INTERNET

India needs to adopt a data protection regime for free and fair election

Citizens have no recourse against unauthorised use of data under current Indian laws

Data Protection Indian organisations have often displayed a lax attitude in handling data of users | File

A 2013 study by IRIS Knowledge Foundation and the Internet and Mobile Association of India claimed that Facebook users could swing results in around 160 constituencies in the 2014 general election. Although when this study was published, it was often cited to show the positive impact of social media, the controversy surrounding the Trump victory has shown the other, darker side—how social media could be used to manipulate the electorate and win elections.

The Cambridge Analytica expose and the resulting investigations and testimonies have revealed the transfer of data of millions of Facebook users to third parties; data that was then used for profiling and targeted campaigns. Indian political parties have also been documented to have contracted firms involved in this data breach to manage their social media campaigns

Indian citizens have practically no recourse against the unauthorised use of their data and profiling under the current laws in the country. The Information Technology Act, 2000 gives very limited protection to users from misuse of their data. 

The Cambridge Analytica saga has shown that manipulation of electorate on social media is a reality and there should be sufficient protection in place to prevent this. With the general election only a year away, there is an urgent need to enact a data protection law to give sufficient protection for citizens against misuse of their data. A committee of experts headed by Justice B.N. Srikrishna has been formed to suggest a draft data protection bill for the country. The committee had published a white paper which has received good response from diverse stakeholders. 

In European Union, the existing Data Protection Directive of 1995 and the new General Data Protection Regulation (GDPR) which rolls out on May 25, 2018 provide Europeans sufficient protection from the unauthorised collection, transfer and misuse of their data. This data breach scandal would give sufficient impetus for the committee of experts to propose a robust law modelled on the principles in the GDPR to provide a rights-based framework to protect the right to privacy of Indian citizens in the digital space. GDPR proposes a privacy by design principle where enterprises have to build systems that are designed to protect privacy rights of the users, rather than it being implemented as an after thought. 

GDPR makes it mandatory for organisations collecting data to have clear and affirmative consent from the user to process that data. Thus, vague and unclear privacy policies permitting transfer of data to third parties will be a thing of the past. GDPR also allows users to access their data that an organisation has and provides for the data to be deleted when desired by the user. Both of these are necessary for people to be able to take control of their data.

Indian organisations have often displayed a lax attitude in handling data of users. Security researchers have shown the apps of major political parties to be insecure and sharing data with third parties. If the Indian data protection law is based on the principles found in GDPR, it would provide a robust framework which would require a major rethink by organisations handling data, including the political parties.

If the data protection law becomes operational before the next general elections, it will be a steep learning curve for the political parties who take the data of users for granted and do not think twice before bombarding them with messages and calls. The Cambridge Analytica episode has helped in igniting a debate on the misuse of personal data and it being used for profiling and electoral manipulation.

With organisations including political parties collecting vast amount of data from users, either directly or through data brokers, there needs to be a strict control on its use. With data being a differentiator, the law should also ensure that such data is not transferred to third parties and used for purposes beyond the consent given by users. The new data protection regime in India could be a game changer for internet companies as well as political parties. 

(The author is a technology lawyer and Volunteer Legal Director at SFLC.in)