Even though the Personal Data Protection Bill is yet to become law, big tech firms like Google, Meta, Amazon and various e-commerce platforms are liable to be penalised for sharing users’ data with each other if consumers flag such instances.
A senior consumer affairs department official told FE that under the Consumer Protection Act, 2019, the department can take action and issue directions to such firms. “Since the data belongs to a consumer, if the consumer feels that their data is being shared amongst firms without their express consent, they are free to approach us under the Consumer Protection Act,” the official said.
Explaining the kind of data which is shared between firms, the official said, “Any search on Google by a consumer leads to the same feeds being shown on Facebook. This means that user data is being shared by big tech firms. If it’s with express consent of the user concerned, it’s fine. If not, users’ can approach us. The Consumer Protection Act and Central Consumer Protection Authority are empowered to act on such complaints.”
In fact, under its new privacy policy, WhatsApp has said that it can share business data with its sister firm, Facebook. The Competition Commission of India has objected to this as a monopolistic practice and the matter is in court.
Under the Consumer Protection Act, the department of consumer affairs has powers to penalise companies for misleading advertisements and unfair trade practices. Consumers have the right to seek redressal against unfair/ restrictive trade practices or unscrupulous exploitation of consumers.
Using powers under the Act, the department recently ticked off e-commerce major Amazon and edtech firm Byju’s for alleged anti-consumer practices. While Amazon was pulled up for its algorithms which prioritise its private labels and products of companies where it has investments, Byju’s was asked to stop advertisements that furthers its business at the cost of misleading consumers.
Protecting personal data is the prime objective of the Data Protection Bill, too. Once it becomes law, citizens can intimate all digital platforms they deal with to delete their past data. The firms concerned will then need to collect data afresh from users’ and clearly spell out the purpose and usage. They will be booked for data breach if they depart from the purpose for which it was collected.
Data minimisation, purpose limitation and storage limitation are the hallmarks of the Bill. Data minimisation means firms can only collect the absolute minimum required data. Purpose limitation will allow them to use data only for the purpose for which it has been acquired. With storage limitation, once the service is delivered, firms will need to delete the data. According to the consumer affairs department official, while the Data Protection Bill will streamline such practices, users can also invoke their rights in such matters under the Consumer Protection Act.