Kartik Mittal
When news emerged of the massive user data privacy violation by London-based (and now defunct) Cambridge Analytica (CA), it spotlighted the long talked about, but never enforced, user data protection laws (GDPR alignment was still underway back then). The London-based data consultancy firm was found to have illegally gathered and used the personal information of more than 50 million Facebook users to build a database to target US voters, and purportedly to influence the presidential elections through personalised political advertisements based on their psychological profiles. When the scandal hit headlines the world over, it once again brought out the debate that is as old as the digital age itself: who owns user data, and what protection do companies that handle such massive data offer their users? While the CA scandal may go down as the biggest talking point of the year, it may well also be the definitive point for being the biggest change maker in the field of privacy regulation.
As soon as the news of the scandal broke, governments the world over were quick to react and open internal enquiries, including in the US, the UK and India. The fact that major political parties from India were listed as clients of Cambridge Analytica was enough to create a political storm in the country.
Beyond its capability to influence the masses through algorithm-aided targeted messaging, the CA case also unearthed the massive underlying work of companies like it, which are able to operate legally in the business of directly handling sensitive and personal user information. The fact that there were no laws specific to the field (again, before GDPR came into effect) enabled companies to engage with massive amounts of personal and private information in a non-transparent manner, without any consequences. Since these revelations, there have been calls from the public and government to investigate how the likes of CA and Facebook were able to gain access to so much information, and the current rules and regulations on data, including user awareness, have been put into question.
GDPR: Europe’s commendable attempt at laying down the law
During Mark Zuckerberg’s testimony to the US Senate, the Facebook founder agreed with the statement that ‘Europe always gets its laws right’, a testimony to the increased awareness and consumer protection that the European Union (EU) strives to achieve.
With the digital age growing in influence by the day, the EU introduced the General Data Protection Regulation (GDPR), a law guaranteeing data protection and privacy for all individuals within the EU and the European Economic Area (EEA). The law is not limited to the continent, but also addresses the handling and export of personal data outside the EU and EEA. The primary aim of the law is to empower citizens to control their personal data; the secondary aim is to simplify the regulatory environment in which international businesses operate.
As per the GDPR, companies will have to report certain types of data breaches within 72 hours of their being detected, even if all the details are not yet known. Failure to comply can entail a fine of up to 20 million euros ($23.6m) or 4 per cent of the organisation’s annual global turnover, whichever is greater. The penalty for failing to report a breach within the time frame tops out at 10 million euros or 2 per cent of global turnover. These are pretty serious ramifications, which is an indication of the level of seriousness the EU places on consumer protection.
While the Cambridge Analytica scandal unfolded before GDPR came into force, the regulation, which has now been enforced since May 25, was first proposed back in January 2012, before being finally approved for implementation in May 2016. Businesses and organisations operating within the EEA region were given a two-year window to align their data-handling operations with the new regulations. The fact that the CA scandal emerged just before the GDPR was enforced further pressured data-driven companies such as Facebook to act on their operating practices, not just within the EU but across all countries. Since the CA scandal, Facebook has confirmed its decision to implement the GDPR in all areas of operation and not just the EU, an industry success story.
The scope for India
As in the UK and the US, the debate about user data privacy has picked up in India over the last couple of years, especially over the Aadhaar system being implemented in the country. With new users being added to online platforms every day, India needs to implement a similar GDPR-type policy programme at the earliest, to ensure proper systems are in place right from the early stages of digitalisation. This will not only enable companies and organisations to adjust to the regulatory compliance systems well in time before a massive explosion in users, but also help create data rights awareness and empower citizens.
With India rapidly seeking international investment, implementing international best practices, including GDPR-type regulations, will create an atmosphere that enables ease of doing business, thereby providing a competitive edge over other developing markets. Apart from the market advantage, data privacy laws will also ensure Indian citizens have a safe start as they enter this new-age digital territory!
The author is Senior Solicitor, Zaiwalla & Co. LLP London. Views are personal.