consumer data protection

This article has been written by Venkat Ramaiah, pursuing a Diploma Programme in Business Laws for In-House Counsels from LawSikho.

Introduction 

These days we are all concerned about our privacy and data protection. Hardly a day passes without hearing of some data breach or a con man sweeping someone’s savings by inducing them to click on a site. No wonder when it comes to giving our data knowingly or unknowingly while we do transactions at shops and places, or online, we are really worried about our data security. The shops and businesses too are concerned if they fail to protect the data and privacy of their customers the legal consequences are shockingly deterrent. For example, British Airways was fined equivalent to USD 26 million (October 2020) for a data breach (in 2018) of its customers.

The dictionary meaning of misuse is, as a noun, the wrong and improper use of something and as a verb use something in the wrong way, or for the wrong purpose.

Download Now

Though the words protect and secure are synonymously used in general, when it comes to data and computers, security is mostly concerned against external threat while protection is both from external and internal threat and misuse. So, protecting customer data from misuse is far more elaborate than securing it.

The person (customer) giving the data is the first party, the entity to whom the first party provides the information is the second party and anyone else, including the employees or owners of the entity unauthorizedly using the data, is a third party.

In the days of postcards, we never bothered about privacy or protection; why are we worried now? What has changed? How can the data be misused anyway? These are some of the questions that popup like popcorn in the minds of those who are blissfully not in touch with digital world frauds and crimes.

This article is an attempt to explain and convey the import of the lurking dangers of data misuse both to you as a customer and the establishments handling your data and suggest steps to protect it from misuse. The article has a balanced focus on you as individuals, and businesses – micro, small and medium – handling your information.

The pandemic pulled many small businesses into e-marketing and digital transactions. They tend to ape what they see the bigger businesses do with a little or no knowledge of the implications and consequences of their action(s). This article is an attempt to address the possible concerns they may potentially face.

What is customer data?

Customer data is all that personal, behavioural, and demographic data that is collected by shops, establishments, companies, departments, etc. by any means like:

  • Transactional data tracking.
  • In-store point of sale information capturing.
  • Subscriptions and registrations.
  • Surveys.
  • Online tracking.
  • Social media monitoring.

In this article, the terms ‘customer data’ and ‘personal data’ are used synonymously.

What is data misuse?

Data misuse is the improper and inappropriate use of data for purposes other than as stated or defined at the time of collecting the same (by the second party).

Examples of data misuse

Though when we think of data misuse we think of the internet and hacking (external threats). We would do well to know that there would be a lot of insider threats as well as the collecting organization itself may resort to unethical practices. It is scary but true that even law enforcing units like Police departments are no exception to misuse of data. 

Incidents of insider threat

One of the financial advisers of Morgan Stanley, a well-known global leader in financial services, downloaded account data of about 35,000 of its clients, roughly 10% of its client base. This happened in the year 2015. Data of 900 accounts of these 35,000 clients were shared in an anonymous text sharing site ‘Pastebin’.

Another example is that of American AT&T. When cell phones first came into use, the service provider was giving the instrument too, but it is locked so that it works only on their network and not others – unlocking was illegal then. The workers of AT&T sold customer data to third parties that enabled unlocking of its instruments (cell phones), which resulted in AT&T paying USD 25 million to the Federal Communication Commission, in the year 2015, as a result of this discovery.

Case(s) of police department misusing the data

Here is an example from the USA, considered a shining example of a law-abiding country.

The Minnesota Police have access to the state database on personal driving licenses for official verification purposes. Over a period of two years (2013-2015), 88 police officers across the state misused their access to the data to look up data on friends, girlfriends, etc. outside the call of duty. The state auditors who exposed the occurrence said that more than 50% of the state police officers indulged in questionable searches in the database.

An Associate Press (AP) report said that ‘police officers across the United States misused confidential law database information illegitimately’.

How to Stop Data Misuse?

Fat chance! There are many reasons. It may be that inherently the structure is weak (as in Aadhaar card architecture), or there are not enough security layers, or there is no compatibility between the interconnected systems leaving gaps or myriad other things that may arise out of it. Often it is the insider that has the access, who either clandestinely or inadvertently puts or lets the information to misuse. The great wall of China was neither scaled nor broken, it is the insiders that showed the secret passage for Mongolian Genghis Khan to invade. 

The first requirement for protection and prevention is the awareness of possible internal and external threats and to be perpetually alert to probable misuse. Watch the phrase, no matter how big your security wall is, ‘Never be complacent’.

So, you cannot totally stop data misuse, but you can certainly take steps to govern and prevent data misuse.

With this let us dive into the main topic.

Governing and Preventing Customer Data Misuse

Unless governed and monitored, no matter how many preventive steps you take, the chances of data misuse are high.

Know that protecting data is not just a legal necessity. According to a PricewaterhouseCooper’s survey “85% of people simply would not do business with a company if they have concerns about its ability to secure its data”. 

Customer information (data) is very important for a business to plan, strategize, sustain and grow. To protect the privacy of data is equally imperative for the health of small businesses as it is to the reputation of big businesses. Misuse would result in loss of credibility, affect brand image apart from exemplary damages under various laws. Small businesses are no exception, they must know that they are an easy target for hackers. In fact, during the Christmas season of 2013, hackers obtained credit card and debit card information from millions of customers by targeting small businesses.

Governing

Wondering why govern?

Well, incidents of data misuse keep springing up like weeds. More fertile soil and more weeds! You should keep de-weeding. It is an ongoing activity. It calls for governing, administering, monitoring.

You need to understand the nuanced difference between securing and protecting. In simple words, to secure means to bar or provide restricted access. You secure your valuables by locking them in an almirah and keeping the key with you. You secure your house when going out by locking it and providing access keys only to your responsible and trusted adults who need to access it in your absence. 

To protect is to guard against something (like misuse, abuse, destruction, corrupting, etc.) from those who have access as well as those trying to gain unauthorized access. It calls for continuous monitoring and governing, as distinct from securing, which is a periodic activity that does not need continuous supervision.

So, protection is a two-level activity securing as well as governing.

To govern and monitor data usage, having in-house policies with at least a minimum of rules and regulations is a must. While the big industry is equipped with systems and dedicated departments, it is the small business that scrooges on spending the bare minimum on data protection, either unaware of its vulnerability or ‘who is going to target me anyway?’ attitude. No matter how small a business, if it has customer data it will do well to put in place minimum safeguards to protect it by restricting access to the system and governing the use of its database.

Things to know and measures to take for customer data protection

The Collector has the responsibility

If your business is collecting the information, it is responsible for its protection. So be sure why you are collecting, what you are collecting and how and where you are going to store and who should be provided with the access, on a need to use basis. Irrespective of who in your business loses or misuses customer data, it is your business as the collector of information that is held responsible and penalized. The penalties and punishments according to the new laws and regulations from 2018 the world over are massive as discussed under the heading “Laws and Legal Implications”.

Do not accumulate

We Indians are great collectors and keepers (of trash) – maybe out of a sense of insufficiency or inadequacy.

Do not collect information and store that you do not need. More information you keep, many are the ways to misuse and greater is the temptation for insiders to misuse and outsiders to hack. Say you need positive identification to start with and you are shown an Aadhaar card, after identifying do not store its details, just mark verified by Aadhaar and give your own customer code and password if needed. This way you are not taking sensitive customer information and to that extent avoiding the risk of its misuse.

Scan while copying or downloading data

If you are trying to copy data from a pen-drive or CD/DVD scan it for virus etc., similarly if you are downloading through the internet, make sure that the site is secure (https:// sites are safe; not http:// sites) and preferably store as ‘read only’. 

Detach and keep

For security purposes, we duplicate the data and store it separately. This is not about that; various laws and International Regulations define what is sensitive (personal) data – refer “Laws and Legal Implications” (infra). It is important to note the same and ensure that the sensitive data is segregated from the rest of personal data and stored and secured separately.

Furthermore, know that for statistical analysis of a group or demography, it is necessary to have relevant data but not as sets of identifying sensitive data. Different statistical analyses need different elements of a sensitive data set. Single elements of data by themselves do not affect privacy but only in association with other elements that make them an identifying set. 

Let me explain, gender or age by itself is not sensitive unless it is associated with other details like picture, name, address etc., that help zero-in on the person. So, where possible peel the data segregate and keep in silos, that can be accessed for analysis as elements but are not amenable for association with other elements to identify the individual(s).

The sensitive data set is required only when an individual’s behaviour or trends are to be analyzed (cookies collect and collate this kind of data). Beware, it may not be legal. Check the governing laws. Do due diligence before giving access to sets of sensitive data which you are advised to keep secure and separate anyway.

Create Policies, rules and regulations

Do not just introduce some copy-paste policies to meet a legal requirement or namesake. Have well-considered policies tailored or adapted to suit your business or organizational needs and interests? Keep in mind, the laws as applicable to your organization and the jurisdiction(s) it comes under while drafting the policies. Slightly overdo than underestimate the threat, better to be safe than sorry. Take the help of a lawyer who is in this field, it is worth it. 

Educate, refresh and review 

It is not enough if you put in place some good policies, rules, and regulations. It is more important that you conduct induction programs for new employees and periodic refresher programs for existing employees. Review individual adherence to the policies randomly if numbers are huge, and review all if the number of employees is manageable depending on your resources.

Equally important is to review the policies, rules, and regulations periodically to suit growing needs, and whenever there is a change or new law related to data privacy for compliance.

Secure customer data

Data protection includes data security. The principles of data security whether it is securing customer data, or backup data are the same, only the rigour and extent varies, in that the measures adopted to secure customer data must be more robust. You may refer to articles on data security, here is one by me on ‘backup data security’ giving a comprehensive account of various threats and appropriate security measures to be adopted to secure data.

Laws and legal implications

Though as early as 26 April 2006, the Council of Europe decided and launched ‘Data Protection Day’ to be celebrated each year on 28 January every year, there were no significant laws exclusively on data privacy prior to 2018. Probably neither the possibility of stealing this category of data nor its misuse were considered likely or a threat. But towards the end of 2016 and 2017, details of many cases of private data theft and misuse of gigantic proportions started emerging. 

Their enormity shocked the conscience of people. Regulations were put in place since then by the West. Now, 28 January, the date on which the Council of Europe’s “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” was opened for signature, is celebrated all over the world as “Privacy Day” or “Data Privacy Day” (within Europe it is called ‘Data Protection Day’).

Data, computer systems, internet/www being virtually conjoined like siamese-children, anybody sitting anywhere in the world can access (and steal) information from any place in the world, borders are no barriers. So, let us look at some international laws and regulations starting with the latest.

International Laws and regulations

The Brazilian LGPD

The latest of data protection laws is the Brazilian Geral de Protecao de Dados Pessoais abbreviated LGPD.

Personal Data According to LGPD

The law uses a broad definition of personal data. Personal data is any data that can be linked to an identified or identifiable individual. This includes pieces of data that can be combined with other information to identify any individual.

Briefly about LGPD

  • LGPD is inspired by the European Union (EU) General Data Protection Regulation (GDPR), 2018. But it goes beyond and differs from GDPR in many ways.
  • Non-compliance can result in fines of up to Brazilian Dollars 50 million (about 8 million USD), sanctions and lawsuits.
  • It became officially enforceable from September 18, 2020.
  • LGPD grants enhanced rights to users.
  • It is based on ten legal bases.
  • It embodies principles for the processing that must be complied with.
  • LGPD protects both data processed in Brazil, and the personal data of Brazil-based users irrespective of where the data controller is based.
  • If you have users based in Brazil or if you store or process data within the Brazilian territory, you need to comply with LGPD.

European Union’s GDPR

European Union (EU) was the first to come up with a focused General Data Protection Regulation (GDPR) 2018 whose implementation date was 25 May 2018.

It is a regulating law on data protection and privacy in the EU and the European Economic Area (EEA), including the transfer of personal data outside the EU and EEA areas. According to GDPR, no personal data may be processed unless it is done under at least one of the six lawful bases specified by it, namely: 

  1. Consent, 
  2. Contract,
  3. Public task, 
  4. Vital interest, 
  5. legitimate interest, or 
  6. Legal requirement.

These being regulations and not directives they are legally binding. 

GDPR stipulates that businesses that process personal data must be designed and built with consideration of principles laid and provide safeguards to protect data including pseudonymization* or anonymization** of personal data where necessary or appropriate.
(* It is a data management and de-identification procedure by which personally identifiable information fields in the database are replaced with artificial identifiers.
** It is information sanitization with the intent of privacy protection by removing identifiable information from personal data sets.)

GDPR became a model code for other countries like Japan, USA, Chile, Argentina, Brazil to name a few. 

The deterring penalties for non-compliance of these regulations (the British Airways example given in the Introduction is a case in point) have set the tone for other countries to follow including the latest Brazilian LGPD. 

CCPA of USA

California Consumer Privacy Act (CCPA) was on the lines of GDPR and adopted on 28 June 2018. Based on these, an EU-US ‘privacy shield’ is created for privacy protection so US companies may process EU data outside the EU. 

[The latest decision in Schrems II by the Court of Justice of European Union (CJEU) on July 16, 2020 invalidated this privacy shield.]

The Indian Laws and Data Protection

In India, there are no exclusive laws protecting data privacy. The Personal Data Protection (PDP) Bill, 2019 was introduced in Lok Sabha and referred to the Standing Committee on the same day December 11, 2019, whose report is still awaited. So, till the Bill is passed into an Act and receives the assent of the President, we are to make do with the existing provisions of laws.

The Constitution – What does it say?

There is no specific provision in the Constitution of India granting a right to privacy (nor the concept of ‘data’ was there at that time for specifically mentioning it).

Justice KS Puttaswamy v. Union of India (2017) 

A retired HC Judge filed a petition challenging the constitutional validity of the Aadhaar scheme. A nine-judge constitutional bench unanimously recognized a fundamental right to privacy of every individual guaranteed by the Constitution, within Article 21 in particular and Part III on ‘Fundamental Rights’ on the whole. The earlier decisions in M.P. Sharma Vs. Satish Chandra (1954) and Kharak Singh Vs. Uttar Pradesh (1962) were overruled. What with the present-day large data thefts, and the potential damage that misuse and abuse of data can cause, the Supreme Court ruling is no doubt assuring but not adequate to protect privacy interests. 

About 130 countries now have data protection regulations in some form or other to address data protection issues, it is high time that the Indian parliament pursues and persuades to make the PDP Bill into an Act.

Now let us look at some existing enacted laws: 

Data theft and IPC

We keep calling unauthorized removal and use of data as data theft. If so, can we apply S.378 (theft) of IPC? 

The answer is Yes and No.

‘No’ because according to Section 378 of IPC, “whoever intends to dishonestly take any movable property …” (emphasis added), but data being intangible is not a movable property. 

‘Yes’ if the data stolen is in a tangible form like a hard-disk or pen-drive a case can be made.

How about ‘criminal breach of trust’ u/s 405 of IPC?

Yes, this section can be invoked and if proved punishable u/s 406 or 408 of IPC as the case may be.

The point is that in a criminal case, unlike one under civil or torts no restitution, compensation or damages are possible, only the guilty if proved would be punished.

The IT Act, 2000

The Information Technology Act, 2000 is one Act that has relevance and some provisions that can be invoked in matters of data thefts and misuse. 

S.43(b) of the IT Act may be invoked as applicable which provides for huge penalty and compensation. It is about any person without proper permission downloads, copies or extracts any database, data or information held or stored in any removable storage medium.

  1. 46 of the IT Act provides the Union Government with the power to appoint an Adjudicating Officer to hold an enquiry to adjudge upon complaints filed before such officer when provisions of the IT Act are contravened.

Some such cases related to Privacy are:

  • Vinod Kaushik vs. Madhavika Joshi (2011)
  • Amit D. Patwardhan vs. Rud India Chains (2013)
  • Nirmalkumar Bagherwal vs. Minal Bagherwal (2013)

In the above cases, the Adjudicating Officer was to determine and penalize the unauthorized access of personal data of the respective complainants. 

No matter what the laws are, where and when they fail to deter the wrongdoer, they are more consolation and end of the pipe solution than a real remedy.

Challenges to data protection

Before concluding, let us quickly browse through some challenges to personal data protection.

Legality of data flow

Internet traffic is growing in volume and speed. Just as Coke reached the remotest hamlet where even water is scarce, today the internet is available practically at every village and would soon reach every nook and corner of India with the government’s ‘Digital India’ drive. The speeds are ratcheting up from 3G to 4G to 5G. Anyone sitting anywhere in the world can access (steal) information from a system located anywhere else in the world in a jiffy. It is no more information flow but a flood. A lot of information crisscrosses across the international borders complicating things. But who scrutinizes the data flowing across the borders?

After the CJEU’s decision on Schrems II (hyperlink given under the sub-heading ‘CCPA of USA’ of heading ‘International Laws and Regulations’ supra) to lawfully transfer personal data out of the EU, it is no more a paper exercise. With more and more countries coming up with laws and regulations similar to GDPR and the exemplary penalties they carry, it is important to have a procedure and mechanism in place to assess the impact of data transfer and vet such transfer is indeed lawful.

The Cookie Menace

If you are an internet browser, you know why I call it a menace. Not that cookies don’t have their utility, but by default, most sites made cookies without consent until it was made mandatory by law to obtain consent. Now there is a steady increase in websites that bar the usage of the site if acceptance is not given for cookies. Some even tease you with a piece of information and say, ‘Accept to continue’. This needs to be deliberated and equitably fixed.

Confusion and Concern

A study by the Competition Commission of India (CCI) recently said that, “Data privacy can take the form of non-price competition and abuse of dominance can lower privacy protection”. According to CCI, in the context of competition in the digital communications market, the conflict between allowing access and protecting consumer privacy is an aspect of data (usage). After all abuse of dominance is antitrust. Let me explain with a current example:

We are all aware of the recently proposed WhatsApp’s ‘accept to use or leave’ privacy policy. The fact is that nearly every smartphone user makes extensive use of this app relegating the use of once-dominant email practically to formal communications by taking its place in personal, social, and informal communications. The policy created a commotion to the extent that some approached the Supreme Court, Government of India called a meeting with WhatsApp executives and told that it would be against the soon to be enacted PDP Bill, 2019. This is a typical case the CCI is talking about – abuse of dominance allowing access to consumer data in conflict with consumer privacy. 

There is a buzz on social media asking people to ditch WhatsApp and migrate to Signal. WhatsApp is probably feeling the heat. In the news and social media, we saw that WhatsApp initially came up with the clarification that the policy change is applicable only to users of their app for business purposes and not private individuals. Later, we saw yet another clarification that even for businesses consent is optional and not compulsory to continue with the use of their app. It is confusion galore.

The people who left WhatsApp under the ‘let us migrate to Signal and Telegram movement’ are returning to WhatsApp as evidenced by most downloaded Telegram and Signal messaging apps remaining inactive while WhatsApp is continuing to be the preferred app. 

As per a survey reported in ‘India Today’, 79% of users have said that they are reconsidering WhatsApp, while 29% of the users want to leave as soon as WhatsApp implements the new privacy policy. Is this preference to reconsider because they are putting convenience over privacy or the reported clarifications on the policy by WhatsApp and Facebook? Whatever may be the reasons the question one must ask oneself is:

Is it prudent to trade privacy for convenience?

Summary and Conclusion

There is a difference between security and protection of data. Security is primarily regulating, restricting, or denying accessibility to data to prevent loss or data corruption. Whereas, protecting is safeguarding the interests of the data owner/provider by measures which inter alia include security measures.

There are many international laws and regulations related to data privacy – as many as 130 countries have data privacy laws in place in one form or other. Prominent among them being the European GDPR and the latest LGPD of Brazil. 

India is sadly wanting and lagging behind in this aspect.

To Protect from Third-party misuse:

  • Identify sensitive customer data, segregate and store.
  • Prioritize customer data security, govern data usage.
  • Create policies, rules and regulations, educate employees.
  • Know the law and protect customer rights and your business interests.

In Addition:

  • Union Govt. to pass and give effect to the Personal Data Protection Bill, 2019 as soon as possible to deter wrongdoers and imbue confidence in customers.
  • With lifestyles increasingly nesting on digital technology which is changing everything the way things are done with increased speeds and volume, there are challenges and concerns to be tackled quickly which were not so perceived earlier.

The laws, when they fail to deter the wrongdoer, are more consolation than a real redressal to the affected individual and a huge set back to the business. The best win-win approach is to put in place good and latest security and protection measures. Know that in the digital world and cyberspace what was good yesterday may not be so today and could be obsolete tomorrow. Always stay abreast with technology and law. The key to staying abreast is to be vigilant.

References

[1] Observe IT (June. 2018) – Now part of proofpoint.

[2] Technology Trends – smallbiztrends.com

[3] Kerbs on Security

[4] IT pro portal

[5] Latest Laws .com – Article by Shivani Johri

[6] infolaw.co.uk – Internet Newsletter for Lawyers

[7] The Hindu – (New Delhi Edition January 27, 2021)

[8] Article in ‘Working Solutions’ by Billy West

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here