Lessons From EU’s Data Protection Policy: How To Shield The Online Privacy Of 500 Million Indians

It took the European Union (EU) over 20 years of deliberations and debates to curate a data protection policy. Starting 1995, when the first directive pertaining to the processing of users’ personal data was adopted, the European Union has transformed into a body that not only encompasses political structures, but also thriving businesses and corporations.

Later this week, on 25 May, the General Data Protection Regulation (GDPR) will come into force as a law, thus warranting compliance of businesses across the world dealing with people or corporations that fall within the EU.

In its entirety, the GDPR can be summed under ‘P’s Eleven’. Applicable to ‘personal data’, it allows for control over ‘processing of data’, requires ‘permission for data of a user to be processed’, gives user the freedom to ‘procure data about them being processed’, gives user the right to have themselves ‘permanently forgotten’, warrants data to be ‘protected properly’, requires company to ‘provide information’ to users in case of a data breach, warrants ‘processing controls’ over data, ensures ‘permanent deletion of data’ after it is no longer required, warrants ‘data protection officers’, and most importantly, imposes ‘penalties’ for companies or corporations that fail to comply with the regulation.

It may have taken several years, but the EU must be credited for creating a data protection and privacy law that takes into consideration user interests. The US, however, has laws that vary according to the nature of the data processor, government or private. China, with over 800 million users, has the Great Firewall, thus obstructing any outside interference in its national network, while India, a nation of 500 million internet users, has no data policy at all!

In 2017, the European Union (including the United Kingdom) had over 433 million users. Clearly, the likes of GAFA (Google, Amazon, Facebook, and Apple) had no option but comply with the GDPR. In the last few days, Google, Twitter, Apple, and many other websites that thrive on user data updated their policies. Facebook’s Zuckerberg, still recovering from the Cambridge Analytica fiasco, found himself accountable before the EU lawmakers, given EU has more Facebook users than the United States.

India’s Law and IT Minister, Shri Ravi Shankar Prasad was quick to jump the gun, threatening Zuckerberg and other social media companies with a summon if tampering or online manipulation of the electoral process was discovered online. While his heart was at the right place, his policies weren’t. Without a data policy or law, the data of 500 million internet users in India is up for grabs.

With the growing affordability of smartphone devices, the vulnerability of Indians has increased online. Today, the urban smartphone users depend on utility apps like Uber, Zomato, Swiggy, Ola, UrbanClap, MakeMyTrip, Facebook, Twitter, Instagram, and countless other apps to ease their routine. Given the usage of these apps is inter-linked, the installation of one often prompts the requirement of the other, thus churning out more data. Employers too have added to this jungle, curating apps exclusively for their workers, which often help them track them.

Data, at an atomic level, may constitute one’s name, mobile number or email. Using these three aspects, one can sign up for almost all the utility apps there are. However, the same data leads to the creation of knowledge. For instance, my Uber account, based on these three parameters, churns out data pertaining to my travel duration, distances, and destinations. The likes of Swiggy or Zomato have an idea of my food preferences and the frequency with which I order them.

Apps that require the access of GPS have complete information about where I was yesterday, a week, or even a year ago. For instance, the Google Activity feature keeps a tab of all the cities I have been to, places I have checked into, and the duration I was there for.

With an average user spending over 150-minutes on their Smartphone daily, the amount of data being churned out cannot be quantified. While most of this time is spent on social media, the background activity of other apps in recording data cannot be negated. Alongside, the growing urban demand for smart wearables which include fitness bands and smartwatches has added to the data production.

Synchronised with their mobile phones, these wearables not only offer data about where the user was, how long did they exercise for, but also their vitals. People, eager to monitor their health better, have opted for such devices, without considering the data vulnerability that comes along.

When it comes to user data, it is the context and not the content matters. For instance, data taken from a wearable device and a food ordering app can help a health insurance company analyse the user in question. Similarly, one’s internet search queries, amalgamated with their locations in different instances, may offer a deeper perspective on their life, one they might not be willing to share.

With facial recognition option available on cheap Chinese smartphones, tracking users with data available from public or private CCTVs might become feasible, given data storage and surveillance apparatus prices continue to dip. Combining the data of any two apps or even one, one can garner more data about a user than what is contained in their Aadhaar Card, and this context then leads to a bigger problem; profiling.

In 2012, a report in the New York Times discussed how Target, an offline equivalent of Amazon (Remember the ‘Apni Dukaan’ jibe?), a retail store where one could buy anything was recording data about its customers. The idea was to reach out to users with advertisements before other retail stores could. Funnily enough, they were able to anticipate the pregnancy of one of their customers before her husband even knew about it.

Tomorrow, e-commerce players shall be able to yield the same control in the Indian market, given how the urban population has grown accustomed to these portals for their shopping requirements. What one searches for, what products one compares, and what one eventually buys can be easily used for profiling by third-party agencies, without one’s consent.

Earlier this month, Walmart bought Flipkart in one of those biggest e-commerce acquisitions of all time. With Amazon in the fray, the Indian online retail market can safely anticipate a boom. However, the winner-takes-all in this race would be the one who can efficiently mine user data. Collaborate it with the routine data garnered from apps and one can create an entire scrapbook about a user, from what they want, what they wish, what they can afford, when they can afford, and when they will buy. The Indian user is not only vulnerable but a sitting duck for corporations that are not accountable in any form to the Indian government.

The problem lies in the fact that the user is not aware of what they are consenting to when they install an app or log on to a website that requires their data. For some cents worth of cashback and discounts, people have unknowingly traded their data with corporations.

Today, 500 million Indians are products for corporations that have zero accountability to the Indian government. These products are churning out data that is not quantifiable for an average engineer, but qualifies for selective profiling and maybe, in the longer run, discrimination?

Learning from GDPR, the Indian government, at the earliest, must work towards a data policy that protects user interests. Given the smartphone boom and Prime Minister’s ambitious JAM (Jan Dhan accounts, Aadhaar Cards, mobile phone numbers) Trinity, the data production is only going to increase in the coming years.

The government can start with Aadhaar as the foundation of India’s data policy or else, risk pushing its citizens into a hole of unprecedented exploitation by Western corporations.

The onus now lies with the Indian government. Are they willing to learn from the EU, and how they have managed to get the GAFA to comply, or do they wish to wait for an episode of electoral manipulation or tampering to wake up to the contemporary digital realities?

This is the first of a three-part article on data protection and privacy laws in the context of EU's GDPR.