• 5

  • Likes

Public perception and public discourse on data privacy and protection have changed drastically all around the world. People are now apprehensive about sharing information on social media and other platforms. The New York Times, alongside The Guardian and The Observer, recently reported that Cambridge Analytica stole personal data of millions of Facebook users to use for clickbaiting. This information has taken the US by storm and many people called for deleting Facebook. The public debate on data privacy and protection reached its peak in India after the landmark Puttaswamy judgment by Supreme Court (2017).[1] However, it is important to understand how and why such personal data exploitation happens, the consequences of a data privacy law, and what we can learn from such laws in other countries.

There have been major breaches of trust by technological companies in recent times. The activity-tracking application Strava accidentally revealed the locations of secret military bases through its data-populated heat maps. The dating platform Grindr shared its users’ HIV status with third parties. India's giant one billion public database of Aadhaar has been repeatedly hacked. Recently, European Union has questioned Google for demanding Android smart phone manufacturers to install the Google app along with its search option.

The data privacy debate is mostly about ignorance of the users with regard to compilation and sale of their personal data. The terms and conditions are too long to read and users just sign them agreeing with many questionable clauses. The hype around social media platforms instills a fear of being left out among users, not to miss the personal and professional updates posted by their colleagues, family and friends. It is not easy to abandon social media because of the networks and connections, as well as the addiction. When it comes to other websites like Google or Amazon, their usage is linked across services through browser cookies and cross-device tracking. Every click is saved by the service providers to sell the products based on user’s usage patterns, often without the users being aware of it. 

The revenue model of platforms like Google, Twitter, and Facebook gives free service to users in return for their personal data. The service providers (mis)use the data in various ways. One, private data is used for targeted advertisements of products and services. This raises serious privacy concerns. Yet this is the least pernicious way of using data and one can always choose to not to view those advertisements. An example of the same is the Netflix recommendation engines. Two, private data can be unethically used as secondary data for analysis of market trends and forecasts. Three, private data of likes, posts, comments, and clicks are sold to third parties. Cambridge Analytica obtained raw private data of millions of users without many of them knowing about it. Since the users did not consent to share their data with the third party, this is classified as a criminal offense.

There are also security concerns with networked and borderless nature of present technology. Since most of these technology companies are based in the USA, the data of users is stored in the servers located in the USA. Currently, Indian law enforcement agencies require approval from the department of justice in Washington, DC, Federal Courts in the US, and the Federal Bureau of Investigation for accessing data of users in those social media platforms. Because of these reasons, Chinese government has regulated the popular platforms like Facebook, Twitter, WhatsApp, etc. and favours Chinese counterparts like WeChat. A possible solution could be to mandate the tech companies to have their data server that contains Indian users’ information in India itself. This will be not a logistical issue because there are approximately 500 million Internet users in India. 

Given that every possible industry from retail and automotive to finance and healthcare uses data driven technologies, the need for clearly defined data privacy laws is very pertinent. Among the privacy laws around the world, General Data Protection Regulation (GDPR) of European Union stands out among others as the most recent and stringent data protection or privacy law. GDPR that will come into effect from May 25, 2018, is a game changer and it gives more power to consumers. It ensures that consumers know, understand, and consent to the data collected about them. It clearly defines personal data as something that can be used to identify either directly or indirectly, such as name, phone number, email address, place of birth and even one’s IP address. It gives the right to be forgotten, which obliges the controller of data to erase personal data without undue delay. The controller also needs to ask for content in an intelligible and easily accessible form, using clear and plain language. This mandates the terms and conditions agreements to be simple and ensures that consent given by the user is an informed decision. Consumers will also obtain the rights to access what data companies store about them, to correct inaccurate information, and to limit the use of decisions made by algorithms, among others. It also ensures that data are only collected for specified, explicit and legitimate purposes, are accurate and up-to-date, and not kept for longer than necessary.

In India, the privacy laws are still at primary stage and general public are not much aware of them. A study titled Connected Life conducted by Kantar TNS in 2017 showed that only 26% of consumers in India have concerns about their personal data, compared to 40% globally. Around 39% of consumers in India trust social media platforms compared to 32% globally. Thus, the privacy debate has not evolved here as much as in European countries. Privacy laws in India do not define personal data. The only recognizable legislation for protecting data in India is Information Technology Act, 2000. It talks about hacking and tampering of computer sources and penalizes unlawful access to data. It basically forbids corporate bodies to share and leak sensitive information, but it does not set any security standards for other kinds of data. Even the definition of sensitive information is limited to data like passwords, financial records, medical records, and biometric information. It also gives guidelines to corporate bodies to have their own privacy policy. It is found that those privacy policy drafts are not followed strictly and very few customers know about them. Above all, the public institutions are not in the purview of the Act. Even in Aadhaar Act 2016, the clause 30 gives government the power to collect biometric information deemed to be sensitive. Clause 29 discusses protection from sharing, displaying and posting data publicly. However, concerns of opting out, right to erasure, consent, etc. are excluded. Therefore, India needs a broader data privacy and protection law that covers every aspect of privacy debate, clearly defining personal data. It must issue guidelines for using data in both public and private spheres, along with foreign service providers. Currently, a committee led by former Supreme Court judge, Justice B. N. Srikrishna, is outlining a data protection framework for India. The final recommendations are yet to be seen.

The platforms discussed above have made the world more connected and brought terabytes of knowledge and information at our disposal. Also, services like Aadhaar have equipped governments to reach out to the beneficiaries in a more efficient manner with few misappropriations and improved the accountability of vendors. However, all the public and private organisations that compile, store, and utilise user data should realise that there is a huge potential of personal data to be misused for manipulation and cyber crimes. We need a comprehensive data privacy and protection law that not only recognizes and protects privacy as adjudged by Supreme Court, but also considers the future trends that are bound to arise from the ever innovating technological industry.


Ahluwalia, S. (April 3, 2018). In an age of leaks, just lock your data & sell it. Observer Research Foundation. Retrieved from https://www.orfonline.org/research/in-an-age-of-leaks-just-lock-your-data-sell-it/

Bhatia, G. (April 29, 2017). The Supreme Court’s Right to Privacy Judgment – I: Foundations By Gautam Bhatia. Retrieved from http://www.livelaw.in/supreme-courts-right-privacy-judgment-foundations/

Kantar TNS. (2017). Connected Life. Retrieved from http://connectedlife.tnsglobal.com/

Malik, A. (June 12, 2017). Real privacy debate is about Internet companies who are the repositories of enormous data. Observer Research Foundation. Retrieved from https://www.orfonline.org/research/real-privacy-debate-about-internet-companies-who-are-repositories-enormous-data/

Ministry of Law and Justice (2016). The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. Retrieved from https://uidai.gov.in/images/the_aadhaar_act_2016.pdf

Ministry of Law, Justice and Company Affairs (Legislative Department). (2000). The Information Technology Act, 2000. Retrieved from http://www.dot.gov.in/sites/default/files/itbill2000_0.pdf

Roofthooft, B. (June 5, 2017). Is the GDPR a game-changer? The Reference. Retrieved from https://www.the-reference.com/en/blog/bartroofthooft/2017/gdpr-game-changer

Saxena, S. (May 15, 2017). Data Protection in India. Live Law. Retrieved from http://www.livelaw.in/data-protection-india/

Sterling, B. (Feb 20, 2018). The General Data Protection Regulation: What it says, What it means. Wired. Retrieved from https://www.wired.com/beyond-the-beyond/2018/02/general-data-protection-regulation-says-means/

Image Credits: https://www.unglobalpulse.org/privacy

[1] On 24th August 2017, a nine-judge bench of the Supreme Court delivered its verdict in Justice K.S. Puttaswamy v/s Union of India, unanimously affirming that the right to privacy is a fundamental right under the Indian Constitution. The case became a constitutional issue when the Attorney-General for India defended the challenge to Aadhaar Scheme by stating that Constitution did not guarantee any fundamental right to privacy.

Share this article

Written By Chanakya Yadav

Bachelors student in Materials Engineering, IIT Madras.

Leave A Reply