hidden

By Asheeta Regidi

Data broking in the era of ‘Big Data’ and smart cities leads to big privacy concerns. A recent investigation by The Economic Times revealed that the personal data of lakhs of Indians is available from data brokers for less than a rupee per person.

Indian privacy laws are, however, completely unequipped to resolve the privacy concerns that arise from this report. Issues like the legality of data broking, who owns a person’s data, and the remedies a person is entitled to, all remain unanswered.

Data broking a grey area

Data brokers get their information from a variety of sources, public and private, both legal and illegal. The data of millions of people from these sources is aggregated and then classified.

The absence of any law specifically prohibiting the purchase of an individual’s data, sensitive or otherwise, without the individual’s consent, makes data broking a grey area under the law. India’s main privacy law — Section 43A of the Information Technology Act, 2000 and the IT Sensitive Personal Data Rules, 2011, issued thereunder, applies only to private companies.

However, the application of this law is limited to companies which have obtained the information directly from individuals under a contract, i.e., the first step of providing information. The data purchased subsequently from such companies, such as by the data brokers, is not governed under this law.

Even if the IT Act was applicable to data brokers, only sensitive personal data, such as names, passwords, biometric information and financial information is protected. Most other data in the possession of data brokers, such as online purchases, chat histories, browsing histories, is unprotected.

You consent to the sharing of your data

Data may be procured by data brokers from legitimate sources, such as from a company collecting the data legally from the people. Usually, such companies have already taken consent for sharing the data. For example, when you sign up for a service with a website, you consent to sharing of your data with undefined ‘third parties’, through the websites’ T&Cs, Privacy Policies and cookies policies.

Once you have given your consent, there is no further recourse against the company or the ‘third parties’ procuring your data.

If the source is legitimate, at most, the data brokers use of the data may be governed by the contract under which they purchased it. For example, Amazon, in its privacy policy, specifies that third party service providers with whom the data is shared cannot use it for any other purpose than for which it is provided.

This, however, does not give the individual recourse against the third party.

Identifying the source

Identifying the original source of the data can give some indication of whether the data broking was legal or illegal. Once the data is aggregated however, identifying the source is very difficult.

The Economic Times report, for example, cited two pieces of data — the specific online purchases of two separate individuals — one from Ebay and one from Amazon. Assuming that the data is authentic, there is obviously a leak from somewhere. The leak maybe from anywhere — the merchant selling the product, the delivery personnel, a data breach at the Ebay/Amazon website, a data breach at the delivery company’s website, cookies installed by a third party — the list goes on.

Even if you do succeed in identifying the source, holding the person accountable may not always be possible. For example, Ebay limits its liability for data loss to the fees provided for the use of Ebay’s service. If the leak is by one of Ebay’s agents, then Ebay, not the individual whose data is disclosed, will have recourse against them under any confidentiality agreements between them. On the other hand, if the data was procured illegally through hacking, then there may be some recourse under Indian IT laws.

Other sources of data

Regardless of the source of the data, an individual does not have much of a recourse. The Economic Times’ report reveals some sources — hospital, bank and loan agents. These agents are also presumably subject to confidentiality agreements. However, only the hospital or bank can sue these agents based on such agreements.

A similar position can be seen in the newly enacted Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, which gives a list of offences against disclosure of information stored in the UIDAI system, but only the UIDAI, not the individual, has the right to file a case for it.

Other sources include official government records like court filings, marriage and property registers, etc. Another source is data you provide voluntarily, through surveys, reviews and memberships. These often don’t have any kind of privacy agreements.

Opt-Outs

No doubt, people have the option to withdraw their consent, but they can then (often) no longer use the service of the website. Even under the IT Act, the option to opt-out is to be provided. Its effect, however, is only limited to the company with which the individual has a contract, i.e., at the first step. The opt-out will not also lead to an erasure of data by third parties with whom the person’s data has already been shared.

Give people power over their data

Had Indian privacy laws granted a person ownership over his own data, then there would be a remedy against the data brokers. In the absence of this, however, there is no legal recourse to opt-out, get the data brokers to erase the data, prevent further sharing of the data or even make corrections in the data. Data breach disclosures are also not mandatory.

No progress, however, can be seen in either the Right to Privacy Bill, and even the right to privacy under the Constitution is currently in question. The inadequacy of data privacy laws, particularly in view of the huge push for Digital India, demonetisation and Aadhaar, is appalling.

To realise the dream of Digital India, the people first need to be given power over their data, who possesses it, what they can do with it and to stop the usage of it.

In the digital age, the most precious possession of an individual is his data, and this should no longer be left as a commodity to be sold at the whim of companies.

The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.