Skip to content

The Need for India to Regulate Personal Data Protection on Social Media

There is an imminent requirement for data protection that safeguards personal information from corruption, compromise, and lo

The modernization and innovation in the Information Society determine the new necessities for current information and communication technologies to find different globalization problems and solutions. It also includes remote access to information sources, cloud computing, virtual environments, distributed information services, and determining adequate information security policy in enterprises.

Social media and networks should also be added to the group since users passively participate in social media and information consumers. Moreover, they could even realize diverse sorts of direct communications with other users and companies. Social computing is connected with websites like Facebook, Twitter, LinkedIn, YouTube, Pinterest, among others.

These platforms allow users to create their profile with personal data, publish their information, and make it available to other users via the global network. On the one hand, it offers an opportunity to extend social contacts, but on the other hand, it could also cause undesirable effects on user privacy.

“Privacy is one of the biggest problems in this new electronic age”

Andy Grove.

In this respect, laws for data protection are crucial for any nation. Therefore, India must apply special technological and organizational measures for the personal data protection of its citizens. These rules must protect every user’s profile with personal information, against illegal access, distribution, and using them for other goals instead of the defined. India needs a new point of view to formulate the rules to authorize and authenticate social media environments.

Personal Data Protection and Human Rights: A Never Ending Debate

The requirement of personal data protection is asserted by the fact that privacy is an essential human right. It also combines a complex of several separate individual rights. It includes the correct and fair processing of personal data, a different form of communication, secure maintenance of unique profiles on the social platforms, and the list goes on.

If we talk about the term ‘privacy,’ its traditional meaning would be ‘the right to be alone.’ India should preserve the sense in all social media via a global network. It could realize the same based on a firm security policy defined for each form of personal communications and support of individuals’ profiles.

The government policy should increase personal data privacy in the new internet society, especially in social media and networks.

The Personal Data Protection Bill (1) presented in the Lok Sabha in December 2019 set rules for processing and storing personal data and lists people’s rights. It also proposes to make an independent new regulatory authority in the country, the Data Protection Authority (DPA), to sustain the law.

However, the main problem with India’s bill is the lack of safeguards to tight the regulations. Hence, it gives the central government the power to access individual data over and above existing laws such as the Information Technology Act, 2000, that deals with cybercrime and e-commerce.

” We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times, where there are no secrets from government.”

William O. Douglas.

Privacy Rights, Ethics, and its Importance

Privacy rights are connected with the personal information gathered while using social media. It is possible to collect any personal information without the knowledge of the user. Moreover, the organizations could disseminate the private data legally or illegally to any third party.

More companies are now preferring social media to promote their services, and products and employees could post their data. For that reason, there should be a firm policy by employers for using social media sites and networks by employees to protect personal data. It would also draw a line between professional and personal life.

Employers also use social media profiles and networks to select a promising employee, which raises different ethical questions.

Social networks are popular and offer useful contacts and information exchanges between users via a global network and web environment. It is valid for individuals and also for business organizations, managers, traders, among others.

It is a fact that more dealers search for their potential clients using social media. Online traders working on B2C and B2B models prefer social networks with widespread such as YouTube, Facebook, Twitter, and LinkedIn.

On the contrary, individuals upload their profiles on different social media sites, and traders, managers, and employers use it to select potential clients or job candidates.

In this respect, the communication and information created and stored in social media could jeopardize individuals’ privacy. Moreover, the popularity of social networks makes it easier to access personal data.

For instance, Facebook is one of the most popular social media platforms preferred by traditional college-aged students to communicate with friends, family, and colleagues. They upload different personal information, such as photos, videos, and other—consequently, more employers are now using social networking sites to assess job candidates.

It raises the ethical side of the relations since employers use the global network, a public forum to assess their private problem without individuals’ knowledge.

Confidentiality is a fundamental problem for social networking, and there should be adequate technical and organizational measures.

Personal Data Processing and Laws

The basic definition of the term ‘personal data’ is the information that allows identifying a person directly or indirectly. It can include anything from an identification number to one or more factors, including physical, psychological, economic, mental, social, or cultural identity.

The ‘processing of personal data’ is any operation or set of personal data operations via automatic or non-automatic means. The main principles for the process require firm rules for personal data protection.

It includes:

  • The collection of personal information must be based on legitimate reasons only with the consent of individuals.
  • The users must realize the storage of collected data based on defined criteria and goals.
  • Only an authorized person can use personal information based on information security like authentication, authorization, and accountability.
  • The personal data need to be full, correct, and actual.
  • The data transfer to another country, and sharing with other individuals must only be made on the firm rules.
  • Archiving to be made if required by law, but only for a limited period.
  • Personal data must be destroyed after the goal realization.

Why India Needs Privacy Protection Law?

Once the largest unconnected country globally, India is now on its path to becoming the world’s biggest internet-enabled nation with more than 800 million users. Looking beyond COVID-19, India also has the potential to emerge as a leading economic power. Here, technology would play a big part in the economy. Hence, there is a need to harness the remarkable aspect and regulate the bad. It is also necessary for the growth strategy of our nation.

The security policy is a collection of rules to control access to information resources. Hence, the data protection law is an essential component for any country in the internet era.

“Historically, privacy was almost implicit because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules – not just for governments but for private companies.”

Bill Gates.

In the world, several different models of Personal Data Protection law exist. However, there seem to be going several arguments with the new data protection bill in our nation.

India needs to increase its regulators’ capacity to narrowly focus and design a framework for individuals and society’s data privacy. They would be able to achieve better results with this mindset.

Compliance with India’s Privacy Bill

The Personal Data Protection Bill of India imposes hefty new compliance requirements on most businesses in the country.

It includes everyone from e-commerce, social media, IT firms, brick-and-mortar shops, real estate companies, pharmaceutical firms, and hospitals. Only small entities like small retailers who manually collect information and meet other DPA conditions are exempted from the compliance.

These rules would be new to all businesses except for some financial and telecommunication firms. Notably, they already follow several privacy and confidentiality requirements and practices by their sectoral regulators.

The Impact on Businesses

According to the Personal Data Protection Bill, organizations would have to tell users about their data collection practices and seek their consent. Furthermore, companies also need to collect and store evidence that they have given such notice and have received the approval.

The bill also gives consumers the right to withdraw their consent. Hence, the companies now also have to make a system that would allow users to do so.

Users would also have the rights to access, correct, and remove their data, and companies need to make ways to do so.

Second, the bill also allows users to transfer their data and inferences of business based on such data to other companies. It means that organizations also have to develop methods for users to do it.

All entities would also need to make organizational changes for better data protection. It includes privacy-by-design principles, an approach where privacy is a crucial consideration for business organization, security safeguards, and more.

“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe that people are smart. Some people want to share more than other people do. Ask them.”

Steve Jobs.

It also stipulates that all sensitive personal data are to be store in Indian, and critical personal data can’t be transferred out of the country. It would twist businesses’ market-driven decisions to access the best data storage services and force them to keep their data locally in India.

Significant data fiduciaries, a group of people in charge of checking the fair and responsible data storage, will have extra duties. It includes conducting data audits and appointing data protection officers.

At last, the bill also lines rules about non-personal data. The government can ask any business to share valuable non-personal information like aggregate mobility data collected by apps like Uber or Google maps with the government.

However, the bill is silent on the compensation to business for their loss. It could have a long-term negative impact on innovation and economic growth in India.

Penalties to Business for Non-compliance

DPA will have the power to charge any business that does not comply with the bill. It also includes fines for not following the regulations made by the DPA or the government.

The maximum amount of penalties includes 150 million INR or about 2.1 million USD or 4% of the firm’s global turnover in the preceding fiscal year.

Differences Between India’s New Bill and Data Protection Law of EU, the GDPR

First, the bill gives the central government of India the power to exempt any government agency from the bill’s requirements. Such exemptions can be provided on grounds related to national security, sovereignty, and public order.

While the GDPR offers similar escape clauses to EU members, they are tightly regulated by other EU directives. Without these safeguards, the bill gives the central government of India the power to access individual information over and above existing Indian laws such as the Information Technology Act of 2020 that deals with cybercrime and e-commerce.

Second, India’s bill allows the government to order the firm to share non-personal data they collect with the government, unlike the GDPR.

The bill states that it would improve the services of the government. However, there are no explanations about the data usage. The statement is also silent about the data sharing with other private businesses or any compensation for using the data.

Next, the GDPR does not need businesses to store data within the EU. They can transfer it outside the EU as long as they meet conditions like standard contractual clauses on data protection, codes of conduct, or certification systems approved before the transfer.

On the contrary, India’s bill allows the transfer of some personal data, but the transfer of sensitive personal data is only possible if the meets the requirements similar to those of the GDPR. Moreover, the data can only be sent to process it and cannot be stored outside India.

It would create several technical issues in outlining data categories to meet the requirements, which would add to businesses’ compliance costs.

Data Protection Bill of India Promotes Preventive Framework while Strengthening the State Government

The compliance norms on the bill increase the costs for businesses across the economy significantly. What India’s bill lacks is that it fails to address a more precise understanding of the role of privacy in our society and the harms that could come from violations of individuals.

“Importantly, companies are using social media to do things that go way beyond just chatting up existing customers on Facebook. Sales departments use social to nurture leads and close sales. HR posts job openings and vets applicants. Community and support squads mine networks, blogs, and forums with deep listening tools.”

Ryan Holmes.

Instead of protecting informational privacy with a view to the consequent harms due to privacy violations, it aims to protect individuals’ informational privacy by a preventive framework that regulates how businesses collect and use personal information. It means that it is focusing mainly on regulating practices related to the use of data.

It is very problematic since the proposed bill is not capable of adequately protecting privacy. Moreover, it also strengthens the role of state government in the data economy. It would further dilute data property rights and increases state power to surveil without enough checks and balances.

Hence, the bill is likely to create deleterious effects for innovation in the economy while leaving the stated objective of information privacy protection unfulfilled.

Where the Data Protection Bill Failed India?

Even though the bill aims to reduce the gap in the use of personal data between consumers and data fiduciaries, it is doing so by limiting data processing purposes and giving users the right to access their data and know how it will be used. The bill requires companies to provide notice of these rights for customer’s consent before collecting their data.

It means that the bill is built on the premise that a more vital consent mechanism can improve outcomes. However, the statement also acknowledges that users are not capable of providing meaningful consent.

It is a fact that companies obtain such consent via complicated agreements that people do not read. Even if they read them, they can not understand them. Even if they are comprehensible, they cannot negotiate these agreements.

Rather than moving away from a consent-based framework, the bill incorporates the preventive principle of consent and regulation since individuals cannot give meaningful support.

There are high chances that the proposed notice-and-consent framework may be counterproductive. It may not prevent online activity harms but instead, intensify moral hazard.

“With Social Media so prevalent, we are all extremely visible. Your prospective clients, your peers, and your competition can drill as deep as they wish, searching, reading, and gathering information online about you and posted by you without you ever knowing who’s searching. Depending on what they find, your prospects may choose to do business with you or not.”

Mari Smith.

Users could also place more reliance on regulations and become more careless with their online behavior. Moreover, users would also get cognitive loads. In turn, it would make consent requirements futile for personal data protection.

The cots will outweigh India’s benefits if the proposed notice and consent framework do not achieve its objective to implement a preventive privacy framework.

The limitation with Data Processing in the Bill Odds with Evolving Nature of the Digital Economy

India’s bill proposes several limitations on data processing. The proposal’s rationale is to have better individual control over personal information and lower scope for emotional harm.

Instead of narrowing it to reducing specific harms, the bill is imposing significant preventive obligations on data processing.

Some of its requirements are also not complying with the evolving nature of the digital economy. Hence, these could lead to productivity losses for India. They are out of tune with the machine-learning technologies that rely on massive databases to offer services.

“Social media is changing the way we communicate and the way we are perceived, both positively and negatively. Every time you post a photo or update your status, you are contributing to your digital footprint and personal brand.”

Amy Jo Martin.

The bill seeks to regulate technology usage without tailoring the harms that could arise from its use. Hence, it is, in a way circumscribing many benefits of emerging technologies that could benefit social media users.

Conclusion: India Needs More Privacy Oriented Approach for Data Protection on Social Media

Internet privacy is an emerging and essential field in Indian society today. India’s government needs to seek effective measures to prioritize users’ privacy as companies collect more significant amounts of information from and about online users.

Still, there is no denying that a few of the data protection bill requirements for social media are disastrous. There are also several concerns around the government’s access to non-personal data with companies and lack of clarity over data localization requirements.

The data protection bill is the first step towards privacy legislation and recognizing it as a fundamental right. Even though the bill is an excellent measure for user data protection and privacy over social media networks, it doesn’t have requisite procedural safeguards or judicial oversight for the government and its data handling.