INTRODUCTION
Amidst the COVID-19 pandemic, the surge of the digital economy, and rapidly rising Data Privacy concerns, Google released the Android 12 Beta which claimed to bring about enhanced privacy measures and better user control over data collection. The Android 12 updates seek to build a transparent system for data collection where the user is not only aware but can also control access to certain data by certain web applications. However, before delving into the implications of such features on Data Privacy and user safety as a whole, it is important to understand the importance of data for companies and its utilization.
The modern world runs on the belief that without data, a person is blind, deaf and in the middle of the freeway. Data not only forms the backbone of the current globalized and digitalized world but is also the basic foundation of the current economy. Companies like Facebook, Twitter and several such other companies that have a prominent digital presence thrive on observing the online behaviour and engagement of their users. Such companies collect massive amounts of data regarding the interests, web searches, and location of their users, among other things, to show relevant and targeted products, and advertisements for better customer response and interaction.
The data that is collected by the companies are not restricted to one aspect or category – rather, it is large volumes of data – categorized or uncategorized – which is termed as “Big Data”. The major threat that Big Data brings forth is that it is consolidated raw data from various sources and mostly collected without the explicit consent of the user.
Big Data is so exhaustive that when it is decoded and categorized using different techniques, it can provide enough information regarding an individual’s personal choices, wants and preferences which is, in turn, used for better predictions and inferences to craft an approach towards the target consumers.
The collection of data has multiple implications on the privacy of the users and the same can be used for both marketing as well as surveillance purposes. With the growing data privacy concerns among users, the Android 12 Beta update comes in with a proposition that provides the users not only the information which the applications are using and collecting, but also provides more effective user-control over the data.
However, given the tricky and technical nature of such data collection and analysis, it is important to take a closer look at the Android 12 Beta update to better understand the possible implications of the same as well as its benefits and disadvantages, if any.
CHANGES INTRODUCED BY ANDROID 12
Google, the developer of Android 12 Beta (“the Developer”), appears to be concerned about privacy specifically because data privacy has been the most vulnerable flank in its system which has been exploited unabashedly by the digital giant.
The change introduced is also attributed to Google’s primary competitor, Apple which appears to be relatively more pro-user privacy. Further, the iOS 14.5 update introduced an ‘App Tracking Transparency’ feature which now allows users to restrict certain applications from tracking their user information by denying or turning off permissions.
The changes introduced by Google aim to make Android 12 more user-centric than before. The salient features of the update are as follows:
- The Primacy of Privacy
The most important feature that drew everyone’s attention to the Android 12 Beta update is the ‘Privacy Dashboard’ which is primarily designed to provide users an overview pertaining to the information collected by various web and/or mobile applications over the last 24 hours, specifically through the camera, microphone, and location.
The Developer has also added a sensor that works as a warning light every time an application accesses the camera or the microphone, and thereafter allows the user to immediately revoke access. The Android 12 Beta 2 model is seeking to extend and roll out this model not only to Google smartphones but also to other third-party developers.
While this new version of Android comes as a relief to the users, whether the data processing patterns have truly and substantially changed for the better and how the existing concerns on data privacy are being addressed, remains a question to be pondered upon.
- Implications on Data Privacy
- International and Global scenario
Right to Privacy has been recognized around the globe and has been addressed in several international regulations and treaties.
Article 12 of the Universal Declaration on Human Rights (UDHR) recognizes the Right to Privacy and states that there must be no arbitrary interference with the privacy of a person including his family, home, communication or honor. Further, Article 17 of the International Covenant on Civil and Political Rights has recognized the aforementioned right.
General Comment No. 16 to Article 17, released by High Commission on Human Rights has also emphasized that the Right to Privacy is not only limited to physical or existential information, but also includes electronic data, and cannot be impaired by either State or non- State agents without a legitimate reason.
The General Data Protection Regulation (GDPR) was drafted and passed by the European Union (EU) in 2018, which laid down the minimum standards of Data Protection to be followed in the EU. GDPR not only extends the liability of ensuring adequate Data Protection to the Government but also to organizations and corporate entities, and imposes fines and other penalties in case of any breach.
Further, Article 3(2) of the GDPR imposes an extra-territorial jurisdiction over non-EU establishments doing business in the EU. The GDPR defines other primary concepts like consent, Data Processing, Data Subject and Data Controller among others. It is important to note that although Google ensures the users that they can control the data accessed by certain applications, Google itself has the access to all the personal data of such users.
Moreover, such data collected by the developer can be used to create an exclusive database of the users which, according to Article 6 of the GDPR, comes under the ambit of ‘processing of data’.
The GDPR is primarily based on 7 principles pertaining to Data Collection and Data Processing:
a. Lawfulness, fairness and transparency
b. Purpose limitation
c. Data minimization
d. Accuracy
e. Storage Limitation
f. Integrity and Confidentiality
g. Accountability
It is pertinent to note that even though Google has protected third-party applications from the collection of data or allowed for more effective user determination, the data collected by the Developer itself continues to be untapped. Moreover, there is presently no regulation that strictly restricts the Developer from processing the data and/or selling it to or transacting with a third party for mutual benefits.
The GDPR, however, has a robust system that allows for monitoring of the transfer and transactional movement of data by having provisions for assessment of data processing, the proportionality of the activity and by dictating the need for a transparent system with the information and access to the information given to the individuals from whom it is collected.
2. Regulations in India
The only formal recognition given to Right to Privacy is through the landmark judgement of the Supreme Court in the case of Retd. Justice K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1]. However, constant efforts are being put in to bring in legislation that systematically protects the privacy of the individuals.
Presently, Section 43A of the Information Technology Act, 2000 (the IT Act) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the IT Rules) is the most reliable law with regards to data privacy.
Section 43A of the IT Act stipulates that any aggrieved individual can claim compensation from any entity that is engaged in commercial or professional activities relating to technology if the entity has failed to adopt reasonable security practices and the same has caused significant damage to the individual and his privacy.
Further, the IT Rules obligate the corporate entities to obtain due consent for the processing of data, retaining it and/ or sharing it with any other entities with legitimate reasons for the same. Any contravention under the IT Act can attract either a fine of INR Five Lakhs and/or imprisonment up to three years.
Another landmark step sought to be taken by the Legislation with regards to the protection of personal data is the introduction of the Personal Data Protection Bill, 2019 (PDP Bill) which is yet to be passed by the Parliament. The potential impact or the utility of the PDP Bill can only be determined upon the analysis of the provisions of the same.
The key features of the PDP Bill include the extensive applicability of the PDP Bill, imposing of obligations and responsibilities on the Data Fiduciaries, defining and discussing the rights of the Data Principle, stipulating penalties in case of non-compliance, the establishment of the Data Protection Authority, etc.
Once enacted, the PDP Bill will largely affect the digital-based companies, e-commerce giants, and other corporate entities.
AMLEGALS REMARKS
The Android 12 Beta version is a step that would be embraced and welcomed by the globalized world as it seeks to create a more transparent data collection process. While the update is in consonance with the provisions of the GDPR on face value, there continue to be loopholes as to the use of the processed data, the implications of the use of the data by the Developer, the verification of the use of the data, etc.
On the other hand, the problem faced by the Indian Legislations is the enforcement of a dedicated Data Protection law and the application and implementation of the same. At the same time, there seems to be a lack of clarity regarding the role of third parties, the governance of transactional flow, and the collection of data from multiple sources.
Another major issue with regards to Data Privacy in India is the lack of awareness amongst the citizens. Nearly every person uses a smartphone today, but hardly anyone reads the terms and conditions of the websites or the organizations where they are providing their personal information and data. Therefore, the question that arises with regards to these factors is with regards to the liability of the Data Collectors who collects and manages the said consented data.
Eventually, only time will tell whether personal data can actually be effectively protected in a digital economy by incorporating changes in the law and the regulatory system, or whether the same is merely a sham to provide users a false sense of control, safety and security.
–Team AMLEGALS assisted by Ms. Varada Jahagirdar (Intern)
For any query or feedback, please feel free to get in touch with vineeta.tekwani@amlegals.com or mridusha.guha@amlegals.com.
Leave a Reply