My Article on Data Privacy
DATA PRIVACY
--Anwar Rizvi
What is Data Privacy and Why Data Privacy
These days there is a lot of clamor on personal data privacy and information
privacy. All of us are concerned about the privacy of our personal information.
Besides privacy intrusion, the leaking of personal information can be a potential
financial risk.
Increased dependence on technology for most of our routine and day-to-day chores
makes it imperative that we share personal data on Technology platforms. The
most common technology platforms on which personal information has to be
necessarily shared are banks, utility companies, government/federal agencies,
educational institutions, hospitals, online shopping portals, and many more.
Personal data is also shared for having accounts in social media and messaging
platforms like Facebook, LinkedIn, Instagram, WhatsApp, Twitter, etc.
Privacy is essentially a right to be free from unwanted intrusions. It is the right of a
person to be left alone.
Privacy is also a constitutional guarantee in many countries. It is a fundamental
human right and a core principle of human dignity.
What is privacy? There are various privacy definitions. Data privacy or Information
privacy concerns handling, processing, storage, and use of personal data. It is
about the rights of individuals and their personal information.
Information privacy concerns the relationship between the collection and
dissemination of data, technology, the public expectation of privacy, and the
legal, social, and political issues surrounding them.
Ensuring data privacy is a challenge for every data user as they need to use data
while protecting an individual's privacy preferences and personally identifiable
information.
Difference Between Data Privacy and Data Security
Often the terms data privacy and data security are confused in their usage. There
is a tendency to interchange these terms. Data privacy and data security are
different. Data privacy, as explained above, is the right to protection of personal
data. Data security is the protection of personal data from unauthorized access or
deliberate breach with malicious intentions.
Personal data, if breached, could provide valuable information to cybercriminals
who use people's personal information to impersonate them or scam them into
handing over login credentials.
Personal data is collected using technology tools. The use of appropriate technology
tools for ensuring data privacy is imperative. The fields of computer security, data
security, and information security employ specially designed software
and hardware and human resources to address data privacy issues.
Stakeholders in the Data Privacy Play
There are many stakeholders in the data privacy play. Briefly, the stakeholders are:
1) The Data Subject. The data subject is the individual whose personal data is
in question. The data subject is the most important stakeholder. The data
privacy ecosystem revolves around the protection of privacy of personal data.
2) The Data Controller. The data controller is the organization collecting and
using the data.
3) The Data Processor. The data processor is the organization that processes
the data gathered by the data controller. The data processor is responsible
for ensuring data privacy. In some cases, the data controller and the data
processor can be the same.
4) The Data Regulator. The data regulator is the regulatory or statutory body
that formulates the privacy framework. Generally, the regulators are
Government agencies.
The data controllers and the data processors should build data management
systems that comply with the regulatory privacy framework.
Data collection, data storage, and data processing are all technology-driven.
Technologies are continuously evolving and improving.
Importance of Data Privacy and Data Security
Personal data is of immense use for many organizations. The range of fields in
which personal data finds use is mind-boggling. The use of personal data for pushing
sales is well known. The use of social media platforms and other apps by the data
subjects increases the risk of their personal preferences in many areas being
exposed to data controllers and processors. This data is the new gold in the digital world.
Many organizations are willing to pay handsomely for this data.
Services like LinkedIn, Instagram, Twitter, Facebook, WhatsApp have a large
subscriber base. Most of these are free services. Some may offer a premium service
at a cost. Operating these services involves significant cash requirements. These
are all profitable organizations. Since their subscription is free, the revenue model
capitalizes on targeting the subscriber database in many ways.
Facebook paid 19 billion dollars to acquire WhatsApp. Facebook also acquired
Instagram for one billion dollars. Facebook saw value in these acquisitions on
account of their popularity and their large subscriber bases. Access to the data of
the WhatsApp and Instagram subscribers is a gateway for significant financial gains.
These gains can occur both through legal and illegal ways of using personal data.
Consider these examples:
A) The Facebook – Cambridge Analytica association scandal rocked the world
some years back. Cambridge Analytica collected and analyzed the data
of 87 million Facebook users without their consent. The analysis of the
personal data helped in knowing the political affiliation of the users. They
used an App specially developed for this purpose. Cambridge Analytica sold
this psychological profile of American voters for political campaigns in the
2016 American Presidential Elections. Facebook accepted responsibility for
this deliberate data breach and paid a fine of five billion US dollars to the
Federal Trade Commission.
B) A low-level hacking forum in April 2021 posted the names, email IDs, and
phone numbers of 533 million Facebook users. These users are from 106
countries. Facebook on its own did not announce this. An Indian business
magazine reported this. After the news was out, Facebook came up
with an explanation. In a blog post, Facebook explained this as data
scraping and not a data breach. Scraping is a common tactic that relies on
automated software to lift public information from the internet. Facebook
also claims that this may have happened before 2019 when it fixed
vulnerability issues.
C) A few days after the Facebook data leak came the news of a data leak of
500 million LinkedIn users. The leaked LinkedIn subscriber data includes
full names, user IDs, email IDs, phone numbers, professional titles, and
work-related details. LinkedIn has also explained this as data scraping and not a
data breach.
Whatever Facebook and LinkedIn have to say, cybercriminals can strike gold with
this scraping.
Manual processing of the data is impossible on account of the sheer volume. The
use of technology and tools for processing data to gather specific outputs has
become the new norm.
The influence of technology in data processing and privacy is fraught with risks.
Unethical hacking of data and selling of data on the dark web has become very
common.
Many feel that a data breach or data leak does not always impact the data subject.
While this may be true in some cases, access to the data can be beneficial to many
organizations. Processing the data for specific outputs gives both tangible and
intangible gains. Why should anyone benefit from this data?
Ensuring Data Privacy – Role of the Data Subject
Unless stolen or obtained through illegal means, it is the subject who provides the
personal data.
The dependence on technology and apps in our daily life makes it impossible to
keep data private.
The data subject is the most concerned about the privacy and security of personal
data. Personal data is safe as long as it is not shared. Risks of privacy breaches
increase as the data get shared.
Before sharing personal data with an organization, the subject must know the
following:
- The purpose for sharing the data
- The regulatory framework for sharing of data
- How much and what data to be shared
- The reputation of the data controller and the data processor for handling
  data security
- A clear understanding of the terms and conditions governing the data usage
  of the recipient organization
- The right to data privacy as per the regulatory framework
- Legal recourse in case of breach of privacy
Many data subjects will not have the means to get information on these important
data privacy issues. However, this should not be a ground for sharing the data freely.
Many apps and websites ask for registration as a precondition for using their
platform. The registration may be required for transacting a business or for
accessing information. Some apps allow the user to access their app as a one-time
user without insisting on registration.
For ensuring privacy and security, the data subjects may consider the following
before sharing any personal data:
1. Make sure that access to the app or website asking for personal data is
necessary.
2. Ascertain the need for registration for accessing an app. Do not register and
share personal data if the app allows access without registration.
3. Read the terms and conditions and data policy of the data controllers and
data processors. Data subjects tend to agree to the terms and conditions
without seriously reading the fine print. By agreeing to the terms and
conditions, the data subject gives away certain privacy rights.
4. Some apps ask for access to the contacts of the data subject. Do not say yes
to this. Agreeing to this puts their data privacy at risk.
5. The data sharing with delivery-based portals comes with the risk of the data
being also accessible to other players in the supply chain. Make sure that
the other players in the supply chain are also trustworthy.
6. Many shopping and utility company portals ask for permission to store the
credit card/debit card details on the portal for quick check out. Do not agree
to give this permission. These portals are potential hacking targets for
cybercriminals.
7. Do not save passwords for access to the financial and other critical sites on
the browsers. Say no if the browser asks for permission to save the
password.
8. Find out how long the recipient will keep the shared data. The
recipient should not keep the data longer than is necessary.
9. The data recipient should give you the right to withdraw your consent at any
time.
10. You have the right to approach an appropriate data protection authority for
lodging a complaint in the event of a breach of contract.