INTRODUCTION
With the advent of the Internet, the cyberspace has witnessed the introduction of several technology-based platforms. One such platform is social media, which is an interactive hub wherein people can connect to each other virtually. With billions of users connected online, social media sites are a powerful and informal way to communicate with the world.
Even though the social media users make their personal information available to the public, there is still an expectation of privacy. The users often feel that they can control the personal information they make public by deciding who has access to it and how it will be used. However, the internet is a safe place only for those people who are aware of the risk and the security and can take steps to protect themselves.
It is often noted that when we search for anything on the internet, and later when we access any social media platform, the said social media platform starts recommending advertisements for similar goods and services. Hence, the question which needs to be addressed is that is our data and our personal activity over the Internet truly secure?
In this article, we will attempt to enlighten with the current position as to the data privacy laws in India, how consent, even though superficially present in the contracts with such platforms, is not present in its truest sense and why there is a need for a concrete data protection law.
DATA PRIVACY AND SECURITY ISSUES
Social media platforms are a means of communication between the Data Owner or the Data Producer and the viewers or the end users, for online communications that use Online Social Networks (OSN) to form virtual communities. An OSN is a web-based platform that allows users to develop social networks or relationships with others with similar opinions, interests, hobbies, or real-life connections.
OSN service providers collect a lot of data about their customers to deliver personalized services, which might also be used for commercial purposes. Due to such commercial or business purpose, the data of the users may be shared with third parties, or across the borders.
The aforesaid transfer or sharing of data might result in data breaches wherein hackers can use the personal information to gain access to, and infringe on an individual’s privacy. A huge bulk of sensitive information about individuals is now available online, owing to the rise of social media and the rising popularity of online communication via OSNs. The availability of sensitive data that is publicly accessible can result in the exposure of user privacy.
Personal data can be traced back to an individual or organization and aids in determining ones identity. Everything from a person’s purchasing habits to his or her medical records falls within the purview of personal data. No corporate entity or online platform can freely distribute this information without the Data Subject’s explicit authorization and consent.
THE EXPLOITATION OF PRIVACY BY SOCIAL MEDIA PLATFORMS IN THE GARB OF CONSENT
The social media platforms need to obtain explicit consent and authorization from all the users about processing the personal data of the users. In order to obtain such consent, the websites usually incorporate the required terms and conditions within the Privacy Policy or General Terms and Conditions of the website.
It is often noticed that the users agree to the Terms and Conditions of the website without even reading it properly and thereby end up giving consent for data sharing or data processing. Such consent is typically a result of lack of attention and lack of awareness from the user’s end.
The social media applications or platforms tend to employ Standard Contracts wherein the other party or the user in this case, does not have the option to negotiate or alter the terms of the contract. Therefore, as a result, the users compulsorily need to accept the Terms and Conditions or Privacy Policy in order to use the particular social media application or website.
Several social media giants such as WhatsApp, Instagram, Facebook, Telegram, etc. have such Terms and Conditions which mandatorily need to be accepted and acknowledged by the users.
However, on the broader aspect, the aforementioned Terms and Conditions or Privacy Policies end up violating the fundamental Right to Privacy of the users and puts the user information at risk for breach or exploitation. Due to the lack of Data Privacy Legislation in the country, the social media platforms stand largely unregulated from the aspect of data privacy and consumer data protection.
All the websites use ‘cookies’ to track the personal information of the users, which is thereafter used to display advertisements to the target audience. Cookies remember and store the personal information of the user, after taking consent from the user, and thereafter track the user activities as and when the user visits the particular website. Use of such intricate technological advancements shall be regulated once the Personal Data Protection Bill, 2019 (PDP Bill) is enacted.
THE CORE PRINCIPLES OF DATA PRIVACY
The following principles must be enshrined to safeguard users’ data from potential exploitation by large corporations or online platforms, and the Government in pursuit of their own goals:
1. Transparency: The general public must understand the types of data gathered by any website or other electronic methods, as well as what data is retained, how it is used, and what is shared with third parties (directly or indirectly). All data collecting technologies, including web beacons or other systems for tracking user behaviour or data, must notify the users about the collection of personal information. This information must be adequate for users to identify and pursue disclosure and control measures relating to these Data Collectors.
2. Disclosure for Users: Users must get complete disclosure about the usage or processing of their personal information by the website or application, or by any third parties accessing that information, directly or indirectly, for each website and application.
3. Control: The “do not track” requests of the users must be honoured, blocking disclosure by third-party cookies and retention of non-relationship-critical data between sessions. Users must be able to quickly identify, terminate, remove, and uninstall any material or program that has been installed on their devices or cloud services. Users must be able to easily erase personally identifiable information from any website, cloud service, or collecting device. Therefore, the users must be provided the ultimate control over their personal information and data.
4. Notification: Users must be informed directly and promptly if their personal information is leaked or misused by any entity that collects or stores such information.
5. Accountability: The Data Controller must be responsible for implementing measures that affect the privacy of the users.
THE PDP BILL AND SOCIAL MEDIA
The PDP Bill which is expected to become India’s first Data Protection law soon is unquestionably a move in the right way. The purpose of the PDP Bill is to regulate the collection, usage, storage, and transmission of personal data of individuals, i.e., the Data Principals, by commercial organizations and Governments, which fall under the ambit of Data Fiduciaries.
It is essential that users have certain rights against Data Fiduciaries in a data protection framework that claims to be rights-based. Users shall be entitled to the Right to Confirmation and Access, the Right to Rectification and Deletion, the Right to Data Portability, and the Right to be Forgotten under the PDP Bill.
The PDP Bill proposes extending the scope of the laws to encompass both personal data and non-personal data and establishing the Data Protection Authority (DPA) – an independent public authority to supervise its implementation.
The PDP Bill requires a Data Fiduciary (including social media intermediaries) to acquire consent for data collection under Section 7 of the Bill and consent for data processing under Section 11 of the Bill. While seeking consent under Section 7, by providing notice to Data Principal at the time of collection of personal data, a Data Fiduciary must state the purposes for which the personal data is to be processed under Section 7(1)(a), and inform the Data Principal about the individuals or entities, including other Data Fiduciaries or Data Processors, with whom such personal data may be shared under Section 7(1)(g). In this regard, Section 11(3) of the Bill requires a specific agreement to process any sensitive personal data.
AMLEGALS REMARKS
Data privacy is an evolving issue in the present-day Internet-driven society. As companies and multi-national conglomerates collect information from and about online users in bulk, and as the Government seeks greater access and surveillance capabilities, it is critical that India prioritizes privacy and implements strong safeguards to protect the privacy of both Indian citizens and foreigners whose data resides in India temporarily or permanently.
Social media is not limited to just connecting with people, it is also a business hub for several small-scale or home-based businesses. Therefore, a lot of personal information and sensitive personal information is exchanged over messages on several social media platforms. Such personal or sensitive personal information should be safeguarded by the Data Fiduciaries and not shared with any third party.
In the backdrop of the above, the PDP Bill is the need of the hour, so that the data processing and sharing mechanism is strictly regulated. The alarming potential of these social media platforms to collect endless amounts of information from their users without their knowledge or agreement, along with the users’ lack of attention in this respect, is what privacy activists are most concerned about.
– Team AMLEGALS, assisted by Mr. Hraday Jaiswal (Intern)
For any query or feedback, please feel free to connect with aditi.tiwari@amlegals.com or mridusha.guha@amlegals.com.
Leave a Reply