Privacy Debate: Do We Need To Be Paid By Social Media Companies For Trading Our Data?

In a few months from now, India will have a ‘Data Protection Framework’ that will decide the contours of privacy almost along the lines of what the nine-judge bench of the Supreme Court outlined in August last year.

One of the challenges confronting the Justice Srikrishna committee drafting the framework and the legislation is to decide what kind of information entitles privacy. There have been different yardsticks adopted by national governments the world over to decide what forms ‘personal data,’ what is not so private, and what constitutes ‘sensitive data’ requiring additional levels of protection.

All of us are producing vast amounts of data every day. This unprecedented volume of data is growing exponentially too. Every 48 hours, human beings create the equivalent of all the data generated through human history up to 2003. And every bit of data is identifiable with the person who creates it or from whom it originates.

Therefore, identifiability of the owner of data is treated as a criterion for deciding the extent of sensitivity attached to personal data. During the hearing of the privacy case, the Supreme Court had also observed that identifiable information needs to be treated in three different categories as ‘intimate’, ‘private’ and ‘public’. Such a classification is critical to the foundation of privacy.

Definitions of “personal data” and “sensitive data” are basic doctrines of regulation of data management and protection of privacy rights. A glance at the definitions of “personal data” in policies and legislation around the world reveals that it is often all-inclusive and flexible.

In the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), “personal information,” another name for “personal data”, means information about an identifiable individual, and in the South African Protection of Personal Information Act (POPI), “personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.

The test of whether information is personal or not is a dynamic one, and should also consider the state-of-the-art technology at the time of processing and the possibilities for development during the period for which data will be processed.

Many countries with data protection regimes have designated a special category of data, namely “sensitive data”, that receives especially stringent protections because of the risk of inappropriate use. Countries like Singapore, Hong Kong and Canada adopt an escalating risk management approach vis-a-vis designating “sensitive data”. Sensitive data, wherever it is specifically defined in privacy legislation, have been described as data on racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, health, criminal offences and sex life. In the United States, greater protection is given to information such as financial data, social security numbers, health information, children’s information, login credentials and/or full dates of birth.

However, it is pertinent to note that most of the national legislation were evolved when the data explosion was in its infancy, and, therefore, a proper classification of ‘personal data’ is lacking even in the most advanced framework enacted by the European Union, namely, General Data Protection Regulation (GDPR). In fact, to correct many of the anomalies in GDPR, Europe is currently working on an e-privacy legislation even as the GDPR is coming to force later this year.

Therefore, it is strongly recommended that the Justice Srikrishna committee seriously explore categorising ‘personal data’ in a more holistic manner, encompassing all possible data that can be attributable as personal identification information – if not in the legislation, at least in the Framework.

As technology evolves with data explosion and artificial intelligence, there are six different types of ‘personal identification information’, which would include ‘sensitive personal identification information’.

1. Demographic data, which includes date of birth, name, age, sex, address, parent’s name, phone number, email address, etc

2. Biometric data, which includes facial identity, thumb imprint, iris scan, blood group, DNA fingerprint, organ scans, etc

3. Financial data, which includes information on PAN, bank account, credit and debit cards, credit history, insurance, EPF/ESI, pension, subsidy, etc

4. Psychometric data, which includes information on education, skills, intellect, behaviour, sexual preference, political views, trade union affiliation, etc

5. Device identity data, which includes phone number, IMEI number of handsets, IP numbers of laptops, computers, servers, routers, ISP switches, etc

6. Access control data, which includes user ID and passwords to access various digital/online platforms, bar codes used to access a premise or a facility and magnetic strips used in various credit cards and ID cards.

While demographic data is collected by most ID card systems, biometric data is traditionally incorporated the world over only in the citizen document known as the passport. It may be noted that in India, it is also being collected through the Aadhaar system for a while, the legality of which is being currently discussed in the Supreme Court of India.

Across the globe, financial data is standalone and not generally linked to other forms of identification for the purpose of security. There, currently, is an effort to link all the financial information – bank accounts, loans, credit cards, term deposits, insurance policies, stock trading accounts, mutual fund investments, EPF/ESI, pension and subsidy – to Aadhaar. Most expect that the Justice Srikrishna committee would tread this territory to understand the risk involved in linking all such financial identities of citizens to basic demographic and biometric data and storing it centrally.

Global best practices provide for segregating the data and going for decentralised storage of information to mitigate risks involved. On the contrary, Aadhaar, which was originally conceived as a direct benefits transfer (DBT) tool to plug in leakages in the system, is emerging as a giant python swallowing all personal information of citizens – private, sensitive and highly sensitive – and making the absolute right of the citizen on the very information questionable.

In the segment of personal data being generated and collected through electronic devices, websites or portals and apps, one can find all of the stated six segments of data. Therefore, it is intrinsically important to define and identify each set of this data and bring in controls wherever necessary. For instance, psychometric data is very sensitive and, in most cases, it can be processed data that would reveal more information than a subject desires to disclose, such as political affiliations, sexual orientation, trade union relationships and so on. Therefore, it is important to bring in stricter controls on companies dealing not only in primary data collected from citizens, but even processed data such as psychometric data.

Given the case of processed data such as psychometric data and since the definition of “personal data” in India’s IT Act (Section 43A) is broad, it is worth noting that identifiability alone may not be a meaningful differentiator to determine what should and should not be covered by data protection rules.

Indian Supreme Court’s suggestion during the hearing of the privacy case to classify “personal data” as “intimate,” “private” and “public” and treat these accordingly while regulating data should be worth following. This three-tier approach will remove a lot of ambiguities surrounding classification of personal data and ensure deserving privacy to “intimate data” and, to some extent, “private data”.

More important is to offer added privacy to “sensitive personal information” and include ‘processed personal information’, which social media companies are trading on without consent from users and reaping in profits. This leaves us with questions like: aren’t we eligible for a share of profits being reaped by social media companies when they make use of our personal data and trade it in the market?