during an interview with The Guardian, made public a set of documents describing Cambridge Analytica’s alleged unauthorised possession of personal private data from up to 87 million Facebook user accounts. It was later learned that Cambridge Analytica, a Canadian data analysis company, collected personal data without consent through an online personality quiz conducted on Facebook in 2014. The data were used to build psychological and personality profiles of Facebook users for targeted campaigns during the 2016 US presidential election.
The disclosure of the leak of personal data from Facebook raised global concern about data privacy and triggered a series of investigations and legislative measures by several governments. Since it was formed in 2004, Facebook has been in the limelight not only for its phenomenal growth and worldwide popularity but also for criticism that the platform has been used for stealing personal data and spreading hate speech and fake news. Facebook faced a huge global backlash in the Cambridge Analytica episode. Since then, many other large technology companies have been embroiled in controversies over the alleged misuse of personal data. Here are some examples.
- In 2019, the European Union’s Competition Commission announced an antitrust investigation against Amazon to examine whether the e-commerce giant’s use of sensitive data relating to independent retailers who sell on its marketplace violates EU competition rules. Amazon’s e-commerce platform serves two functions: Amazon sells products as a retailer, and it provides a marketplace for independent retailers to sell products directly to consumers. The e-commerce giant continuously collects data on the activity of independent retailers on its platform and is alleged to have used sensitive information about marketplace sellers, their products and their transactions for its own benefit. The Commission is presently examining whether Amazon’s collection and use of this sensitive data affects competition.
- Since 2010, the European Commission has received several complaints against Google from US and European competitors regarding alleged abuse of its dominance in the search engine domain to give its Google Shopping service an undue advantage over other retailers with the purpose of monopolising the market. Other retailers alleged that Google was downgrading their placement in its search results and thus favouring its own products over those of competitors. The EU launched three separate antitrust investigations into Google for violating EU competition laws. Google has been found guilty of antitrust behaviour in the cases related to Google AdSense and Android and fined over €8 billion, the highest penalty imposed so far by the EU antitrust body. Google appealed against the decision to the Court of Justice of the European Union in October 2018.
- Uber’s God View software, which gave an aerial view of the real-time movement of cars on the Uber platform to assist in real-time tasks, was allegedly used by some employees in 2014 to track the real-time locations of passengers, including politicians and celebrities. In 2017, Uber agreed to settle the accusations brought by the US Federal Trade Commission (FTC). The settlement with the FTC did not require Uber to pay to settle the allegations; however, the company was required to hire an outside firm to audit its privacy practices every two years for the next two decades, and violations of the settlement could lead to financial penalties.
- In July 2019, the FTC announced a record-breaking $5 billion penalty on Facebook, along with some new restrictions, and demanded a more accountable corporate structure to ensure FB users’ privacy. The penalty was for violating a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.
Data privacy and protection
Data privacy and protection has been a topic of heated debate in recent years. People face several confusing situations in the digital era. Take a common occurrence: you get a telephone call from an unknown number, and the caller wants to know who he is talking with. Most of us would first ask the caller to identify himself, because we do not want to share our identification details with a stranger. We are even more protective when sharing our date of birth, health reports or bank account details, as these are considered private and sensitive. Those familiar with the global situation during the Cold War period would recall stories circulating about how spying agencies like the CIA, KGB and MI5 used bizarre methods to extract information about the leader of a rival country. These agencies used to collect the leader’s faeces for laboratory analysis. This unusual method was employed to ascertain the leader’s state of health and also his personality traits.
In the new digitised economy, with the emergence of social media platforms, e-commerce practices, internet banking and online bookings, companies hold sensitive personal information about millions of customers. This makes the issue of data privacy and protection critical, because the more data people have about you, the greater hold they can have on your preferences. Data helps companies to develop new business models and thus enhance revenue. That data is an asset to be protected was perhaps in the back of the mind of Clive Robert Humby, the British data scientist who coined the phrase “data is the new oil” in 2006. Like oil, data needs to be explored, extracted and refined to be turned into an asset. Equally true is that if personal data goes into the wrong hands, it could be misused. In the last 50 years, countries have enacted legislation for the protection of personal data and have also sought to define personal data.
Any information that relates to an identifiable natural person is considered personal data, such as a name, an identification number, location data, or characteristics illustrating the genetic, commercial, cultural or social identity of the person. Sensitive data of an individual are more closely guarded against unauthorised access and misuse. So, what constitutes sensitive personal data? The scope and definition of personal data vary by regulation. In simple terms, information that could help to identify a person’s racial origin, political opinions or religious beliefs, or information such as biometric data, health data and financial information like bank account numbers, is classified as sensitive data. Scanning through the evolution of separate legislation for the protection of different categories of data in the US during 1970-2000 gives a fairly good understanding of what is perceived as sensitive personal data, as given in the table below:
Regulating protection of personal data
Globally, legislatures have framed laws for data protection, defining data processing procedures.
The United States: As yet, the United States does not have any centralised, formal legislation at the federal level regarding data protection. The country follows a sectoral approach to data protection legislation, as given above. In addition to the above list, many US states have passed legislation enforcing the protection of personal data, which experts rate as tougher than the federal laws. The US Federal Trade Commission has been in the news consistently during the last 15 years for its role in enforcing consumer privacy and as the leading protector of the data privacy interests of US citizens, through legal settlements, fines for data breaches and compensation to consumers. The FTC was established in 1914 with the mandate to protect consumers, investors and businesses from anti-competitive practices. It began enforcement of the first federal privacy law, the Fair Credit Reporting Act, in the 1970s.
European Union: The European Parliament approved the new EU General Data Protection Regulation (GDPR) in April 2016, replacing an earlier law from 1995. Experts believe that the GDPR, which came into force across the European Union on 25 May 2018, has set new standards for data privacy and protection. For global companies with a presence in multiple countries, it is convenient that the law applies equally to all 28 member nations of the EU. Compliance with the GDPR requires a wider approach, as the GDPR definition of personal data includes even web data such as IP addresses and RFID tag data. Companies are required to designate a data processing officer (DPO) to oversee compliance. According to a survey, a majority of the US companies located in the EU are planning to invest $1-10 million to address the GDPR requirements and avoid penalties under the law. This is a negligible amount in the light of the penalty for infringements under the GDPR: €20 million or 4% of annual global turnover, whichever is higher. The EU Commission has penalised close to 400 companies so far under the new GDPR, including Google and Facebook for anti-trust behaviour.
Data Protection Initiatives in India
Though India has not yet enacted specific legislation on data protection, it amended the Information Technology Act, 2000 to give a right to compensation for improper disclosure of personal information. In July 2017, however, a nine-judge bench of the Supreme Court of India delivered a landmark judgment in KS Puttaswamy vs Union of India, unanimously ruling that Indians have a constitutionally protected fundamental right to privacy and that this is a natural right. Subsequently, the government appointed a committee of experts on data protection under the chairmanship of Justice BN Srikrishna, which submitted its report in July 2018 along with a draft Data Protection Bill.
On December 11, 2019, the minister of electronics and IT introduced to the Lok Sabha an amended draft of the Personal Data Protection Bill, 2019 (PDP 2019) which, in many respects, resembles the GDPR. However, the proposed law has many additional features which make it “GDPR plus”. For example, in addition to personal data and sensitive personal data, the bill also categorises critical personal data, to be notified by the central government, which may only be processed in a server or data centre located in India. The Bill proposes a data protection authority (DPA) which may take steps to protect the interests of individuals, prevent misuse of personal data and ensure compliance with the law. The PDP 2019 allows the transfer of some personal data outside India, but unlike the GDPR, sensitive personal data can be transferred outside India for processing only if a copy of the data is stored in India. Another difference relates to its jurisdiction.
The PDP Bill’s scope of application extends beyond that of the GDPR, as an entity may fall within scope merely by processing personal data in India, even if it has no establishment in India. Violations of the provisions under the Act will attract a fine of Rs 15 crore or 4% of the annual turnover of the company. The Bill was referred to a Joint Select Committee composed of parliamentarians from both the lower and upper houses for its views. This is a wise move, as the subject matter pertains to the privacy of data of around 500 million internet users currently, and it may help to address some of the concerns raised by stakeholders:
- Exemptions given to the government for processing data without an individual’s consent for reasonable purposes, including the security of the state and the detection of any unlawful activity or fraud, are considered quite open-ended and could be used for surveillance. Moreover, the term “reasonable” is not defined. Such grey areas will be the real test of the even-handedness of the regulating authority.
- A provision in the bill requires social media companies to provide an option for users to voluntarily verify their identities. It is feared that users, in response, may send scanned copies of government-issued IDs to the companies, and that the information contained in the ID may then be used by the intermediaries for profiling and targeting.
- The draft bill proposes setting up a Data Protection Authority (DPA) to oversee the protection of an individual’s data privacy interests; however, the proposed procedure for appointing members of the authority does not give full confidence as regards the independence and effectiveness of the regulator.
- The bill, when enacted, will bring several compliance requirements for companies operating in India which did not exist earlier. The companies will have to restructure their data collection and processing setup, which means additional allocation of budget and manpower, including the appointment of a Data Processing Officer.
- As per the draft bill, a company has to obtain the approval of the DPA for cross-border transfer of personal data, and in the case of transfer of sensitive personal data, a copy of the same has to be retained in India. The stringent condition for localisation of data storage is also being debated. Supporters of data localisation point to economic benefits and easier law enforcement, while critics feel that the extraterritorial application of the proposed law will serve the purpose even if the data is transferred outside India.
The way ahead
Browsing the internet, either for personal purposes or in connection with one’s profession, has become a necessity, and in the process people often end up sharing data with sites belonging to an e-commerce player, a social media platform or an education site. People do it routinely without bothering about the likely implications. Now, with new regulations in place, people have greater control over their personal information. The mechanism will ensure transparency in the activities of the companies collecting data and enhance the awareness of the Data Principal, the natural person to whom the personal data relates, as defined in the PDP Bill. Under the draft bill, promoting awareness and understanding of the risks, rules, safeguards and rights in respect of the protection of personal data among data fiduciaries and data principals is among the functions of the DPA. Accordingly, awareness campaigns regarding the rights of an individual under the law need to be undertaken to check data misuse by companies.
Awareness enhances enforcement and helps change the mindset of people. Regular workshops by companies for their workforce on the latest trends in the data privacy and protection landscape will help avoid breaches of sensitive data and reduce the risk of punitive action. Data privacy and protection need to be taught to school students, along with online crimes such as cyber-attacks, cyber bullying, phishing and hacking, to make the Internet secure for future generations.
(Krishna Kumar Sinha is an industrial policy and FDI expert based in New Delhi. His last assignment was as an industrial adviser in the department of industrial policy and promotion, DIPP, currently known as DPIIT, under the ministry of commerce and industry of the government of India.)