The Hindu Business Line 22 Mar 2018

FB’s admission of mistake not enough; India needs stronger data protection laws, say experts 

by The Hindu BL Bureau

Facebook’s data leak scandal has brought back focus on the need for stricter data protection laws in India.

While policy makers here have had a piecemeal approach to the issue, an internet advocacy group says the Digital India story could run into trouble without adequate rules in place.

In addition, digital players such as Facebook should be more proactive in helping consumers understand how they should protect the information they share on any platform.

Prasanth Sugathan, Legal Director, Software Freedom Law Center (SFLC.in), a legal advisory service in the digital space, said: “India’s existing legal framework on data protection is severely under-equipped to safeguard citizens in the modern world. For instance, as per the Information Technology Act and Rules, no one can claim legal remedies against corporations that mishandle their data unless it can be conclusively proved that the mishandling in fact caused wrongful loss. This is clearly inadequate, as data breaches can still be highly damaging in the long run, even if no immediate harm is caused.”

The Facebook data breach, acknowledged by founder and CEO Mark Zuckerberg as a mistake, has sent shock waves across the globe with many commentators seeking strict punitive measures on companies that misuse user data.

Zuckerberg stated on Wednesday that there will be stricter limits on the data that app developers can access. He added that apps that had access to user data before the change in Facebook’s platform policies in 2014 will be investigated, audits will be conducted, and errant or uncooperative actors banned.

“While this tightens how app developers can use the platform and makes it more closed, it is not necessarily the best or even the only way to deal with the issue,” said Nayanatara Ranganathan, who leads data protection issues at Internet Democracy Project, a research and advocacy group based in New Delhi. “Facebook continues to collect information, and profile and micro-target users in all kinds of ways. Profitability of data collection, storage and use makes this practice common among not just other apps on your phone, but also among government actors.”

Time to re-evaluate

The larger issue, though, is that digital players’ core business model is based on harvesting and trading vast amounts of personal data belonging to their users.

“When a multi-billion dollar enterprise functions by monetising its customers’ personal data, exploitation in the interest of revenue maximisation becomes almost inevitable. Incidents like the Cambridge Analytica debacle cannot be prevented merely through knee-jerk reactions like suspending the offenders and public apologies. What needs to be done rather is for Facebook to re-evaluate its entire business model, and place far greater emphasis on principles like transparency and accountability,” said Sugathan.

Privacy protocols

He added that Facebook needs to be more proactive in educating users on privacy protocols. Many important privacy settings are currently buried deep within its complicated settings, and it is unreasonable to expect the everyday user to spend hours trying to optimise his/her privacy settings.

“For starters, Facebook must default all privacy settings to their least intrusive states at the very outset, and clearly indicate to users how they can opt-in to particular data-sharing arrangements. The current practice of emphasising ‘opt-out’ rather than ‘opt-in’ is unsustainable and therefore needs to change,” he said.

But privacy self-management is hard. How many services can a user be expected to manage? “Having default privacy-preserving settings, easy-to-understand controls and multi-language support is important; but let’s not make Facebook’s privacy controls the hill to die on. There should be a standardised baseline requirement for notices across the board. Standardising will not only help users, but also the service providers,” said Ranganathan from Internet Democracy Project.

Market experts point to the regulations formulated by the European Union, the General Data Protection Regulation (GDPR). This aims to bring in restrictions and mandates on ‘Consent and the Right to be Forgotten’ for businesses or customers based in Europe.

“This means, the law would enforce restrictions on data capture and data erasure, which in a nutshell would help protect consumer data on a larger context. The word ‘consent’ within the law will have a specific definition of what it means to the company and the data owner,” said Rajarshi Dhar, Industry Analyst, Digital Transformation (ICT) Practice, Frost & Sullivan.

Originally published in The Hindu Business Line.