This article has been written by Anuram pursuing a Test Prep Course for Cracking Certified Information Privacy Manager (CIPM) from Skill Arbitrage.

 This article has been edited and published by Shashwat Kaushik.

Introduction

Privacy is a state in which one is not observed or disturbed by other people. Data is not a new term; data collection was done using the paper-pen method from earlier times, which is now replaced by computer-based technology. The data of millions of people around the world is collected every minute and it can be used to collect various sources of information. Privacy is the right of a person and is recognised as a fundamental right.


To counter the issues faced by data collection, the European Union introduced the GDPR (General Data Protection Regulation) in 2016. It sets a new threshold for international good practices and privacy, which relates to data. Other countries, such as Singapore, Australia, and India, have also jumped on the bandwagon by passing the Digital Personal Data Protection (DPDP) Act of 2023.

Why privacy is important and how is it affected by the collection of data

The privacy of an individual is a fundamental right. Each piece of data collected from a user is information about the user. Technology is advancing at an astonishing rate, and the laws are always a step behind. The laws are made from the consequences, not from foresight. Data privacy laws are shaped by the consequences they aim to address. The Digital Personal Data Protection Act (DPDP) is an example of this. Data privacy laws are a response to risks and harms revealed by data breaches that aim to safeguard individuals’ privacy rights and establish clear rules for organisations that are using personal data.

The smartphones we use daily have access to our personal information, habits, secrets, and favourites; if the phone is lost and the contents leaked, it would potentially harm us. Similarly, the data that is collected from you can do the same if it’s not monitored or if there is a breach. Every person is unique and they have unique characteristics, from their biometrics to their mental aptitude. All of this data is available to the companies. Even tech giants like META were fined by the European Union for failing to comply with GDPR. There are numerous incidents like this where there is a violation of the transfer of personal data by the users. As time passes, the quantity of data being gathered is bound to increase, and with that comes the possibility of numerous breaches in data protection and privacy. To combat this, governments are putting in place privacy laws, and individuals or organisations who violate these laws will be subjected to heavy fines.

Data is the new oil

A study shows that an average user spends 401 minutes, i.e., six hours and 41 minutes, per day on the internet. The phrase "data is the new oil" is used to explain the significance of data and how data-driven the future will be. Raw data is not very useful on its own; data collected multiple times from various sources and clubbed together possesses immense potential, and using it, decisions, analyses, comparisons, and all sorts of analytics can be made.

If one uses Google Maps, Google will get to know the location of the user. Similarly, if one visits a certain restaurant, Google will ask for a review of that place. How does Google know that the person has visited the restaurant? It’s from the data collected from the location. In this digitalized world, data is like a goldmine and companies are collecting data at an astronomical level, from small startups to big MNCs.

Data may be classified into personal data, sensitive personal data, and non-personal data.

Why data is being collected

The data collected from an individual tells a lot about their preferences and interests. For example, the data collected from a food delivery app will show what their favourite dish is and how often they order it. The data collected is used for personalised ads; the data collected from one’s search queries, shopping history, location data, and other data can be used to show one specifically targeted ads, and as the saying goes, “If you are not paying for the product, then you are the product.” The companies collect data to increase sales, development, analysis, customer experience, and other functions. The customer experience, personalised ads, the use of employees’ biometric data for authentication, and even the suggestions of movies and series on Netflix and Amazon Prime are results of the collection of data.

The data is even used in sports, where the athlete’s performances are compared with their past, which helps measure the improvements. The collection of data helps a lot in the expansion of this digital world.

Concerns related to the collection of data 

The world we live in today is digitalised. It is technically advanced and is advancing rapidly. As technologies make our lives better, there is another side that is affected, i.e., privacy. The use of technology raises several concerns related to the privacy of people. Most organisations are making decisions driven by the data they collect, from sales to marketing, advertising, the performance of employees, and other purposes where data can be used.

There is no doubt that organisations collect data, but the data must be collected in an ethical way. If unethical means are used in the collection of data, there are various consequences for the data subjects. The collection of data is necessary for various functions but it must not cross the line of ethics. Unethical collection of data will put the safeguards and well-being of the data subjects at risk. Governments across the world are implementing data protection and privacy laws to clamp down on the unethical collection of data. There are various concerns relating to the collection of data and some of the concerns are listed below.

Consent and transparency

The data must be collected with the consent of the user; if not, that is an invasion of the privacy of an individual. Valid consent can be obtained through the privacy policy, cookie policy, or terms and conditions. The user must know what data is collected and what purpose it is collected for.

The Supreme Court of India, in its landmark decision of Justice K.S. Puttaswamy (Retd) vs. Union of India, held that the right to privacy is a fundamental right. This decision was a significant milestone in the history of Indian jurisprudence, as it recognized the importance of individual privacy in the digital age.

The case was brought before the Supreme Court by Justice K.S. Puttaswamy, a retired judge of the Karnataka High Court. Justice Puttaswamy challenged the constitutional validity of the Aadhaar Act, which required Indian citizens to provide their biometric data to the government. He argued that the Aadhaar Act violated his right to privacy and that it could be used for surveillance and other forms of government overreach.

The Supreme Court agreed with Justice Puttaswamy and held that the right to privacy is a fundamental right protected under Article 21 of the Indian Constitution. The Court held that the right to privacy includes the right to be free from unwarranted surveillance, the right to control one’s personal information, and the right to make decisions about one’s own body.

The Supreme Court’s decision in Justice K.S. Puttaswamy (Retd) vs. Union of India has had a profound impact on Indian law and society. It has strengthened the protection of individual privacy in India and has served as a model for other countries around the world.

The Supreme Court’s decision in Justice K.S. Puttaswamy (Retd) vs. Union of India is a landmark decision that has had a significant impact on Indian law and society. It has recognised the importance of individual privacy in the digital age and strengthened the protection of this fundamental right in India.

Transparency in the handling of personal data is crucial for building trust between individuals and organizations. Unfortunately, many people are unaware of the extent to which their data is being collected, stored, and utilised. This lack of transparency can lead to feelings of vulnerability and a sense that one’s privacy is being violated.

To address this issue, organisations must be more forthcoming about their data practices. They should provide clear and concise information about what data they collect, how it is stored, and for what purposes it is used. This information should be easily accessible and presented in a way that is easy to understand.

In addition, organisations should obtain explicit consent from individuals before collecting and using their personal data. This consent should be informed, meaning that individuals should be made aware of the specific purposes for which their data will be used. It should also be freely given, meaning that individuals should not feel pressured to consent. Data protection laws such as GDPR and CCPA recognise consent. Consent is one of the legal bases and it is a widely used one. Article 6 of the GDPR explains consent and states that an individual’s consent should be clear and specific. The data must only be used for that specific purpose. General consent given by the user does not permit the organisation to use the data however it wants; this was widely discussed in the Facebook analytical scandal. The GDPR explains that if other legal bases can be applied, such as contract, legal obligation, legitimate interest, and others, consent may not be required.

Advertising

Advertising, such as personal, targeted, and intrusive advertising, is also a concern with the collection of data. Most of us might have already experienced this by searching for a product on Google and seeing recommendations of similar products on Instagram and other apps. It is not a coincidence; it is the effect of collecting data and showing targeted ads. These targeted ads are the result of data collected from your searches, products you might have liked, and other relevant data. Even though they sometimes seem like a convenience, the fact is that the data is collected and used to manipulate the customer. If there is neither consent nor any other lawful basis behind the targeted ads, it is a violation of data privacy.

The data collected from various sources is used for targeted advertising. The information collected from IP location, search history, and other details is used by the companies in advertising. An article by MIT Technology Review dives deep into this topic. Even when ad-blockers are used, the data collected from cookies, scrolling habits, and location is used to show advertising in which the subject is interested. Personalised ads boost the revenue and sales of the products and services of the organisations. These can be seen on social media platforms and different websites, and if there is no legal basis for this marketing or advertising, the data subject has the right to make them stop or take action.

Data breaches

The collection of vast amounts of data poses yet another threat, the threat of breaches. Data controllers are organisations or people who are responsible for the collection of data. The data controllers decide why and for what purpose the data processing happens. The data controller can also appoint a separate entity to process data, called a data processor. The data processor collects data on behalf of the data controller; the data controller may also appoint multiple data controllers. So sometimes the company to which the data subject is subscribed is someone other than the one who collects their data.

The vast amounts of data collected must be stored. If the storage of this data is not properly secured, the threat of breaches or leaks of personal data is high. Even if it is a large or multinational organisation, this concern still exists. For example, if the data is also handed over to other third parties for analysis or other processes, there is a chance of a breach or unauthorised access.

If the breaches are not identified in time and dealt with, they may result in loss of personal data, identity theft, financial losses, discrimination, damage to reputation, and other losses depending upon the data collected. Hence, proper surveillance, security measures, proper storage of data, and data minimisation can help reduce these. The latest report by HINDU states that India ranks 5th in the list of most breached countries. Data breaches pose serious consequences, especially in the case of personal data.

Secondary use of data

The data collected or processed must be used for a specific purpose for which a legal basis must have been obtained. If the data processor or data controller wishes to use the data for other purposes, additional consent from the users must be obtained. Data is shared with other third parties and it is the responsibility of the data controller to ensure that the collected data is only used for the purpose for which it was originally mentioned.

The data collected can be used for various purposes but it must never deviate from the purpose it was collected for. Legal bases such as legitimate interest can be used to use data for separate purposes but it requires balancing the legitimate interests and fundamental rights of the data subject.

Bias and discrimination

The data is collected based on algorithms that are generated by human beings. If the data collected is biassed, the end product will also be biassed, and therefore biassed data inputs and biassed data algorithms can perpetuate the existing societal basis for discrimination.

The collection of data must be fair to the subject and it should never be discriminatory. The root cause is not the algorithm; it’s because of the discriminatory collection of data. If the algorithm turns out to be discriminatory, the reason lies in the data collected. So it is necessary for data controllers and companies that collect data to ensure that the collected data is not discriminatory or biassed.

Protection of privacy

The laws governing data privacy and protection vary from country to country and each country has its own set of laws. One of the most important laws is the GDPR. The GDPR protects personal data. Personal data means any information relating to an identified or identifiable natural person. The GDPR applies to organisations, both inside and outside of the EU, that offer goods and services to customers in the EU or monitor the behaviour of individuals within the EU.

India has also implemented a new law called DPDP (Digital Personal Data Protection), which aims to protect personal data.

According to the article by Harvard Business Review, it is estimated that the EU has been fined over 1400 times and a total of 3 billion euros for violations of GDPR. As new technologies such as AI emerge, which also use data from the user to grow or expand, the data protection laws ensure that the rights and privacy of individuals are protected.

The rise of technology has led to a significant increase in the collection, storage, and processing of personal data. This has raised concerns about the privacy and security of individuals’ personal information. In response, several countries and regions have enacted data protection laws to safeguard the privacy of individuals. These laws aim to protect individuals from unethical data collection and use by organisations.

Some notable data protection laws include:

  1. General Data Protection Regulation (GDPR): The GDPR is a landmark data protection law that was enacted by the European Union in 2018. The GDPR sets out a comprehensive framework for the protection of personal data. It applies to all organizations that process personal data of individuals in the EU, regardless of their location. The GDPR grants individuals a number of rights, including the right to access their personal data, the right to rectify inaccurate data, and the right to erasure (the right to be forgotten).
  2. Personal Data Protection Act (PDPA): The PDPA is a data protection law that was enacted by Singapore in 2012. The PDPA is based on the GDPR but is tailored to the specific needs of Singapore. The PDPA regulates the collection, use, disclosure, and storage of personal data by organizations in Singapore. It also grants individuals a number of rights, including the right to access their personal data and the right to correct inaccurate data.
  3. California Consumer Privacy Act (CCPA): The CCPA is a data protection law that was enacted by California in 2018. The CCPA grants California residents a number of rights, including the right to know what personal data is being collected about them, the right to request that their personal data be deleted, and the right to opt out of the sale of their personal data.
  4. India’s Data Protection Law, Digital Personal Data Protection: India’s data protection law, the Digital Personal Data Protection Bill, is currently being debated in the Indian Parliament. The bill aims to protect the privacy of individuals by regulating the collection, use, and disclosure of personal data by organisations. The bill also grants individuals a number of rights, including the right to access their personal data and the right to withdraw consent for the processing of their personal data.

These data protection laws are an important step in protecting the privacy of individuals. They help to ensure that organisations collect, use, and disclose personal data in a responsible and ethical manner.

Steps taken for the protection of privacy

  1. Enactment of privacy laws:
    • Governments enact comprehensive privacy laws that set out specific rights and obligations for individuals and organisations regarding the collection, use, and disclosure of personal information. Laws like the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States are prime examples.
  2. Establishment of data protection authorities:
    • Independent data protection authorities are established to oversee the implementation and enforcement of privacy laws. These authorities have the power to investigate complaints, conduct audits, and impose penalties for violations.
  3. Data subject rights:
    • Privacy laws grant individuals various rights regarding their personal information. These rights typically include the right to access, rectify, erase, restrict the processing of, and object to the processing of their personal information.
  4. Consent requirements:
    • Organisations must obtain consent from individuals before collecting, using, or disclosing their personal information. Consent must be freely given, specific, informed, and unambiguous.
  5. Data security safeguards:
    • Privacy laws require organisations to implement appropriate security measures to protect personal information from unauthorised access, use, disclosure, alteration, or destruction.
  6. Data breach notification:
    • Organisations must notify individuals and relevant authorities promptly in the event of a data breach that results in the unauthorised access or disclosure of personal information.
  7. Transparency and accountability:
    • Organisations must be transparent about their data processing practices and accountable for complying with privacy laws. They must provide clear and concise information about how they collect, use, and disclose personal information.
  8. International cooperation:
    • Countries often collaborate to ensure consistent protection of privacy across borders. This includes mutual recognition of data protection standards and mechanisms for cross-border data transfers.
  9. Legal remedies:
    • Individuals who believe their privacy rights have been violated may seek legal remedies, such as filing a complaint with the data protection authority or pursuing a civil lawsuit.
  10. Continuous review and adaptation:
    • Privacy laws are subject to regular review and adaptation to keep pace with evolving technologies and societal expectations. This ensures that the protection of privacy remains effective and meaningful in a rapidly changing world.

Steps taken for the protection of privacy in India

  1. The Constitution of India:
    • Article 21 of the Constitution of India guarantees the right to privacy as a fundamental right.
    • This right protects individuals from unlawful surveillance, intrusion, and interference in their personal lives.
  2. The Right to Information Act, 2005:
    • The RTI Act provides citizens with the right to access information held by public authorities, including government agencies.
    • This right helps individuals protect their privacy by allowing them to access and correct their personal information held by the government.
  3. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016:
    • The Aadhaar Act provides for the establishment of a unique identification number (UID) for Indian residents.
    • The UID is intended to simplify access to government services and benefits but has raised concerns about privacy and data security.
  4. The Personal Data Protection Bill, 2019:
    • The PDP Bill is a comprehensive piece of legislation that aims to protect the privacy of individuals and regulate the processing of personal data by entities.
    • The Bill includes provisions for the consent of individuals for the collection and use of their personal data, the right to access and rectify personal data, and the establishment of a Data Protection Authority to oversee the implementation of the law.
  5. Judicial interventions:
    • The Supreme Court of India has played a crucial role in protecting privacy rights in India.
    • In several landmark judgements, the Court has upheld the right to privacy as a fundamental right and has issued guidelines for the protection of personal information.
  6. Regulatory measures:
    • The Reserve Bank of India (RBI) has issued guidelines to banks and financial institutions on the protection of customer data.
    • The Telecom Regulatory Authority of India (TRAI) has issued regulations to protect the privacy of telecom subscribers.

Conclusion

The digital world is evolving at an astonishing rate, with everyone from startups to big companies relying on data. In this day and age, decisions are based more and more on data collected and processed. The digitalised world runs on data, and even in sports, data is used to monitor the athlete’s progress. When this astronomical amount of data is involved, there will inevitably be breaches and loss of personal data. To counter these losses and breaches, laws are being implemented that help protect privacy in this digitalised world. The data will always be collected, but the collection of data must not be unethical.
