by Ummey Kulsum and Jasmine Khan
Introduction
With globalisation and advancement in society, the pool of personal information that an individual tends to share with others is increasing. Data is the raw facts and statistics about customers collected during the business operation.[1] It gives information about customers which is used by companies to maximise their profits and manage business activities.[2] A Committee Report reviewing 1980 OECD Privacy Guidelines has observed that global availability with the help of different platforms has increased data flow. This has further led to an increase in the volume of data and has created economic and societal value in the data.[3] At the same time, data collection has led to individual privacy at many risks by the public or private organisations including individuals risking their own privacy by using technologies.
Friedwald has introduced “Seven Types of Privacy” which includes “privacy of data and image”.[4] Data Privacy protects personally identifiable information. Personally identifiable information is defined as an information that identifies an individual.[5] In this article we will discuss why data privacy is important for an individual.
In this article, we would first discuss data as a valuable asset. Then, we would discuss threats to information disclosure and the importance of data privacy. In the next part, the authors would suggest ways forward for data privacy in current times, and in the last part, the authors would conclude with harping on the importance of a strict data privacy regime.
Data as a valuable asset
Data is valuable for companies and businesses for marketing and forming strategies. It is beneficial for increasing revenue and profits, reducing expenses, and satisfying customers.[6]
Multi sharing of data is advantageous to companies. Companies profit from insight provided by the customers whereas customers enjoy better services which are modified as per their needs. Companies by providing loyalty cards take detailed information of customers which helps them in targeted advertising.[7]
Furthermore, big data is beneficial to companies and businesses. It is produced by aggregation of small bits of data. A piece of data enables analysis of other data, thus making poor and narrow data more valuable. Big data reveals patterns of customer’s behaviour and preferences and therefore is used in targeted marketing and generating new products.[8] It has been useful in the health sector, for example, “Google Flu Trend” that aggregated search queries that disclosed information. Such helped in locating the outbreak of the flu.[9] Big data has also been advantageous to the energy sector as the “Smart Grid” provides information about the consumption of energy by an appliance to the customers who in turn reduce energy consumption by reducing the use of appliances using higher energy.[10]
Thus, we observe that data has proven to be a valuable asset for business corporations as well as individuals. The Business also benefits by selling data of customers which they possess in the market to generate profits.[11]
Significance of Data Privacy
The value of data has increased with time but at the same time competition in the market, technological innovation and complex systems have created a threat to data privacy. Data privacy lies in the principle that people should have the right to control and manage their data because data is seen as one’s property[12] and therefore one’s consent should be taken for collection, use, and disclosure of one’s information.[13] Under privacy regulations, such an approach is called Privacy Self-Management (hereinafter called “PSM”).[14] Daniel Solve in his article “Privacy Self-Management and Consent Dilemma” has noted that the principle of PSM comes with the problem of an uninformed individual regarding privacy policies and his/her skewed decision making. People are under the illusion that they are in actual control of data but in reality, it’s the companies and government which have the power over the individual’s decision.[15] Thus, adequate data privacy regulations with actual control and consent are required.
Another problem associated with data is Data Aggregation. Combining bits of innocuous data results in detailed information about a person.[16] Data mining can reveal a person’s choice, personality, activities and also predicts future actions based on the analysis of behavioural patterns from available data. It gives an insight into a person’s personal thoughts.[17] Thus, corporations use it for targeted advertising.[18] One may consent to sharing one or two pieces of information to an institution but due to different data available with different institutions, a combination of all the information about an individual leads to the Profiling of that individual.[19] Profiling is the creation of an individual’s private life like a medical condition, political and religious affiliations, interests, etc. Data aggregation and profiling may be full of errors due to wrong assumptions about data which may create a wrong identity of individual and false positives.[20]
In addition, discrimination due to racial profiling is a problem.[21] Traditional models of de-identification like anonymisation and encryption to separate an individual’s identity from the data collected has failed.[22] Corporations also sell this information for a price without an individual’s consent.[23]
Another problem is Exclusion which is caused when people are barred from accessing their information and also fail to learn about its use.[24] This also leads to exclusion from correcting any error in information regarding them. Thus, creating a power imbalance between individuals and corporations or governments having access to data.[25]
Moreover, the problem of secondary use arises where data may be used for a purpose which was not stated at the time of collection.[26] An Individual consents to disclosure because of its short term benefit but fails to analyse the long term detriment.[27] Thus, it puts an individual in a vulnerable position.
Dataveillance is a term coined by Roger Clarke. It means “systemic use of personal data systems in the investigation or monitoring of the actions or communications of persons.”[28] Thus, the corporations or governments may conduct dataveillance to monitor an individual’s day to day activities. Identity theft caused due to data breaches is also a major pitfall of data collection.[29]
Thus, looking at all the harms caused by data collection use and disclosure, it is necessary to have a proper data privacy protection mechanism to safeguard individuals from dataveillance and other harms associated with it.
Way Forward
The authors have established that data privacy is an indispensable asset because of the value attached to data and its misuse by public or private entities. We have observed that consent of an individual while agreeing to disclose their information is illusory. Therefore, consent should be more affirmative and explicit.[30] It may come with an increased cost of obtaining consent but at the same time is necessary to be weighed against the harms of illusory consent. The Opt-In model of consent is an explicit form of obtaining consent but it has also failed because the consent is made conditional for obtaining services.[31] Hence, we need to come up with a more clear and fair definition of consent.
It has been observed that the individuals cannot foresee the future of privacy implications at the time of the initial collection of data and therefore the individual should have the opportunity of providing consent for downstream uses of data. Hence, consent should be taken at every stage of the new use of data.[32]
Furthermore, Ann Cavoukian had proposed Privacy by Design which provides that privacy must be embedded into technologies or networked data systems. It must be protected by in a business operation. This is based on the proactive approach rather than reactive i.e to prevent and not remedy privacy breaches.[33]
Additionally, strong security measures are most important in data protection. Therefore, the authors propose that there should be End to end Encryption.[34] Michael Ewolshad suggested encryption everywhere and that to protect data privacy before encryption and after decryption, the entire disk should be encrypted.[35] Thus, encryption is also a part of privacy by design.
Right to erasure and Right to be forgotten which have become part of the European Union General Data Protection Regulation, are essential rights for data privacy protection.[36] It ensures that individuals have control over their data throughout and provides them the right to withdraw consent and ask for the deletion of data by entities. Data that is of no requirement for the original purpose should be deleted.[37] Thus, any data privacy protection regulations cannot be imagined without providing the right to be forgotten to the individual. It is an integral part of the data privacy protection regime.
Conclusion
The authors conclude that data is a valuable asset but it should be used in a way that an individual’s information privacy is respected. The authors have discussed how advanced technologies have threatened an individual’s privacy. Consent of an individual is generally illusory. Additionally, data aggregation has led to data profiling which has caused further discrimination and exclusion. The people have no control over the secondary use of their data. Therefore, the authors are of the opinion that data privacy is an indispensable asset. The authors opine that strict data privacy measures are necessary. Therefore, further it is suggested that explicit consent of users, privacy embedded into technologies, end to end encryption data and also the right to be forgotten must be implemented for adequate data privacy protection.
Opinion expressed by the authors are personal.
[1]The importance of Data and Information in Business, https://www.dcodegroup.com/blog/the-importance-of-data-and-information-in-business, (last visited May 8, 2020).
[2]Using Big Data to Increase Profit, https://www.techadvisory.org/2015/12/using-big-data-to-increase-profit/, (last visited May 8 2020).
[3]Organisation for Economic Co-operation and Development (OECD), Privacy Expert Group Report on the Review of the 1980 OECD Privacy Guidelines, at 5, OECD DSTI/ICCP/REG(2012)15/FINAL (2013), OECD Digital Economy Papers, No. 229, (2013).
[4] Rachel L. Finn, David Wright & Michael Friedewald, Seven Types of Privacy, in European Data Protection: Coming of Age 3, 5, (Serge Gutwirth, Ronald Leenes Paul De Hert & Yves Poullet, eds., 2013).
[5] Paul M Schwatz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86, N.Y.U, L. Rev. 1814, 1816 (2011).
[6]Is Your Customer Data Your Greatest Asset or Your Greatest Liability (or Both),Ward and Smith P.A, Attorneys at Law, https://www.wardandsmith.com/articles/customer-data-and-privacy-laws (last visited on May 8, 2020).
[7] James E. Short & Steve Todd, What’s Your Data Worth?, MIT Skogan Management Review, ( Mar. 3, 2017) https://sloanreview.mit.edu/article/whats-your-data-worth/, (last visited on May 8, 2020).
[8] Michael W. Echols, Panopticon-Surveillance and Privacy in the Internet Age, 2009 Worcester Polytechnic Institute 43.
[9] Omer Tene & Jules Polonetsky, Privacy in the Age of Big Data: A Time for Big Decisions, 64 Stan. L. Rev. Online 63, 67, (2012).
[10]Id.
[11] Asha Saxsena, What is Data Value and Should it be Viewed as a Corporate Asset?, Dataversity, (Mar. 18, 2019),https://www.dataversity.net/framework-companies-seeking-invest-artificial-intelligence/, (last visited on May 8, 2020).
[12]Atul Singh, Protecting Personal Data as a Property Right, ILI. L. Rev. 123, 126, (2016).
[13]Daniel J. Solove, Introduction: Privacy Self-Management and The Consent Dilemma, 126 Harv. L. Rev. 1880, (2012-13).
[14]Id.
[15]Daniel, supra note 13, at 1887.
[16]Daniel J. Solove, “A Taxonomy of Privacy”, 154 U. Pa. L. Rev. 477 (2006).
[17]Michael, supra note 8, at 29.
[18]Id. at41.
[19]Omer & Jules, supra note 9.
[20]Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression on 23rd Session of Human Rights Council, Frank La Rue (Special Rapporteur), U.N. Doc. A/HRC/23/40, (April 17, 2013).
[21]Jennifer Chandler, Privacy v. National Security Clarifying the Tradeoff, inOn The Identity Trail: Anonymity, Privacy and Identity in a Networked Society 121, 136, (Ian Kerr, Valerie Steeves & Carole Lucock eds., 2009).
[22]Omer & Jules, supra note 9, at 65.
[23]Michael, supra note 8, at 41.
[24]Daniel, supra note 16.
[25]Daniel J. Solove, “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy, 44 San Diego L. Rev. 745, 764, (2007).
[26]Id. at 767.
[27]Daniel, supra note 13, at 1891.
[28]Jennifer supra note 21.
[29]Identity Theft and invasion of Privacy, https://www.britannica.com/topic/cybercrime/Identity-theft-and-invasion-of-privacy, (last visited May 8, 2020).
[30] Daniel,supra note 13, at 1894.
[31]Id. at 1901.
[32] Daniel,supra note 13, at 1902.
[33] Ann Cavoukian, Privacy By Design: The 7 Foundational Principles, https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf, (last visited May 8, 2020).
[34]Id.
[35] Michael,supra note 8, at 48.
[36]GDPR: The Right to Forgotten,Inersoft Consulting, https://gdpr-info.eu/issues/right-to-be-forgotten/(last visited on May 8, 2020).
[37]Id.
Indian Society for Legal Research 