Cambridge Analytica was one of the biggest eye-openers about the use of personal data harvested off Facebook without consent to try and influence elections.
By TV Mohandas Pai
& Nisha Holla
In 1948, the United Nations established a historic mandate by adopting the Universal Declaration of Human Rights. For the first time, there was a declaration of inalienable rights for all humans. Coming at the tail end of five hundred years of violent invasion, occupation, slavery, colonisation, and two devastating World Wars, the Universal Declaration facilitated fundamental change in the way democracies and other governance systems worked. By and large, a wave of peace and respect for fellow humans across the world emanated from the Declaration.
As we head into 2020 and a new decade, looking back brings into sharp relief the digital revolution that has swept over the world. Societies have increasingly moved towards the use of digital devices to increase their communications and knowledge. Of the approximately 7.7 billion people on the planet today, roughly 4.5 billion have access to the internet (bit.ly/2ZW034B).
Contrast this with 2000, when only 738 million people had access to the internet. Social media was almost non-existent, whereas today, 3.7 billion are active social media users. The adoption of digital across the socio-economic spectrum has fundamentally changed the way we live and access information, goods, and services. Every part of our lives can be digitised, tracked and logged. Everyone has inevitably become a digital citizen.
On the digital provider side, we see the rise of digital monopolies that have grown so large in the last two decades; they effectively exercise control over most of the world. These monopolies started in different forms—Google as a search engine, Facebook as a social media network, Amazon as a digital shopping site, and so on. Today, these giants are akin to supermassive black holes slowly agglomerating a galaxy of services around their irresistible gravitational pull. They keep growing, they keep aggregating (like Facebook bought Instagram and Whatsapp), and they keep amassing data of the common global citizenry.
When one newly signs onto a digital platform, there is a long and oft-unread set of Terms and Conditions. These T&Cs effectively mean we have given away the rights to our data resulting from the usage of the platform to the managing company, such as Google or Facebook. The data now belongs to them and not to us. They can use it however they want, including in ways leading to monetisation. Most importantly, if there is a security breach, they cannot be held responsible. Moreover, since these companies are American, for example, Indians have no standing in US courts to take legal action against them for breach of private data.
On the one hand, in this knowledge-economy era, access to digital platforms and the internet is a necessity. On the other, there is effectively no protection of the data on the web with digital monopolies and data piracy. Loss of privacy has led to massive personal losses, financial and otherwise. Cambridge Analytica was one of the biggest eye-openers about the use of personal data harvested off Facebook without consent to try and influence elections. The inalienable rights mandated by the UDHR is openly in question because of the wild nature of the internet that was an unknown entity back in 1948.
It is time to formulate a Universal Declaration of Digital Rights, which upholds the spirit of the UDHR in the digital realm. There are different principled positions across the globe on what constitutes stable digital security. On one extreme is China which has created a firewall around their network, effectively restricting the digital services and websites Chinese citizens can access. China is a surveillance state where all notion of privacy has been quashed. On the other extreme is a zero-censorship state where there are no restrictions, and every citizen will have to look out for their security. No nation is at this extreme today because there are fundamental problems which cannot be handled with a zero-censorship policy like controlling child pornography, rampant sale of drugs on the internet, and so on. Most states have adopted censorship and data security policy that lies somewhere in between these two extremes of total control and zero-censorship.
Fundamental questions are being raised over individual protections in the digital age. Governments are waking up to the vast amounts of personal data companies store about their citizens and what it is being used for. The European Union recently formulated a significant boost to its data protection laws with the General Data Protection Regulation (GDPR). The GDPR lays out a framework to protect data that are personal identifiers like names, contact details, geo-location, and indicators like race and religion. It mandates that users or data subjects—who are providing their data to use a platform service—are accorded the rights to be informed about the usage of their data especially in automated decision-making and profiling, to access their data and port it, to rectify or erase their data from the platform, restrict processing, and raise objections.
GDPR places the burden on organisations to prove that they have a legitimate reason for holding onto personal data, to be much more upfront about data storage, why, and how it is being used, and use simple language while explaining data opt-in and opt-out. Moreover, if their database is hacked, they must notify users within three days, and immediately if they are at high risk like the cases when personal non-anonymised data is breached. Non-compliance warrants hefty fines and public outcry.
Today, organisations have a default opt-in procedure, with often no way of opting-out without getting off the platform altogether. With frameworks like GDPR making the fundamental assumption that people want control of their data, the right to opt-out, specific ways to opt-out, and demanding clarity on what to opt-out off is paramount. Moreover, since the GDPR mandates that not only EU-operational companies but any company with European users have to comply, this legislation now extends practically to the whole world. India is also active in the process of understanding how to protect its citizens’ data so that we can pass legislation similar to GDPR.
The right to privacy is a prime example of a digital right which would include the right to have secure encryption implemented and to private digital communications. The right not to be profiled includes freedom from automated profiling and bulk surveillance, the right to get information about your data, to keep personal data protected, to opt-out of profiling, and anonymous access and participation. Another digital freedom worth putting on paper is the right to personal safety and security, which would include protections from the leak and abuse of your personal data. Rights to digital self-determination including control of our data, to object to the use of personal data, to challenge/opt-out of standard terms and conditions, to portability, and others are another example of sacrosanct rights.
These are but a sampling of some rights that a Universal Declaration of Digital Rights must formulate and mandate. Apart from affording personal protections, the UDDR will also form a basis for resolving digital conflicts like hacking, cyber-security and national security matters between nations.
While it is essential for every country to safeguard its citizens’ interests, the time is ripe for a multilateral agreement—a Universal Declaration of Digital Rights—with an unambiguous and aligned view of the inalienable rights of the modern digital citizen. The principles of the UDHR where everyone has the right to life, liberty and security must now transcend to the virtual realm.
Pai is Chairman, Aarin Capital Partners. Holla is Technology Fellow, C-CAMP