Our legal framework should be equipped to ascribe accountability on the entities collecting data from individuals
Abhishek A Rastogi
Data privacy has become a sincere concern due to multifarious breaches exposed recently. The Facebook-Cambridge Analytica fiasco is a glaring example of the risk that all of us are living through in this age of brisk-paced and heavily-reticulated information exchange. In this context, our Prime Minister’s concerns over data leaks are well founded. Facebook made it too easy for a person to get extensive personal information of about 87 million people. It is alleged that the leak of this scale involving the data mining firm was used to sway the 2016 presidential election for Donald Trump campaign. There are also discussions about the alleged connection between Cambridge Analytica and Rahul Gandhi’s media presence.
The fact that no one knows how many people have access to the Cambridge Analytica data, or for that matter how many other Cambridge Analytica are still out there, remains a cause of concern. Companies like Facebook itself are using people’s personal information to do highly targeted product and political advertising, and all this is happening under a parochial and limited regulatory framework, even in developed economies like the US. India faces a challenge in monitoring the domain of data mining and regulating the way in which the personal data collected by popular mobile applications and web portals are used by third parties. Under circumstances such confidential or sensitive data is traded in the market, our legal framework should be well equipped to ascribe accountability on the entities collecting data from individuals.
Recently, India raised concerns over 42 Chinese apps on both iOS and Android platforms that were reportedly sending the user’s data back to servers in China, inviting an imminent threat of cyber attacks against Indians. Personal details filled in these Chinese apps have the potential to be exposed in the hands of Chinese hackers who illegally use the data. Some of these apps have already been banned by the US and the Indian government seems to have taken initiatives to follow suit. Besides, usage of these apps by Indian armed forces personnel can be detrimental to data security and can have serious implications on our defence establishments.
China, on the other hand, has been cautious about protecting its own data from exploitation by corporates beyond their control and supervision. While banning use of Facebook may not be a pragmatic approach, Chinese model on data privacy, in its own country, has proved to be extremely effective in allowing the government to have strict control on the data that circulates within and goes out of China. The government does not allow unfettered access to companies with servers outside its territorial control.
Modi’s suggestion that all data-sharing servers should be housed in India is, therefore, a step in the right direction—this issue should be a ‘top priority’ as a lot of companies including Google, Facebook, WhatsApp and Instagram have their servers located internationally, and access to them is regulated only by the US laws. The IT ministry has responded to Facebook’s data security breaches and conducted a thorough review of issues. We can expect draft regulations bringing MNCs like Facebook and Google within the legislative framework to ensure all data collection and sharing can happen under a highly regulated environment.
There is, however, a strong political incentive in bringing data monitoring under the exclusive control of the government as having an unsupervised network can easily shift powers from state to citizens by providing extensive forum for discussion and opinion, which can result in a political quicksand for any government. Mark Zuckerberg of Facebook understands the significance of this data breach ahead of India’s 2019 elections and stated in the US Congress that the most important thing that he cares about is to ensure that no one interferes in elections across the world.
The moot point is not whether we should have a regulation under the Information Technology Act. As internet is gaining importance in people’s lives, the more pertinent question is what should be the ideal regulation for effective and robust national data security framework so that the admitted “mistakes” of Facebook in relation to the Cambridge Analytica mess don’t get repeated in the future.
The author is Partner, Khaitan & Co. Views are personal
(Pratyushprava Saha, senior associate, contributed to this article)