Data Privacy and Big Tech: Is lack of concrete data policies potentially harming the consumers and competition in India?

The Facebook-Cambridge Analytica data breach in early 2018 is one of the most significant known data leaks in Facebook as well as the Big Tech history. This data breach was particularly disturbing as the personal data of millions of Facebook users was harvested without consent by Cambridge Analytica to be predominantly used for political advertising. The illegally obtained data was utilized to build psychographic profiles, determining users' personality traits based on their Facebook activity, so much so that it is believed to have led Donald Trump to the White House.

The term "Big Tech" or "Tech Giants", is widely used in journalism to refer to the largest and most dominant companies in the information technology industry, like Amazon, Apple, Google, Facebook, and Microsoft.

Why Has Big Tech Come In The Line of Fire Again?

In the U.S., the leaders of Amazon, Apple, Facebook and Google have been in the line of fire for leveraging their positions in the market to crush competitors with the power of data.

The story was covered in great detail by Wired.com and the reporter Gilad Edelman. The report informs us that the United States House Judiciary Subcommittee on Antitrust, Commercial and Administrative Law has, as of July 2020, concluded what is being called the ‘highest-profile hearing into antitrust and competition since the 1970s’. The hearing marked the last step before the subcommittee prepares its final report capping the investigation that started in June 2019. The members of the subcommittee came down heavily on the CEOs of Amazon, Google, Facebook, and Apple with damning evidence of the ‘alarming conduct by their companies, culled from explosive internal documents that are now part of the congressional record’ in the U.S.

Major Allegations on Tech Giants

The committee brought to light some extremely anti-competitive actions by these tech giants. Based on the evidence on record the lawmakers pointed out that in 2009, Amazon deliberately sold diapers at a loss in order to price Diapers.com out of the market and forced the company to accept a takeover—after which Amazon raised diaper prices back up. Like Amazon, Apple was also on the hot seat for alleged unfair treatment of third parties like developers who have to depend on Apple to reach iPhone customers through its App Store. Further, it was highlighted how Facebook acquired Instagram and WhatsApp in order to keep them from eating into Facebook’s business.

“Overall, the subcommittee managed to highlight a number of clear instances of the four companies buying up the competition to make themselves stronger or discriminating against rivals on their own platforms,” reported Edelman.

How Does This Impact the End Consumer?

When a situation arises where a company gets so big that it is easily able to crush or absorb the competition to an extent that it can neglect what the customers want without having to jeopardize its profits, it spells bad news for the customers.

In a digital economy, this predatory behaviour can have even more far-reaching consequences as these companies continue to indulge in exclusionary tactics through deep discounting, preferential listings, or exclusive arrangements on their platforms.

As the privacy and antitrust worlds cross over, the problem becomes even more prominent. A classic example is the use of exploitative methods by social media networking platforms to arm-twist users into sharing data to use their services. 

Some of the Existing Robust Approaches to Data Protection Across the World

The US follows a laissez-faire approach and does not have a federal regulation for data protection. Currently, California is the only U.S. state with a data privacy law in place, the California Consumer Privacy Act (CCPA) with ‘opt-out’ provisions. Other states in the US are eyeing the CCPA as a model for their own, but none of those is expected to be adopted until 2021. However, in general, the U.S. courts have collectively recognised a right to privacy by piecing together the limited privacy protections reflected in the First, Fourth, Fifth and Fourteenth Amendments to the U.S. Constitution.

In contrast, EU is governed by the General Data Protection Regulation (“GDPR”), which is completely ‘opt-in’. In an interesting turn of events, Europe's highest court struck down the Privacy Shield agreement between the European Union and the United States as reported by CNN Business on July 16, 2020. About 5,000 companies, including Facebook that relied on the Privacy Shield pact for transferring information across borders, have now been left in the lurch with this decision. The stringent ruling emanated from a seven-year legal battle brought initially against Facebook and the Irish Data Protection Commission by privacy advocate Max Schrems. According to Schrems, the Privacy Shield did not properly protect EU citizens' data from US surveillance practices.

Understanding the Contours of the Indian Approach in View of the Personal Data Protection Bill, 2019

Subject matter expert Rahul Chaudhary, Partner, PSL Advocates & Solicitors says, “It is correct that the proposed Personal Data Protection Bill, 2019 incorporates various elements of the GDPR. However, it is important to appreciate that there are significant variations and even improvements under the Proposed Bill as compared to the GDPR. The Justice Srikrishna Committee in its report has undertaken a detailed analysis of various aspects of data protection legislation across the globe, and it was only after distilling the essence of those legislations that the Committee had proposed a bill.  One of the more obvious improvements is that the financial data is considered as sensitive personal data and is, therefore, accorded a higher degree of protection under the Proposed Bill. Obligations relating to maintaining detailed processing records and notification requirements in case of a data breach appear to have been moderated, whereas the responsibilities of data protection officers (to be appointed by data processors or data fiduciaries) are more expansive as compared to GDPR. It would, therefore, not be correct to presume that simply being GDPR-compliant would automatically make one compliant with the Proposed Bill if it were to be passed in its present form and vice-versa.”

Speaking in particular about the big data and the tech giants, Sonal Kumar Singh, Managing Partner, AKS Partners shares, “the current laws governing personal data privacy in India have outlived their purpose and relevance especially with the rise of Big Data, AI, Blockchain and Internet of things. Data privacy has never been more relevant and more crucial than it is right now. The existing menace of uncontrolled and largely unregulated offshore data transfer by BigTech has highlighted the shortcomings of the existing SPDI Regulations including the lackadaisical approach of the regulators in enforcing the provisions.

The PDP Bill, inspired by EU’s GDPR, is the most talked-about legislation that impacts digital commerce as we know it. Data localization, privacy by design, mandatory audit requirements (by significant data fiduciaries), right to data portability, right to be forgotten, data minimisation, compulsory registration (with data protection authority by significant data fiduciaries) are just a few examples of the paradigm shift that the PDP Bill will introduce. Once fully enacted, the PDP Bill with its extensive notice requirements, should empower the data principals to make informed decisions before permitting collection and processing of personal and sensitive data. Sensitive personal data may be transferred outside India after explicit consent of data principal and pursuant to an approved intra-group scheme or after approval of the data protection authority. While the data localisation norms mandate that a copy of the sensitive data so transferred must be maintained locally in India, it prohibits the offshore transfer of critical personal data (which may be notified by the government).

It is noteworthy that the PDP Bill has also substantially increased the penalty (extending up to 2% to 4% of the worldwide turnover), which will compel BigTech to ensure serious compliance and may even avoid another Cambridge-Facebook scandal.”

It is indeed promising to learn that the Justice Srikrishna Committee Report on Draft Personal Data Protection Bill, 2018 believes as a general canon, data fiduciaries (data collectors) must only be allowed to share and use personal data of users to fulfil the expectations of the data principal (consumer sharing personal data) in a manner that furthers the common public good of a free and fair digital economy. 

It remains to be seen if the Bill will translate into an effective Act and echo the sentiments of the committee, which has recommended that the law shall have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. However, in respect of processing by fiduciaries(data collecting entities) that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling, which could cause privacy harms to data principals (consumers who share their personal information) in India. Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies that only process the personal data of foreign nationals not present in India.