Data protection regulation must be taken seriously
The risk of social behaviour manipulation, whether for marketing or elections, is just the tip of the iceberg
News of the Washington DC attorney general’s case against Facebook has brought the spectre of Cambridge Analytica back with a bang. The case is not just about the violation of consumer rights by a social media giant, but also about a government executive standing up for the rights of the common man. It reiterates not just the need for protecting personal data but for that need to be filled by government action. For, it is when the “law hangs limp” that breaches flourish.
The saying goes that you become a criminal only when you are caught – the Cambridge Analytica expose is not an isolated incident. It will not be the last such abuse of huge quantities of personal data. The risks of social behaviour manipulation, whether it is for marketing or elections, merely red flags the tip of the proverbial threat iceberg.
While it remains to be proven, the checklist of violations in the US case against Facebook is indicative of what is in store for users of many online platforms – from allegations of misleading privacy settings to indiscriminate sharing of data with third parties and failure to disclose data breach, the list covers them all. The conspectus of the averments primarily brings to the fore the abject absence of choice and consent.
The Cambridge Analytica breach is not contained to either Washington DC, or even just the US. Its tentacles have spread far and wide, encompassing Indians’ personal data within its insidious fold. India’s statistics on data breaches at 52% in the 2018 Thales Data Threat Report- India Edition, is higher than the global average. The stark absence of legal prosecutions against such breaches, is a matter of concern.
India did understand the need for strong data protection laws and planned a standalone enactment in the late 1990s. Instead, a barely discernable and lone provision for data protection was introduced under Section 43 of the Information Technology Act, 2000 (“IT Act”). Commerce substantially dictates evolution of legislations too and data protection is no exception. With India losing a substantial portion of the “business of data” due to its lack of perceptible data protection laws, the stop-gap arrangement, which remains till date was the introduction of two additional provisions under Section.43A and Section.72A of the IT Act, with the former providing civil penalties and the latter, criminal prosecution. The IT Rules for data protection, which were a direct lift from the European Union’s eight data principles under its 1995 directive along with the above provisions, unfortunately did not improve India’s prospects for being tagged a suitable destination for personal data transfers. Post the Justice Puttaswamy v. Union of India privacy judgment and its emphatic declaration of privacy being a fundamental right, there is renewed interest in personal data protection with the individual and not commerce being the focus. Consent by design and emphasis on choice permeates the proposed legislation though there are many concerns in exceptions provided. Inclusion of data localisation in a layered manner is another indication of keeping the focus on user rights. While we await the final draft of the data protection bill and its future, it may be expedient to also take stock of where we stand today and what lies ahead.
There is one commonality in the tepid provisions under the IT Act, 2000 or its slightly stronger siblings under the amended IT Act of 2008 or the Rules framed thereunder – the poor record of enforcement.
India’s record in enforcement of data protection provisions is poor. Strengthening laws is certainly an important first step but the follow through to the last mile is what India needs. The strong position taken by the RBI on data localisation of financial data is a case in point. The deadline imposed by the regulator is long gone and the majors handling the substantial majority of financial transactions did not comply and yet there were no sanctions backing the strong posturing. The message that then goes out, of laws in India, to borrow Justice Krishna Iyer’s words, is that they hang limp and bark but seldom bite.
NS Nappinai is a Supreme Court advocate specialising
in cyber laws The views expressed are personal