In the wake of the recent Facebook data breach and the role of Cambridge Analytica in influencing major political movements like the recent US presidential elections and Brexit vote, the scenario of predictive algorithms combined with big data predicting the actions of a person better than the person himself is no longer the future, it is reality. These algorithms can be used to monitor activities and influence opinions of people in an unrecognizably subtle manner. It can lead people to vote for a particular political party or buy a particular book, without them necessarily realising that it was the result of 'targeted advertisement'.
These developments have created a sense of urgency in India to discuss these issues, particularly in the light of the mass adoption of mobile internet. It is important to not only understand the way in which our data protection laws can deal with issues of mass data breach but also the rights that are available to individuals to handle instances of violation. In light of the Facebook data breach, it is pertinent to analyse the consent obtained from individuals that is used for targeted advertising or monitoring in the context of non-personally identifiable information. The limitations in the present law have been addressed by the government in a white paper on data protection, which presents a number of suggestions to address the abovementioned issues.
The Information Technology Act, 2000, currently governing data protection in India, provides specific protection of sensitive personal data or information such as health records, sexual orientation, biometric information and financial information, compensation claim by aggrieved individuals. Further, it also provides for general protection of privacy and confidentiality by imposing imprisonment and granting compensation for disclosure of information without the consent of the individual involved. While the Indian data protection law has extra-territorial application and would apply to entities outside India like Google and Facebook that collect data of Indian users, practical enforcement of the same may be a challenge under the current framework where no specific powers of enforcement are codified against foreign entities. This issue has also been recognized in white paper on data protection, which has suggested measures such as international cooperation, entering into Mutual Legal Assistance Treaties, requiring foreign entities to have local representative office, or imposing fines on the local branch office or subsidiary. An interesting aspect that emerged from the Facebook data breach is that the breach was not communicated to individuals concerned for many years after the event. To avoid this and to ensure that organizations at least inform the individuals of any data breach, an obligation of notification of breach should be imposed on such companies.
The law currently provides specific protection and enhanced individual rights only in the context of sensitive personal data or information mentioned earlier. It is imperative to extend this to personal information as well. One of the means of providing greater protection to individuals would be to broaden the definition of 'personal information' to include all data or information that may be considered reasonably sufficient to identify such individual. In this context, there may still be issues in cases where certain information may not be identifiable but when combined with other available information, may result in identifying an individual. Therefore, as a general rule, any information that can reasonably identify an individual must come under the protection of the law, regardless of whether such data has been subject to presudonymisation or anonymisation.
Another aspect to be considered here is the time period for which the information is retained by the individual. There is presently a requirement that sensitive personal data or information is not retained longer than necessary for the purpose collected. This requirement should be extended to all personal information such that the scope for data breach is reduced. Further, along this principle, individuals may be provided a right to withdraw consent and demand erasure of personal information.
In light of the above, the proposed data protection legislation should have clear guidelines on the manner of obtaining consent, requirement to notify an individual in case of data breach, the recourses an individual has against any data breach, while also having strong enforcement provisions to ensure that the rights are actively protected.
The author is the Principal Associate at IndusLaw