Commercialization of Data
Data in technology can broadly be defined as all the results or technical information that have been developed or obtained during the performance of a certain activity. Every day, we go through a number of activities without realising that at every step of an activity, a large amount of our data is being used, collected, and commercially exploited by huge corporations in order to serve us advertisements, make commercial calls, and further their marketing purposes.
The law defines personal data as any information relating to a person who can be identified, or is identifiable, by reference to one or more factors, specifically an individual’s physical, physiological, mental, economic, cultural, or social characteristics.
Personal data is any piece of information that can be verified to identify a specific person, such as fingerprints, DNA, or certain information specific to the said person. Personal data possesses a great deal of commercial value for businesses, which motivates these companies to collect and store this sensitive information. Organizations usually collect many different types of information on people, and even if one piece of data does not identify anyone on its own, it can still be valuable when combined with other information. For instance, a company that asks people downloading products from its website for their occupation might receive the answer “banker”; since millions of people work in banks, that answer alone identifies no one and may be set aside as of little use to the website.
During the past decade, people’s awareness of how their personal data is collected and used has increased rapidly. They have come to realise that they no longer have any say in who collects and sells their data, and that this is a problem for basic activities such as shopping, ordering food, and accessing education online. Large internet companies have learned to exploit or sell the same data for different customer or marketing engagements.
The processing of personal data
Data is gathered from a variety of sources, such as data lakes and data warehouses, at the beginning of data processing. In order for the data collected (and later used as information) to be of the highest quality, the data sources used must be reliable and well-constructed. After the data has been obtained, the data organization phase begins. Pre-processing is the process of cleaning up and structuring raw data in preparation for the next stage. As part of the preparation process, raw data is thoroughly validated for errors. This step is designed to eliminate bad data (redundant, incomplete, or erroneous data) so that high-quality data can be produced for better business intelligence.
The clean data is then entered into its intended location and translated into a language that can be understood. This is the first phase in transforming raw data into usable information. As part of this stage, the data entered into the computer in the previous stage is processed for interpretation. Although the procedure varies slightly depending on the data source (data lakes, social networks, connected devices, etc.) and the purpose (examining advertising patterns, making medical diagnoses from connected devices, determining customer needs, etc.), machine learning algorithms are used to process the data.
This stage is when non-data scientists can finally use the data. It is translated, readable, and often converted into graphs, videos, images, plain text, etc. This data can then be analyzed by company or institution members and applied to their own data analytics projects. The final stage of data processing is storage. After all the data has been processed, it is stored for future use. While some information can be used immediately, much of it can be used later on. To comply with GDPR (data protection legislation), it is crucial to store data properly.
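The pre-processing stage described above (validating raw records, discarding redundant, incomplete or erroneous ones, and normalising what remains) is easier to reason about with a concrete gate in front of you. The following is an added example, not code from the original article; the three-field schema, the plausibility bounds on age and the sample records are assumptions constructed for the illustration. Rejected records are kept together with the reason, because a data-quality step that silently drops records leaves no audit trail.

```python
import re
from dataclasses import dataclass, field

# Hypothetical schema for this example: every record must carry these keys.
REQUIRED_FIELDS = ("id", "email", "age")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class CleanResult:
    accepted: list = field(default_factory=list)   # cleaned records, ready for the next stage
    rejected: list = field(default_factory=list)   # (original record, reason) pairs for the audit trail


def validate(record):
    """Return None if the record passes validation, otherwise the reason it was rejected."""
    for key in REQUIRED_FIELDS:
        if record.get(key) in (None, ""):
            return f"incomplete: missing {key}"
    if not EMAIL_RE.match(str(record["email"])):
        return "erroneous: malformed email"
    try:
        age = int(record["age"])
    except (TypeError, ValueError):
        return "erroneous: age is not numeric"
    if not 0 < age < 130:          # assumed plausibility bound for this example
        return "erroneous: age out of plausible range"
    return None


def preprocess(records):
    """Validate, normalise and de-duplicate raw records before they enter the processing stage."""
    result = CleanResult()
    seen_emails = set()
    for rec in records:
        reason = validate(rec)
        if reason is not None:
            result.rejected.append((rec, reason))
            continue
        email = str(rec["email"]).strip().lower()   # normalise so case variants collapse to one identity
        if email in seen_emails:
            result.rejected.append((rec, "redundant: duplicate of an earlier record"))
            continue
        seen_emails.add(email)
        result.accepted.append({"id": rec["id"], "email": email, "age": int(rec["age"])})
    return result


# Constructed sample input for the example; not real data.
SAMPLE_RECORDS = [
    {"id": 1, "email": "Ann@Example.com", "age": "34"},
    {"id": 2, "email": "ann@example.com", "age": 34},      # duplicate of record 1 after normalisation
    {"id": 3, "email": "", "age": 40},                     # incomplete
    {"id": 4, "email": "bob@example", "age": 22},          # malformed email
    {"id": 5, "email": "cara@example.org", "age": "abc"},  # non-numeric age
    {"id": 6, "email": "dan@example.org", "age": 200},     # implausible age
    {"id": 7, "email": "eve@example.org", "age": 29},
]

if __name__ == "__main__":
    cleaned = preprocess(SAMPLE_RECORDS)
    print(f"accepted {len(cleaned.accepted)}, rejected {len(cleaned.rejected)}")
    for rec, reason in cleaned.rejected:
        print(f"  rejected id={rec['id']}: {reason}")
```

Running the block on the sample input accepts two records and rejects five, one for each category of bad data the text names (redundant, incomplete, erroneous). Validation runs before de-duplication so that a malformed record can never be the copy that survives.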
Making money from personal information
This trend of data production and consumption is quickly becoming the norm, with every person producing more data than ever before, and marketers turning to this information to target consumers through advertising. With social media sites like Facebook, Twitter, and LinkedIn being some of the largest sources of data for marketers to use in their targeting, it is clear that nearly everything we do online is monitored and recorded by these companies. It is fair to assume that with all the information you share on social media or through other online activities, your personal life is being scrutinized and sold to marketing companies for profit.
Many people will find it unpleasant to see their sentiments and interests used in this way, as it violates their privacy. Despite the possibility of a change in the way purchases can be made, people would prefer not to participate, since their data is being used without their consent under the guise of providing a better customer experience.
Individual rights protected by Indian IT laws
The following obligations are imposed, and enforced by the Data Protection Authority, on organizations that collect, process, store and transfer sensitive personal data or information of individuals: obtaining consent, publishing a privacy policy, responding to requests from individuals, and restrictions on disclosure and transfer.
The Indian Constitution also guarantees a right to privacy to every citizen as a fundamental right under Article 21, which protects personal data. In a few cases, the Supreme Court has held that information about a person and the right to access that information are also covered by the right to privacy.
The IT Act contains the following relevant provisions:
Under Section 43A, a body corporate that owns, deals with, or handles any sensitive personal data or information contained in a computer resource that it owns, controls, or operates is liable for damages for any wrongful loss or wrongful gain caused by negligence in implementing and maintaining reasonable security practices.
Under Section 72A, wrongful disclosure of information without the consent of the person concerned or in breach of a lawful contract, with the intent to cause, or knowledge that it is likely to cause, wrongful loss or wrongful gain, is punishable by imprisonment for a term up to three years, a fine up to five lakh rupees, or both.
In accordance with the Data Protection Rules, individuals have the right to manage their sensitive personal information, and any legal entity must publish a privacy policy. Additionally, the Rules give individuals the right to access and verify their information and require legal entities to obtain consent before disclosing personal information (except to law enforcement); that consent can be withdrawn.
There are many loopholes in the current legal framework, since regulations are widely dispersed. Furthermore, they are limited to sensitive personal information generated and transmitted electronically. Some terms may even be overridden by contracts.
Commercialization and GDPR
The General Data Protection Regulation (“GDPR”) is one of the most stringent global standards, protecting the rights of millions of individuals, who are referred to as ‘data subjects’. Under the GDPR, organizations must follow clear guidelines to protect personal data and address data protection concerns, or face legal penalties.
Data privacy has been recognized by GDPR as a fundamental human right for all EU citizens, and it sets clear standards for protecting personal data while ensuring that individuals can control how their data is used and retained. In accordance with the GDPR, data subjects have the following rights:
- Parental consent is required for children between the ages of 13 and 16.
- Data subjects must have access to their data, know how it is stored by the Data Controller, and understand why it is processed.
- All recipients of the data must be informed of any corrections that data subjects and data controllers make to incorrect or incomplete data.
- Data subjects have the right to object to the use of their data, and Data Controllers must comply with their objections unless they have a legitimate interest that outweighs the data subject’s.
- A data subject may ask the controller to “forget” their personal information. Organizations may nevertheless retain data, for example, if it is required to comply with a legal obligation or if it is in the public interest, such as scientific or historical research.
- Data subjects have the right to know if their private information was used in an automated decision and to ask for a review of it or to contest it.
Data controllers must notify the relevant Data Protection Authority within 72 hours if personal data for which they are responsible is disclosed to unauthorized parties. In some cases, they must also notify the data subjects. Article 17 of the GDPR and Recitals 65 and 66 confer a right to be forgotten: the data subject has the right to obtain from the controller the deletion of personal data pertaining to them without undue delay, and the controller is required to delete the personal data without undue delay.
The GDPR only allows individuals to have their personal data deleted in certain specific circumstances. The right to be forgotten can be outweighed by the organization’s right to process an individual’s data in exceptional circumstances, such as when the data is used to exercise the right to freedom of expression and information. The right to be forgotten may also give way to a legal decision, a legal obligation, or public health or public interest reasons.
The Indian position on the Right to be Forgotten
At present, Indian laws do not include the right to be forgotten. However, the Honorable Supreme Court in the Puttaswamy case inter alia recognised that “these rights include the right to be forgotten – a right to prevent or restrict disclosure of personal data by a fiduciary. Most importantly, consent has been given a crucial status in the draft data protection law. Thus, a primary basis for processing of personal data must be individual consent. This consent is required to be free, informed, specific, clear and, in an important addition, capable of being withdrawn”. This case dealt with the Aadhaar legislation and the collection of biometric data of individuals, which falls outside the ambit of personal data as defined under Indian law.
The Personal Data Protection Bill, 2019 (“Bill”) proposes to include the right to be forgotten in legislation. Individuals would then be able to limit, delete, separate, or correct any information about them that is inaccurate, irrelevant, or misleading. The Bill declares that data subjects have the right to prevent data trustees from using such data or information if the disclosure of the data is no longer required, if consent to use the data has been withdrawn, or if the data is used contrary to the provisions of the law.
As part of the Data Protection Rules, organisations dealing with sensitive personal data or information of individuals must implement certain reasonable security practices and procedures (“RSPP”). Organizations can demonstrate compliance with the RSPP requirement by implementing security practices and methodologies, as well as by having written information security policies and programmes. An organization’s information security policies must include administrative, technical, operational, and physical security controls that are appropriate to the information assets being protected.
RSPP compliance can be demonstrated in the following ways:
- through the international standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”;
- through the codes of a self-regulatory organization, which the Central Government must approve and notify; and
- organizations that have adopted the standards or codes outlined above will be considered compliant with the requirement to implement RSPPs when audits are performed on a regular basis by independent Government-appointed auditors.
The IS/ISO/IEC 27001 standard specified in the Data Protection Rules is a certification that can be used effectively to prove compliance with the RSPP requirement. Obtaining IS 17428 certification, although not required, will serve organizations well as a reference for demonstrating compliance with RSPP requirements.
Breach penalties
Any person who, in pursuance of any of the powers conferred under the IT Act or the Rules or Regulations made thereunder, secures access to any electronic record, book, register, correspondence, information, document, or other material and, without the consent of the person concerned, discloses such material to any other person shall be punished with imprisonment for a term that may extend to two years, or with a fine that may extend to Rs 1 lakh. In addition to the IT Act, the GDPR prescribes the following penalties for non-compliance with respect to EU residents:
- A violation of certain provisions of the Act may result in a fine of Rs 15 crore or 4% of the fiduciary’s annual turnover, whichever is greater.
- The failure to conduct a data audit is punishable by a fine of five crore rupees or 2% of the fiduciary’s annual turnover, whichever is higher.
E-commerce Dos and Don’ts
On the company’s website, the following information must be included:
- the type of personal information collected (including sensitive information), if any;
- the purpose for collecting such information;
- disclosures to third parties and the circumstances under which such disclosures take place;
- the measures and practices used to protect personal information.
Establish the procedure for collecting information, such as the cookie policy and the appointment of a grievance officer, by working with the IT team. An organisation must designate an employee as the nodal officer for complaints about blocked access to information on its website. Do not disclose personal information acquired while providing services (under the terms of a legal contract) without the consent of the individual concerned with the intent to cause wrongful loss or gain.
The Nodal Officer’s name and contact information must be published on the company’s website and communicated to the Department of Information Technology. Fraudulent use of any electronic signature, password, or other identification feature provided by the data provider is prohibited. Upon receipt of a complaint from any person in relation to the blocking of, or access to, any information, the Nodal Officer should examine the complaint and forward it to the Designated Officer of the Central Government appointed under the Rules. No company may violate the confidentiality and privacy of data subjects.
It is essential to have a comprehensive and detailed Privacy Policy in place for your e-commerce business. Payment processors, mail carriers, and marketing firms are often enlisted by e-commerce retailers to process personal data on their behalf. As a result, e-commerce service providers must comply with the disclaimers and privacy statements of such third parties and warn users of the use of personal information outside of their control.
Your privacy policy must include the following items:
- Contact information for your company
- The categories of personal data you process
- What you do with personal data and why you do it
- The lawful basis for each act of processing you perform
- Companies with whom you share personal information
- Any transfers of data outside the jurisdiction
- How long you retain personal data
- What you do to facilitate your users’ data rights
- What your users can do if they have a complaint about your data protection policies
Conclusion
The use of personal data must comply with the principles enshrined in Indian data protection law and GDPR (for businesses catering to EU residents) as well as be sufficiently disclosed to the general public. Contrary to popular belief, privacy statements are more than just cookies and cache policies; they define and sometimes protect substantial individual rights.