23 Jun 2018 19:52 IST

Grappling with data security, right to privacy

The Cambridge Analytica episode means countries must adopt tighter laws to protect personal information

The recent Facebook-Cambridge Analytica episode may have triggered a number of controversial issues, including placing Mark Zuckerberg, CEO of Facebook, on the defensive, but the biggest positive is the way it has changed the world’s thinking on privacy issues.

To put things in perspective, Cambridge Analytica is a United Kingdom-based data mining firm operating in the political space, primarily offering ‘data’ consulting and communication strategies to political parties around the world. The company has worked with various parties across countries; it supported Donald Trump during the 2016 presidential campaign, as it did the Brexit voting, and has provided electoral consulting to political parties in developing countries such as Ghana and India. The firm’s work during the Bihar Assembly elections in 2010 has been specifically mentioned in news reports.

The data collected by Cambridge Analytica ranges from demographics, consumer behaviour, internet activity and more focused numbers from other public and private sources. In the Indian elections, Cambridge Analytica’s data capture, research and analysis were extensive; these involve video interviews and surveys, ‘on ground’ voter demographic data collection and analysis, behavioural polling, media monitoring, target audience analysis and caste research and eventually coming up with an effective poll planning campaign that offers clients a winning strategy.

Mining personal data

Cambridge Analytica seems to be fully exploiting the power of big data and high-end analytics and psychographics in the electoral process. This is a high-end service for which it has built powerful capabilities, that fetch it good revenues. What’s the problem then? In order to provide clients with winning strategies, the basic raw material required is ‘personal’ data of individuals; and the way Cambridge Analytica has chosen to mine such data is where the problem lies!

The recent Facebook-Cambridge Analytica data breach brings to light the way some of the data were acquired. Information relating to around five crore Facebook users and their network of friends, was acquired as they shared data through specific apps; these apps also collect information from individual users on the pretext of academic research. Facebook claims that such data captured by some of these apps from the Facebook platform was delivered to Cambridge Analytica, breaching Facebook’s terms of service. In effect, personal data collected on the Facebook platform eventually found its way to Cambridge Analytica.

With thousands of data points pertaining to individuals floating around in the public domain, the competitive advantage of companies in this era seems to stem from their ability to gain access to such data and make use of the same for commercial purposes. To be realistic, companies apparently do not hesitate to tread this path!

It is very unlikely that Facebook users are unaware that their personal data is no more so ‘personal’; however, when the reality hit, and the Cambridge Analytica episode brought to front such breach issues, the reactions, across sections of public, governments and regulators, were quite strong.

Right to privacy

The Cambridge Analytica episode has opened up a number of questions that we need to answer. How far private data can be used for public purposes, which includes commercial, political and national security related purposes? To what extent this can be regulated? Does it breach the fundamental right to privacy of citizens? Especially since technology companies and data scientists, backed by large corporates, are pouring millions of man-hours and resources in developing these technologies, what could be the implications, given such uncertainties?

Private data is also being widely tracked by government and other agencies. Today images, photos, video and satellite tracking systems are quite ubiquitous. Facial recognition, finger printing and biometrics are becoming cheaper and more accurate by the day and are being deployed extensively by commercial agencies. The databases of government agencies are increasing exponentially with the size of such data ballooning.

Once one of the above agencies secures such data, the probability that the other gets hold of the same is quite high! Today, ‘data brokers’ are selling private data on marital status, income levels, phone number, email id and online purchase patterns for a ridiculously low price. The Cambridge Analytica episode conclusively proves the same!

Privacy laws across nations have not kept pace with the speed at which technologies are emerging. Regulators have always been on the back foot, playing a catch-up game. Incidents like this force the regulators to enact more stringent regulations. The Facebook-Cambridge Analytica episode and the subsequent testimony of Marc Zuckerberg has done precisely this and has given the required impetus to the latest law on privacy, the General Data Protection Regulation (GDPR).

EU’s General Data Protection Regulation

Replacing the age-old data protection directive of the mid-1990s, this new GDPR, which became enforceable effective May 2018, is a European Union law on data protection and privacy for all individuals within the European Union. The law is wide enough to cover personal data relating to private, professional or public life. It can include name, home address, e-mail address, financial and bank details, posts on social networking websites, photographs, medical information, and so on.

The new law addresses the export of personal data outside the EU. The GDPR is reported to be quite far-reaching and strong in protecting consumers’ personal data. The regulation addresses organisations that gather or process data collected from EU residents. The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The EU has thus shown the path; other countries including India need to strengthen their privacy laws.

Under GDPR, organisations face fines of up to €20 million ($25 million) or 4 per cent of annual global turnover — whichever is greater — for the most serious violations. Companies like Amazon, Google and Facebook are preparing to comply with this new privacy regulation.

Facebook’s reaction to the new law is quite interesting; although Facebook has been apologetic for its actions on data breach, it has skilfully moved the location of more than 150 crore users from its international headquarters in Ireland to its corporate office in the US. This helps Facebook to minimise its exposure to the new EU privacy law as it gets effective from May 2018. In summary, regulations do help only to a certain extent; it is for companies to follow the same in spirit, rather than take recourse to loopholes available in the letter of the law.