The recent privacy breach involving Cambridge Analytica led to the misuse of many Facebook users’ data: users were tricked, their explicit consent was not taken, and the purpose for which their data would be used or processed was not disclosed to them. This opened the eyes of many.
Reports now say that the breach could actually have affected 87 million people, not just 50 million. It is also noteworthy that this figure accounts mostly for the data of US citizens that may have been improperly shared with Cambridge Analytica, so there is still no conclusive evidence about how much data of Indian Facebook users was involved.
The Government has no clue, and perhaps Facebook India also has not taken any responsibility for answering us. Till now the Government of India has not provided any substantial answer that it may have received (if any) from any entity involved, such as Facebook India or others. On March 28 it was widely reported that, taking cognisance of the data breach on Facebook by the British political consultancy firm Cambridge Analytica, the Government of India had issued a notice asking for the names of clients who may have misused the data of Indians from the social network. It was said that the Centre had asked six specific questions that were to be answered by 31 March, failing which they could face legal action from the Ministry of Information Technology.
In the present situation, let us see what the authorities can do to stop such misuse of data; in fact, action against the misuse of any data, whether offline or online, is warranted. It is also important to mention that the modus operandi for collecting such data need not be online alone: local survey agencies or NGOs have to be hired to collect data from people who do not go online. Even in this case it was reported that Cambridge Analytica may have been using both modes of data collection. It is alleged that CA markets itself as unique and innovative in its field because it does not simply predict users’ interests or future behaviours, but also builds psychometric profiles, although the company later denied this.
The collected information is then used to create and manage customised, dynamic marketing or PR campaigns so as to influence people’s decisions, even over a short run such as the period near an election. This can be done using all the means available to marketers or PR managers, which can even include the option of spreading fake news on social media by creating many fake profiles for that period, or outsourcing such unethical activities. In the case of fake news, the idea is to bombard users with so much fake, half-correct or twisted news that it traps the user’s mind and he or she is unable to see the truth behind it; even if this only works for a short run, say until a particular time period, it will serve their purpose.
Using profiling to micro-target, manipulate and persuade individuals is still considered dangerous and a threat to democracy.
From a technical perspective, it does not matter whether you predict gender, interests, political opinions or personality; the point is that you are using some data to learn additional, unknown information (your sexual orientation, your interests, etc.).
It is worth mentioning that profiling is not bad in itself; it is the purpose that defines its role as good or bad. For example, it is used in other areas as well, such as making decisions that have far-reaching consequences, from credit to housing, welfare and employment. Intelligent CCTV software automatically flags “suspicious behaviour”, potential customers are checked for whether they are worthy of loans, insurance risks are scored to calculate premiums, and some research even claims to predict future criminals.
In my opinion the answer to all the privacy-related issues is a comprehensive privacy law like the European Union’s General Data Protection Regulation (GDPR). It was adopted by the EU on 27 April 2016. It sets minimum standards for privacy and data protection that have to be followed by any entity that uses the data of European citizens.
GDPR is intended to create a framework within which more detailed rules can be made, or its scope extended, by member states. It clearly defines every entity, their roles and the relevant terms, and it clearly defines the duties and rights of everyone in the scheme of things; for example, for larger companies it is mandatory to have a Data Protection Officer who is responsible for the handling of such data, and top management is made accountable, for instance for putting a policy in place.
Its unique, focused approach is to impart transparency and accountability and to protect the rights of users.
Now let us first see which laws in India are considered to provide privacy or data protection of some kind. Currently Section 43A and Section 72A of the Information Technology Act 2000, together with Article 19 and Article 21, are quoted by many as the laws serving this purpose. Let me point out briefly how the EU GDPR is a better and more complete framework. Due to space limitations I am not presenting my detailed analysis here; anyone interested in a more detailed analysis can find it on my personal blog.
The EU GDPR is way ahead in its scope. Following are some key points:
Firstly, it defines personal data. Article 4 states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Interestingly, this definition will incorporate all data, or means of data collection, which can be used to build an identifiable profile of visitors or users, such as browsing patterns, or advanced techniques like device fingerprinting, machine fingerprinting or browser fingerprinting, which are covert ways of tracking users or visitors and thereby interfere with user privacy, as consent is mostly not taken.
Secondly, the EU GDPR has strengthened the previous directive by giving the owners of personal data the right to be forgotten and to request the deletion of their data by organisations, including data published on the web. The EU GDPR states that “the controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.”
This is different, or I would say much broader, and gives more powers to end users. For example, Indian IT law provides that a user can recall or withdraw consent for any future dealings, but the EU GDPR forces an organisation to maintain a record of what has been collected with consent, and if the user demands it, the organisation has to delete all the records it has taken within a reasonable time, subject to exceptions.
Thirdly, the EU GDPR reaches beyond EU companies: it covers companies outside the EU that offer goods or services to EU data subjects (“an identified or identifiable person to whom the ‘personal data’ relates”), even if for free, or that monitor the data subjects’ behaviour within the EU.
In contrast, our IT Act clearly washes its hands of such provisions by stating that this is outside its jurisdiction. So, the organisations that need to be EU GDPR compliant are:
(i) Companies (controllers and processors) established in the EU, regardless of whether or not the processing takes place within the EU.
(ii) Companies (controllers and processors) not established in the EU offering goods or services within the EU or to EU individuals.
Fourthly, every entity involved in the whole chain of collection, processing, transfer, management, removal, etc. is very well defined in the EU GDPR.
Fifth, sensitive data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Interestingly, all economic data comes under personal data. However, Recital 10 of the Regulation provides a margin of manoeuvre for Member States to specify their own rules, including for the processing of special categories of personal data (‘sensitive data’). The EU covers financial transaction data by other standards, such as PCI DSS (Payment Card Industry Data Security Standard) and others. Sensitive information cannot be put anywhere in the public domain; if it is, it is no longer considered sensitive, or it falls under one of the defined exceptions.
Notably, Zuckerberg recently said that Facebook will voluntarily implement the European Union’s new privacy rules, known as the GDPR, which take effect in May 2018. “We’re going to make all the same controls and settings available everywhere, not just in Europe,” he said.
Clearly the EU GDPR is a more up-to-date, modern law for data protection and privacy, which adjusts itself better to modern times to address all such issues arising out of the modern use of technology and a globalised world.
I conclude by saying that we in India need to frame similar or more stringent comprehensive data protection laws and a framework for all our future needs. This also includes separate Data Protection Authorities, etc. I hope good sense prevails; as some reports suggest, this law is being drafted by experts and soon a draft will appear in public or in parliament.