An EU GDPR-like framework can answer all data protection & privacy woes in India.

Introduction

With the recent privacy breach involving Cambridge Analytica, which led to the misuse of many Facebook users' data, either by tricking them so that their explicit consent was never taken or by not disclosing the purpose of the data usage or data processing that was to be done, the eyes of many were opened who until now were casually making fun of anyone who talked about privacy policies, best practices, or the awareness that every online user should be given.

Current Scenarios
Until now we have reports that the breach could actually have affected 87 million people and not just 50 million. Along with this, it is noteworthy that this figure accounts mostly for US citizens' data that may have been improperly shared with Cambridge Analytica. So there is still no conclusive evidence about how much of the data of Indian Facebook users was involved.

Government has no clue & perhaps Facebook India takes no responsibility for answering us.
Till now the Government of India has not provided any substantial answer that it may (if any) have got from any entity involved in it, like Facebook India or others. On March 28 it was widely reported that, taking cognisance of the data breach on Facebook by the British political consultancy firm Cambridge Analytica, the Government of India had issued a notice asking for the names of clients who may have misused the data of Indians from the social network. It was said that the Centre had asked six specific questions that were to be answered by 31 March, failing which they could face legal action from the Ministry of Information Technology.

The questions that have been asked are:

One, Whether they have been engaged in any assignment to utilise data of Indians from the above-cited breach?

Two, Who are the entities that have engaged them for the above?

Three, How did they come to be in possession of such data?

Four, Was consent taken from the individuals?

Five, How was such data collected used?

Six, Was there any profiling done on the basis of such data?

Also, the Computer Emergency Response Team (CERT-In) of the Ministry of Information Technology issued a directive to Facebook users not to share their personal information, location, political preferences, or any other personally identifiable information on the social network. It was also said that the notice draws attention to the alleged "serious breach of propriety and misuse of data intended to profile and influence voting behaviour", which includes claims that "elections in India were sought to be influenced through questionable means".

Now the current status

Till now the Government has either not shared in public the answers given to it, or it has not received any answers at all. So was Cambridge Analytica liable to answer to the Government of India in the first place, or should Facebook India have been providing such answers instead? Clearly we can't say conclusively on the legal aspects, but

Now to the present situation
Let us see what the authorities can do to stop such misuse of data; in fact, action against the misuse of any data, offline or online, is warranted. It is also important to mention that the modus operandi of collecting such data could not be online alone; there have to be some local survey agencies or NGOs hired to collect data from people who don't surf online. Even in this case it was reported that Cambridge Analytica may have been using both modes of data collection. It is alleged that CA marketed itself as unique and innovative in its field because it doesn't simply predict users' interests or future behaviours, but also builds psychometric profiles, although it later denied this.

Using profiling to micro-target, manipulate, and persuade individuals is still considered dangerous and a threat to democracy.

Psychometrics is a field of psychology devoted to measuring personality traits, aptitudes, and abilities. Inferring psychometric profiles means learning information about an individual that previously could only be learned through the results of specifically designed tests and questionnaires: how neurotic you are, how open you are to new experiences, or how conscientious you are.

This information is then used to create and manage customised, dynamic marketing or PR campaigns so as to influence people's decisions, even over a short period such as the run-up to an election. This can be done using all the means available to a marketer or PR agency, and can even extend to spreading fake news on social media by creating many fake profiles for that period, or by outsourcing such unethical activities. In the case of fake news, the idea is to bombard users with so much fake, half-correct or twisted news that it traps the user's mind and he or she is unable to see the truth behind it; even if this lasts only for a short period, say until a particular date, it will have served their purpose.

What is generally collected

Data brokers and online marketers all collect or obtain data about individuals (your browsing history, your location data, who your friends are, how frequently you charge your battery, etc.) and then use this data to infer additional, unknown information about you (what you are going to buy next, your likelihood of being female, the chances of you being conservative, your current emotional state, how reliable you are, whether you are heterosexual, etc.).

From a technical perspective, it doesn't matter whether you predict gender, interests, political opinions or personality; the point is that you are using some data to learn additional, unknown information (your sexual orientation, your interests, etc.).

How wide is its spread or areas of influence

Profiling and similar techniques are increasingly used not just to classify and understand people, but also to make decisions that have far-reaching consequences, from credit to housing, welfare and employment. Intelligent CCTV software automatically flags "suspicious behaviour"; profiling is used to check whether potential customers are worthy of loans, and to calculate insurance premiums from risk scores; some research even claims to predict future criminals.

What can be done and why

EU GDPR

Now, the answer to all the privacy-related issues is a comprehensive privacy law like the European Union's General Data Protection Regulation (GDPR). It was adopted by the EU on 27 April 2016. It sets minimum standards for privacy & data protection that have to be followed by any entity that uses the data of European citizens. The GDPR is intended to create a framework or structure within which more detailed rules can be made, or its scope extended, by member states. It is one of the most comprehensive & finest pieces of privacy/data protection law and takes many aspects into consideration. It clearly defines many terms like Data Subject, Consent, Data Controller, Data Processor, Sensitive Personal Data, Personal Data, and the Data Protection Officer whose responsibility it is to manage such data.
Not only this, it clearly defines the duties and rights of everyone in the scheme of things; for larger companies, for example, it is mandatory to have a Data Protection Officer who will be responsible for the handling of such data. It also places accountability on top management, like putting a policy in place.
Its unique, focused approach is to impart transparency and accountability, & to protect the rights of users.

Now let us see some points that must be adopted

Defining key entities & their responsibilities
Data controllers, profiling, personal data, recipients, third parties, consent, sensitive data, the right to recall data or request deletion of data where conditions are breached or the user was misinformed about the purpose of data collection, handling the security of the data, data transfer provisions, and the requirement that an entity must have a legal basis to process data and must define its scope and exceptions.

Now let us first see which laws in India are considered to provide privacy or data protection of some kind. Currently Section 43A and Section 72A of the Information Technology Act 2000, and Article 19 & Article 21 of the Constitution, are quoted by many as the laws serving this purpose.
Let us dissect them & compare them with the EU GDPR.

Because law is not my domain, I will very briefly recall the purposes of these laws that are relevant here:-

Article 19:- deals with the protection of certain rights regarding freedom of speech, etc., and the reasonable restrictions or exceptions wherever applicable.

Article 21:- mainly deals with the right to life, which includes the right to privacy. It is true that our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.

Section 43A of the IT Act:- provides even greater penal consequences for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information by a body corporate. Compensation for the violation of Section 43A can even extend to the tune of Rs. 5 Crores.
Here the interesting things to note are the definitions of A) Sensitive Data & B) Body Corporate.

Section 43A of the Information Technology Act 2008 and the subsequent Rules apply only to a Body Corporate and to digital information. A Body Corporate under the Information Technology Act 2008 is defined as:
"Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities"
This clearly reduces its scope or applicability by limiting it to digital information & body corporates. It may say nothing about data collected in the field or offline by individuals, colleges, groups of students, or other entities that don't fit the Body Corporate definition. Also, government agencies and non-profit organisations are entirely excluded from the ambit of this section. Plus, as mentioned previously, publicly available information is also exempted.

Rule 3 of these Draft Rules designates the following types of information as 'sensitive personal information':

a) password;
b) user details as provided at the time of registration or thereafter;
c) information related to financial information such as bank account / credit card / debit card / other payment instrument details of the users;
d) sexual orientation;
e) physiological and mental health condition;
f) medical records and history;
g) biometric information;
h) call data records;
i) any detail relating to the above clauses as provided to a body corporate for providing a service; and
j) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

This however, does not apply to “any information that is freely available or accessible in public domain or accessible under the Right to Information Act, 2005”.

They, and "any person" holding sensitive personal information, are forbidden from "keeping that information for longer than is required for the purposes for which the information may lawfully be used".

Section 72A of the IT Act:- deals with personal information and provides punishment for disclosure of information in breach of a lawful contract or without the information provider's consent. It is to be noted that even data which is outsourced to India gets protection under this section. However, when data is sent outside the territory of India, one cannot seek protection under this section. India has no jurisdiction in such cases, and there is no obligation cast on the countries to which India sends sensitive personal information for processing to have an equally stringent data protection mechanism. The punishment provided for such disclosure of information in breach of a lawful contract is imprisonment of up to three years, or a fine of up to Rs. 5 lakhs, or both.

Clearly, here the EU GDPR steps ahead in scope:-

Firstly, see how it defines personal data. Its Article 4 states that 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Interestingly, this definition will incorporate all data, or means of data collection, which can be used to build an identifiable profile of visitors or users, like browsing patterns, key typing speeds or styles, or advanced techniques like device fingerprinting, machine fingerprinting or browser fingerprinting, which are covert ways of tracking users or visitors and thereby interfere with user privacy, as consent is mostly not taken.

Secondly, the EU GDPR has strengthened the previous directive by allowing the right to be forgotten for the owners of personal data, who can request the deletion of their data by organisations, including data published on the web. The EU GDPR states that "the controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay."
This is different, or I would say much broader, and gives more power to end users. For example, Indian IT law defines that a user can recall consent or take back consent for any future dealings, but the EU GDPR forces an organisation to maintain a record of what is collected with consent &, if the user demands it, the organisation has to delete all records taken until then within a reasonable time, subject to exceptions.

Thirdly, the EU GDPR reaches beyond EU companies: it covers companies outside the EU that offer goods or services to EU data subjects ("an identified or identifiable person to whom the 'personal data' relates"), even if for free, or that monitor the data subjects' behaviour within the EU.
In contrast, our IT Act clearly washes its hands of such provisions by stating that this is outside its jurisdiction. So, the organisations that need to be EU GDPR compliant are:

(i) Companies (controllers and processors) established in the EU, regardless of whether or not the processing takes place within the EU.
(ii) Companies (controllers and processors) not established in the EU that offer goods or services within the EU or to EU individuals.

Fourthly, each entity involved in this whole chain of collection, processing, transfer, management, removal, etc. is very well defined in the EU GDPR.

Fifth, sensitive data includes
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. Interestingly, all economic data comes under personal data. However, Recital 10 of the Regulation provides a margin of manoeuvre for member states to specify their own rules, including for the processing of special categories of personal data ('sensitive data'). But the EU covers financial transaction data through other standards like PCI DSS (Payment Card Industry Data Security Standard) & others. Sensitive information can't be put anywhere in the public domain; otherwise it is no longer considered sensitive, or it falls under a defined exception.

Now let us see how the EU GDPR is a more comprehensive framework that places a minimum structure on every organisation, with the aim of promoting standardisation, accountability & transparency regarding the usage and storage of data, & protecting the rights of end users and their data. We will only try to point out the basic advantages, or the points where it covers important areas which were left out by the Indian laws quoted above.

The EU GDPR clearly defines who will collect the data in the first place & for what purpose that entity will collect it, including its legal basis, which must be clearly stated; how it will be collected, kept & processed if need be; how users' rights are preserved; how security should be handled; how consent is to be taken wherever necessary; etc. It lays down detailed responsibilities for the actors within the whole process or system. Its scope covers all third parties, even in foreign countries, if they use EU citizens' data.
It also defines what exceptions or relaxations can be given or granted.

It defines how an entity can outsource this function to external or third parties, and how it will have to maintain records & preserve the integrity, security & privacy of the data. Data cannot be used for a purpose other than the one the user earlier consented to.

The principle here is to collect the minimum data required for the stated purpose, and to process it only if it serves some legal purpose.

It has also categorised the difference between personal data & sensitive data.

Another stark distinction from the current Section 43A of the IT Act is that it covers not only online data; it is also mandatory for offline data collection, even for the records a private organisation keeps of its employees. So it is a very well-defined framework: it has 99 articles & covers most aspects needed to provide a minimum standard for privacy or data protection. The law makers of the EU GDPR have therefore left it open for the respective states to increase its length or breadth, widen it, or extend its scope wherever required.

Even Facebook CEO Mark Zuckerberg took an apologetic tone in a call with reporters weeks after the Cambridge Analytica debacle, which has put a new level of pressure on the social media giant.

“We didn’t think about how people could use these tools for harm as well,” Zuckerberg said.

The call, which lasted nearly an hour, came just after the company’s chief technology officer issued a lengthy statement outlining numerous changes the company is making in the name of privacy and information security. Facebook is also updating its privacy policy.

Notably, Zuckerberg said that Facebook will voluntarily implement the European Union’s new privacy rules, known as the GDPR, which take effect in May 2018. “We’re going to make all the same controls and settings available everywhere, not just in Europe,” he said.

Clearly, the EU GDPR is a more up-to-date, modern law for data protection & privacy, which better adjusts itself to modern times to address all such issues arising out of the modern use of technology & a globalised world.

I conclude here by saying that we in India need to frame a similar, or even more stringent, comprehensive data protection law & framework for all our future needs. This also includes separate Data Protection Authorities, etc. I hope good sense prevails &, as some reports suggest, that this law is being drafted by experts and a draft will soon appear in public or in parliament.

Bibliography:-

https://www.i-scoop.eu/gdpr/#EU_GDPR_compliance_from_the_information_management_perspective

https://www.worldfinance.com/strategy/top-five-impacts-of-gdpr-on-the-european-financial-services-industry

https://www.syntec.co.uk/blog/pci-compliance-can-help-achieve-gdpr-compliance/

https://www.linkedin.com/pulse/credit-cards-sensitive-data-under-gdpr-martin-o-dwyer

http://www.privacy-regulation.eu/en/

https://www.eugdpr.org/article-summaries.html

https://arstechnica.com/tech-policy/2018/04/ceo-says-facebook-will-impose-new-eu-privacy-rules-everywhere/

https://swarajyamag.com/insta/modi-sarkar-issues-notice-to-cambridge-analytica-asks-who-used-their-services

https://www.news18.com/news/india/right-to-privacy-data-protection-laws-in-india-1500047.html

https://indiancaselaws.wordpress.com/2014/08/05/data-protection-information-security-in-india/

https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules

https://www.lawnotes.in/Article_19_of_Constitution_of_India

https://www.lawctopus.com/academike/article-21-of-the-constitution-of-india-right-to-life-and-personal-liberty/

https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy

http://www.mondaq.com/india/x/133160/Privacy/Data+Protection+Laws+In+India

http://www.crystalonnet.com/services/governance-risk-and-compliance-services/it-act-43a-consulting

https://www.helpnetsecurity.com/2018/04/06/facebook-search-data-scraping/

http://www.business-standard.com/article/finance/rbi-financial-data-storage-circular-to-affect-global-firms-the-most-118040601328_1.html

https://advisera.com