Indepth: Data misuse and limitations of the Personal Data Protection Bill 2019
The Personal Data Protection Bill drafted by the panel led by Justice BN Srikrishna, called the Srikrishna Commission, more than a year and a half ago will be tabled in Parliament on December 18, 2019. The original provisions of the Bill focused on two areas of data economy, namely data localisation and ensuring that ‘consent’ was essential for the collection of data.
The Bill defined ‘consent’ as the free, informed, specific and clear acquiescence of the user to have their data collected. Additionally, the user could choose to withdraw consent at any point and have the data deleted on request.
Social media platforms would bear the onus of creating a ‘voluntary verifiable account mechanism’ for every registered user. Most of these players are global organisations that process our user data in servers that are abroad.
If the Parliament passes the Personal Data Protection Bill 2019, it will make India the second country in the world to implement a data protection bill on a national scale, safeguarding the data of a population of at least half a billion users that will comprise the Internet ecosystem in 2019.
Harikrishnan Pillai, Co-Founder & CEO, TheSmallBigIdea, remarked, “Data is the new currency. Anybody with access to the Internet and a few apps could collate data and use it the way they want. People who owned personal data were not liable to safeguard it. Because of this, personal data of a large percentage of the population is out in the market.”
The personal data that Pillai is speaking about refers to any kind of data that relates to you from which you can be identified. Social media, third party apps, and websites that collect your personal data have privacy guidelines are often broad in their scope and can be open to interpretation.
In plain speak, it is saying that your data can be shared with other organisations that might be based overseas and stored out of India. If data is currency, then this is the digital equivalent of laundering data offshore. Even if you pull the data out of the input platform, there is no reason to believe that your data which was shared would also be deleted.
That comes to the second important provision of the Bill, which speaks about data localisation that deals with this issue specifically.
Nihal Nambiar, AVP – Strategic Solutions, iProspect India, explained, “(data localisation) is more of a jurisdictional issue. Servers physically located in the country can be subject to physical scrutiny, if required. But if data is stored abroad, the time required for inter nation legal proceedings is too high. It may not be an entirely preventive measure, but it could help as a deterrent and perhaps post mortem.”
An example of such an ordeal was captured in the Netflix documentary ‘The Great Hack’, where an American professor of digital media and app development sued the British company, Cambridge Analytica, and induced them to give up his political profile.
The same professor in a Business Insider interview on August 2019 went on to say, ‘Quitting your Facebook account doesn’t do anything. You can try to do the work of going your settings and being really hygienic about your data, but it’s only going to reduce the scope of your data leaking all over the place.’
He used Climate Change as a metaphor for the problem faced by the industry, stating that individual action is not enough, we need a collective response.
Many would say that the Personal Data Protection Bill 2019 is a huge win in terms of policy and a welcome reform in the industry. Meanwhile, some would say it doesn’t go far enough to address the problems in the data pipeline.
The Data Pipeline
A data pipeline allows you to consolidate data from multiple and makes it available for analysis and visualisation. The pipeline ensures the efficient flow of data from one location to the other.
Putting it very simply, “Data collection is a very dynamic process that varies from platform to platform. There are three essential parts to it – input, processing and output. The Personal Data Protection Bill will classify inputs into three parts, where they are making sure the input is completely right so that the output is perfect,” explained Shrenik Gandhi, Co-Founder & CEO, White Rivers Media.
Like Gandhi states, the Bill is solely concerned with input data. In every user interaction with a digital interface, some user data is being collected and transported into the data pipeline. Most of this data is harmless and is used to improve the quality of user experience on digital platforms. But with 5,000 such data points, Cambridge Analytica was able to craft highly accurate profiles of half of the citizens in the US and was alleged to have influenced the results of the 2014 elections in favour of current President Donald Trump.
The Bill puts data into three buckets– Critical, General and Sensitive. Data included in the sensitive bracket is financial, health, sexual orientation, biometrics, religious or political beliefs and affiliation, which can only be stored in India. Critical data can be arbitrarily defined by the Government of India and will be stored and processed in India. Whatever data doesn’t fall into these respective buckets will automatically fall into the third bucket – General. Under the current form of the bill, General data doesn’t need to be processed or stored in India.
Praveen Nijhara, CEO, Hansa Research, an organisation that regularly conducts survey, collects consumer data and does market research for their clients, said that data under the purview of ‘Sensitive’ is rarely collected by their organisation. “Sometimes we collect health data if a healthcare client in requesting for it. However, in those cases the data collected under condition of anonymity and cannot be traced back to the user.”
In fact, most of the data collected in the ecosystem is publicly available and would be usable under the current law and guidelines. The other part of the problem is so called ‘informed consent’ that is defined in the Bill. Most users have become habituated to selecting the ‘Agree to Terms and Condition’ checkbox that is a precondition to signing up to any social media service. Not to mention that to sign into most 3rd party apps, you are required to login via your Facebook or Google IDs. The deeply integrated nature of the digital ecosystem means that a simple flaw in the coding architecture can be exploited to great effect.
“The Bill takes into account past malicious data breaches, present GDPR law that is in effect in Europe and keeps in mind that data is the currency of the future. While theoretically it makes a lot of sense to have this law, the real art and fun will be in the execution,” concluded Gandhi.
Is the ball in your court?
“Data can be collected legitimately directly through tools which observe/ measure user actions (analytics), declared data (online surveys, polls, forms) as well as through data brokers. Then there are also illegitimate ways like phishing, Trojan apps, etc.”, said iProspect’s Nihal.
He added, “The vulnerability comes at point of data collection as well as data storage.”
Two important distinctions that the Bill clearly makes are clearly defining the responsibilities of the ‘data principal’ and the ‘data fiduciary’. While the ‘data principal’ or user is required to give his informed consent and withdraw it if necessary. The ‘data fiduciary’ or the entity that processes data will ultimately be responsible for proper handling of the data.
Responsibility and culpability largely lie in the lap of the data fiduciary in case of malpractice. A violation of the provisions of the Bill, a data fiduciary might incur as much as Rs 5 crore or 2 per cent of their global turnover in case of a data breach or minor violation. A major violation constitutes processing and use of data without consent, where the penalty is a hefty Rs 15 crore or 4 per cent of their global turnover.
“Apps and websites who promise to secure data, often fall prey to smarter and more stronger hacking incidents, exposing critical personal data. People who do not understand the modalities of these mediums, end up falling prey to online phishing activities,” said TSBI’s Pillai.
He affirmed, “The challenge with even a part of data being available, with someone with malicious intent, is that they can use those parts to collect more information about you. Access to one door can open access to others.”
When Facebook was testing its ‘View As’ feature, hackers found a vulnerability in the code and were able to siphon off 50 million users’ data. Under the current Bill, that would be considered a minor violation.
What about data brokers?
While Google and Facebook usually make the headlines when it comes to data breaches, there is far more ambiguity in laws regarding ‘Data Brokers’. Who are Data Brokers? Essentially companies that aggregate or buy customer data and monetise it. These entities collect online and offline data from various sources like your social media history, web history, offline and online purchase history and warranty information, credit card information, government records, phone numbers, email addresses, age, gender, income, education and occupation.
Most of this data can be mined legitimately using sophisticated digital tools. Some of it may be obtained illegally by exploiting poor digital infrastructure. Most often these entities sell this data to the highest bidder.
According to TSBI’s Pillai, that data can be misused in a variety of ways:
- Misuse can be something as grave as cleaning up your bank account or tracking your kids’ school in and out time or something more fundamental like not providing services equally.
- Data leaks that are financial in nature are the obvious ones where threat levels are perceived higher. However, it’s the data leak of the ‘softer’ kinds that can create hiccups in your day to day life.
- Data about you can classify you in cohorts. Companies/ Government Agencies can use these cohorts to deliver a relevant message or to discriminate you. For example, if you have friends on social platforms with bad credit score, it might have an impact on the rates that you get from a bank.
- Data about your sexual orientation can deny you a room in a hotel. So, while these need not be considered grave, but it directly clashes with Fundamental Rights of an individual and are early signs of us moving towards a warped new-age discriminatory regime.
“With evolution of behavioural science, it is easy to predict affinities and likelihood of unsuspecting consumers to make choices they would have otherwise not have made,” concluded iProspect’s Nihal.