This article has been written by Amit Dwivedi pursuing Diploma in Intellectual Property, Media and Entertainment Laws at LawSikho, and edited by Shashwat Kaushik. This article gives an overview of consumer privacy and government technology mandates in the digital media marketplace.
It has been published by Rachit Garg.
The text below discusses what constitutes digital media and how it has become a market for millions. It is a revenue source for service providers and consumers alike, who continuously exchange roles in such marketplaces. This article also examines privacy concerns as a major challenge arising out of the media marketplace. It discusses the applicable laws, their sources, and how they developed. The critical review of inadequate laws is covered at length, as are the most probable concerns, such as surveillance and inadequacy.
Digital media marketplace and its evolution
The growth of technology has proliferated along with human development, and the modernisation of such technologies has led to a rise in online marketplaces of various orientations. Companies are constantly changing the ways we consume traditional services by projecting themselves as industry disruptors. COVID-19 accelerated such behaviour among consumers and companies.
A media marketplace is an online B2C, C2C and sometimes B2B business model that is designed to monetize attention or action by facilitating multi-seller, multi-brand and inter-customer transactions.
Before the internet became popular, newspapers, TV media and radio broadcasts were the only information sources available. After the advent of the internet, there was a galactic outburst of data generation and consumption, where not just traditional media platforms grew manifold but consumers themselves also became the creators of massive data volumes. This paved the way for consumer technologies such as all the electronic and semiconductor devices and other technologies of which these devices were the parents.
Necessity being the mother of invention, as Plato famously said, the reasons for the evolution of the digital media marketplace were high consumer expectations for personalisation and a higher chance of creating multiple revenue pathways.
Its avenues and outcomes
Online shopping, booking accommodation and travel, watching TV online, OTT platforms, news agencies making their print media digitally accessible, etc. are some of the most popular applications. Apart from these, it is also used in some of the most advanced areas, such as Artificial Intelligence, Augmented Reality, Quantum Computing, etc. Such media has also been largely cost-effective and a quality booster for businesses, as they can now outsource for help, and various online tools can replace costly staffing and increase agility.
Now, due to the large audience and excessive holding capacity of the media marketplace, in which pivots and modifications are constantly happening, a gigantic pool of consumer data, much of which is personal, is built every second. Although it gives rise to new employment opportunities, a major concern still remains that such an amount of data poses an unbridled threat of misuse and theft if not regulated by the law.
Data privacy in India
For democratic rights and freedom to remain intact, our data privacy laws need to be strengthened. As our social structure is an ever-evolving machine, so is the definition of privacy. The right to privacy, as defined in Black’s law dictionary, is the right of a person to go his own way and live his own life free from interferences and annoyances.
When our Constitution was implemented, such a concept in its general understanding wasn’t part of the document, but the discussions started in later years. In 1954, in the case of M.P. Sharma and Ors. vs. Satish Chandra District… (1954), the Supreme Court debated for the first time the right to privacy as a fundamental right, although a majority of the 8-judge bench ruled against the idea. But in Kharak Singh vs. State of UP and Ors. (1962), the Supreme Court equated the right to privacy with personal freedom.
Revealing one’s own personal information or data by falling into the trap of services being offered has become a common human trait. The privacy policies of the applications we use on our phones are more of a window into their agenda, to which hardly anyone pays attention. Such apps usually pry into consumers’ personal and official data without informing them, and the data may then be subject to misuse, unwanted sales advertisements, calls or worse. Consumer data is a major revenue gateway for some applications because one’s data is currency to the other; hence, ‘nothing is for free.’ For example, most websites today, right on entering them, ask for a mandatory “cookie” acceptance, which in some cases can prove to be a privacy concern. One can search for flights on GoIbibo or shoes on Amazon, and later encounter advertisements for the same on every other website or social media platform.
Constitutional mandates and Supreme Court’s observations
Talking of the obvious, the most frequently referred judgement is that of Justice K.S. Puttaswamy (Retd) vs. Union Of India (2017), where the Supreme Court said that the right to privacy is part of life and personal liberty under Article 21 of the Constitution. It also emphasised informational privacy and personal data and how one can control their collection, storage, and dissemination. Also, in a plethora of cases such as People’s Union of Civil Liberties….vs. Union of India and Anr. (1996) and R. Rajagopal vs. State of Tamil Nadu (1994), the right to privacy was recognised. Similarly, the right to privacy being an integral part of Article 21 was mentioned in other cases, such as Ram Jethmalani and Ors. vs. Union of India and Ors. (2011) and in Maneka Gandhi’s case of 1978.
The Judiciary started setting the grounds for the right to privacy long before millennials were born and paired it with Article 21 as its intrinsic part, which can also be derived from the Constitution by having a concise understanding of both Articles 19 and 21.
The enforcement measures provided by the constitution are Article 32 for approaching the Supreme Court and Article 226 for the High Court; thus, appropriate writs can be filed under these articles for illegal infringement of fundamental rights.
Laws and regulations
Till date, there is no single piece of legislation that could address the data privacy of consumers in the digital arena, apart from the Draft Digital Personal Data Protection Bill, 2022, which needs to be enacted. In the meantime, there are various provisions in different laws that can comprehensively be said to be data protection laws in India. Some of which are:
Information Technology Act, 2000
The IT Act embodies provisions such as penalties and compensation for damage to computers (Section 43), compensation for failure to protect data (Section 43A), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 also known as SPDI rules, which may get replaced when the aforementioned bill is enacted. It is applicable to any person or corporate entity for the protection of the privacy of citizens, with a maximum punishment of up to 3 years with or without a fine. In Rule 3, it specifies what can be considered personal or sensitive data, such as passwords, bank details, health details, sexual orientation, and biometrics.
Other important provisions are punishment for dishonestly receiving stolen computer resource or communication devices (Section 66B), punishment for identity theft (Section 66C), punishment for cheating by personation by using computer resource (Section 66D), punishment for violation of privacy (Section 66E), punishment for publishing or transmitting obscene material in electronic form (Section 67), punishment for publishing or transmitting material containing sexually explicit acts, etc., in electronic form (Section 67A) and for material depicting children in such way (Section 67B), preservation and retention of information by intermediaries (Section 67C) under which Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016 were framed and punishment for disclosure of information in breach of lawful contract (Section 72A).
Apart from these, there are other mandates and rules that facilitate protection against and prevention of misuse of personal data and dealing with emergency situations by authorities imposing penalties, confiscations and limiting or blocking access, such as the CERT Rules, 2013 framed under Section 70B, or the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 framed under Section 69A.
There are other laws that aim to address privacy and data protection issues for consumers, such as the Consumer Protection (e-Commerce) Rules, 2020, which protect consumers from unfair trade practices while preserving their rights and interests. The rules apply to OTT platforms and online service platforms such as those offering education, booking transportation, etc. The rules contain provisions for compliance, grievance redressal, controlling market structure, manipulations and penalties.
As protected under SPDI rules, there is yet another piece of legislation to protect digital health data, i.e., the Digital Information Security in Healthcare Act (DISHA), 2018. It created state and national electronic health authorities as adjudicatory bodies of appeal, whose jurisdiction lies with the high courts. The act provides rights to individuals regarding their digital health data to maintain its confidentiality, rectify it, permit collection, processing, storage and transmission, and seek damages for breaches. There is also provision for punishment, which may extend up to 5 years for serious breaches.
Also, there is the Indian Copyright Act to protect computer-generated work and databases, but it needs to be strengthened as compared to the laws of other jurisdictions.
Digital Personal Data Protection Bill, 2022
The Digital Personal Data Protection Bill, 2022 focuses primarily on the specifics. Some key definitions in the document are data (representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication and interception by humans or automated means); personal data (such data by which one can be identified as an individual); data principal (to whom the personal data relates); and data fiduciary (body who determines the purpose and means of collection).
The jurisdictional extent of this law will be within India for data processed online or offline and digitised later. It will also apply to such processing outside India if it is done to provide goods and services to people in India. It also sternly mentions that fiduciaries, while keeping the data secure, need to erase it after the purpose is fulfilled. These provisions apparently align with the EU’s GDPR.
The document grants several rights. The first is the right to information about the processing of personal data, i.e., how and when one can be informed about the processing of such data. One can also withdraw consent from the processing of such data if it is being shared with a third party. There is a major loophole within this provision, which says that consent will be assumed to be given by the data principal if it is legally required, for state’s security, for employment with the state, etc. Such reasons, if not explained, are vague and provide a blanket exception to the government. There is also provision for the correction and erasure of personal data by the data principal. One can erase one’s data unless it is legally required; thus, this provision has some similarities with GDPR (Article 17), yet on comparison, it appears to be loosely framed. The right to be forgotten was also an intrinsic part of Justice K.S. Puttaswamy (Retd) vs. Union Of India, 2017.
For grievance redressal, the Bill creates the Data Protection Board of India (DPB), which will be an adjudicatory body that will have the power to impose fines and direct actions on fiduciaries in the case of a data breach, but there are no provisions formulated in the bill with respect to its composition, appointment, removal, etc., which again raises questions on its independence since the bill can’t be tested for these parameters according to the constitution.
Despite recommendations from The Srikrishna Committee (2018), the Bill has no provision on Data portability (which allows individuals to safely move, copy or transfer personal data from one IT environment to another); on the contrary, the previous drafts of 2018 and 2019 of the same law had such a provision, including the right to be forgotten. On the other hand, GDPR expressly provides for data portability under Article 20. The Committee also said that if there is such an imbalance of power between individuals and the state in areas where the state is only the service provider, then the data principal won’t have the choice to refuse consent, so the idea of requiring consent will be meaningless. For example, AADHAR required for MGNREGA scheme or to get subsidised grains, etc.
There are penalties for various violations by fiduciaries of different amounts, which can go up to 500 crores, but compared to the amount that data protection agencies around the world have imposed, 500 crores may seem like a drop in the ocean because foreign companies do have credible markets in India (examples given later).
Data privacy laws in other jurisdictions
The United States of America
To date, even this country has no single federal privacy law; rather, it has different federal as well as state laws focusing on different aspects of privacy, although not all of the states have laws in place yet. The Federal Trade Commission (FTC), established under the Federal Trade Commission Act of 1914, is the highest government body whose major function is to enforce antitrust and consumer protection laws. It prevents fraudulent and unfair business practices. For example, the FTC levied a fine of $22.5 million on Google in 2012 for discrepancies in its privacy policies, and in 2018, Facebook paid a fine of $5 billion levied by the FTC for deceiving consumers about the control of their personal data; similarly, Twitter was fined $150 million for an alleged violation of the collection of personal data.
The main federal laws which function in the United States
The main federal laws that function in the United States are:
- Children’s Online Privacy Protection Act (COPPA-1998), which regulates and protects data collected about children under 13 years of age. It also contains provisions regarding parental control and access.
- Health Insurance Portability and Accountability Act (HIPAA-1996), which regulates healthcare data and how service providers can use patients’ personal details. It also provides for the editing and control of such data by patients.
- Gramm-Leach-Bliley Act (GLBA-1998), which ensures the safety of consumers’ information and their sensitive data as used by financial institutions for products and services of varied kinds.
- Fair Credit Reporting Act (FCRA), which protects information collected by consumer reporting bodies such as credit bureaus and tenant screening companies. It’s also used by medical information companies.
- Family Educational Rights and Privacy Act (FERPA), which protects student educational records and also gives some rights to parents with respect to the same. These rights no longer remain with parents after the child attains 18 years of age or graduates high school (whichever is earlier).
And, some states have their own privacy laws, such as California’s Consumer Privacy Act (CCPA-2018) which was amended by the California Privacy Rights Act in 2020. It is the strongest privacy protection law in the United States. Also, there is Virginia’s Consumer Data Protection Act (CDPA-2021) which is in line with some provisions of GDPR. The Colorado Privacy Act (CPA-2020) is also in place, which contains similarities to California’s CPRA, Virginia’s CDPA, and the EU’s GDPR. Some other states in recent years also have passed such privacy laws. A few of them are Utah, Connecticut and New York, whereas others are on the verge of bringing up their own state laws.
General Data Protection Regulation (GDPR-2018)
It is the most comprehensive and strictest data protection law in the world. Apart from EEA (European Economic Area) countries, it applies to European residents and citizens. It also applies to certain non-EEA countries that process personal data in EEA jurisdiction. Any activity within the EEA that involves the processing, collection or even monitoring of data is covered by the GDPR, irrespective of the company’s country of origin.
The GDPR used to apply to the UK until the end of 2020, when the UK implemented its own amended Data Privacy Law (DPA-2018) alongside adopting the GDPR, collectively known as the UK’s GDPR. It also applies to Switzerland, with some exceptions, as Switzerland updated its own 1992 Federal Act of Data Protection. Penalties in GDPR go as high as 20 million Euros or 4% of global revenue (whichever is greater). For now, this sets fairly even standards for the world to adopt and also for what it is worth to violate data protection rules.
GDPR lays out some basic principles in Article 5, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. It provides for data provided by various data controllers or processors to be protected and to remain unambiguous and transparent with the consumer or data subject. It gives 72 hours to data controllers or processors to intimate a breach to the data subject unless the breach isn’t controlled.
The consent of data subjects has been a major focus all along while framing every provision of this regulation. The regulation contains some important rights, such as erasure, restriction, and portability of data, in Articles 17, 18, 19 and 20, respectively, of Chapter 3.
The European Data Protection Board is an independent body that functions as the supervisory authority of different states under the EEA to ensure the enforcement of GDPR. Article 38 of GDPR is a provision to appoint a DPO (Data Protection Officer) in some cases, but GDPR mandates in Article 25 the appointment of a compliance officer in those firms that collect or process personal data.
Every other country around the world has some sort of personal data protection in place, either in the form of legislation or regulation. For example, Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA-2000), Brazil has the Lei Geral de Proteção de Dados Pessoais (LGPD-2020), and Japan has the Act on Protection of Personal Information (APPI-2005).
Similarly, other countries such as Israel, New Zealand, South Africa, etc. have their own laws.
But these laws are either loosely framed or are probably anachronistic in comparison with today’s digital marketplace.
Data privacy and its implied nexus with state surveillance
It is not an unimportant or illegitimate concern for citizens. In the 2020s, the world order is a clear marker to raise such concern. It’s a fact that one has witnessed such examples in the recent past that raised eyebrows and pointed fingers towards state surveillance.
The laws that are deemed to be a privacy protection tool for citizens have fewer enforcement and compliance mechanisms when it comes to the government being put in the role of a data fiduciary, especially in the upcoming bill on data protection in India.
Many of the major areas that US and EU data protection laws address are not covered by the upcoming bill in India. In the upcoming bill, the government can be seen taking a higher pedestal than private data fiduciaries by curing itself through exceptions such as “state security”, “maintenance of public order”, or “state sovereignty”. These are indeed important for the safety of citizens and national integrity, but the loose formulation of provisions and unexplained scenarios with respect to these terms make them vague and very prone to violating fundamental rights.
Some examples that have implied the same concern are that the government did allegedly use the Pegasus spyware to target journalists, activists and political party leaders.
In another example, the government, with the help of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, is alleged to have greater control over social media and online contents, mostly to sabotage freedom of speech and expression and, consequently, privacy. One such example is the WhatsApp case, where the government wanted a message to be traceable by its origin and path, which would have made the end to end encryption of WhatsApp redundant and the privacy of a message a farce.
The Indian Telegraph Act of 1885 in Section 5 attempts to give arbitrary power to the government with respect to call intercepting, although it only applies to certain situations as mentioned in Section 5(2), and again it has similar vague terms as previously mentioned. It has also been pointed out by the Supreme Court in the case of People’s Union Civil Liberties vs. Union of India (1996) as a lack of procedural safeguards and an invasion of privacy.
Some sections of the IT Act (2000) also give arbitrary exceptions to the government, much more vaguely than the Telegraph Act. Section 69 of the IT Act gives the green light to electronic surveillance as a part of an investigation of an offence. Such provisions give the government blanket, arbitrary and unregulated power with opacity on its part to control the citizenry and invade the privacy of people.
In the case of Justice K.S. Puttaswamy (Retd) vs. Union Of India (2017), the Supreme Court said that although privacy can be restricted, the curtailment must be proportional and legitimate. The judgement also said that blanket surveillance and mass data collection violate the right to privacy. It was also said that AADHAR infringes on privacy rights by collecting demographic data on residents. However, the Supreme Court in its 2018 judgement said that the Aadhar Act serves a legitimate state aim and read down Section 57 of the same.
Some famous data breaches around the world
Cambridge Analytica case
In 2010, the personal data of more than 50 million Facebook users was collected by this British consulting firm, predominantly for political advertising. It included psychological profiles of Facebook users. It was the largest known leak in history, for which Facebook was fined $725 million.
Aadhar Data Breach
This government ID contains names, bank details (as it is linked to bank accounts), and biometric data. It was reported by the Tribune newspaper that over one million ex-employees of MIETY had access to the Aadhar database. It was revealed when sellers on WhatsApp were provided with unrestricted access to such a database.
Similar data breaches have happened with other websites and businesses that are part of the digital media marketplace nationally or internationally. Learning about them is just a Google search away.
In the present scenario of the digital media marketplace, having multiple laws, unlike the GDPR, creates clutter and leaves consumers feeling outdated, because multiple amendments, new laws and court judgements emerge every year, due to which consumers may become easy prey to manipulation. In India as well, the upcoming bill appears to fail to cover various avenues of data privacy, although many of its provisions are taken from GDPR itself. Today, the EU’s GDPR is an exemplary regulation that other countries follow, either in amending their own laws or in incorporating a ‘hint’ or a ‘chunk’ of this regulation as it is. Data protection is and will be an essential ingredient of a country’s legal system in the future, so taking the job of framing the laws seriously is a must to survive democratically.