Introduction
1.
Data protection helps us in safeguarding our
fundamental right to privacy with appropriate legal frameworks that gives
individuals rights over their data and put in place accountability systems and
define the obligations of those who control and process this data.
The Shift to Data
2.
The drivers of economic growth once were raw
materials and resources like land, labour, and capital. The drivers have been
shifting to brainpower industries, meaning they can be located anywhere in the
world and tapped into with much-improved communication technologies.
3.
In May 2017, THE ECONOMIST said that data is a more valuable resource than oil.
The shift from price to data[1]
is accelerating. Data analytic techniques have become the oil
extraction-and-refining plants and data companies have become the new oil
giants. Data is the next “essential” facility and money maker, and this is
prompting debate on how it should be regulated. Today, big data is a big driver
of growth and for some companies, revenue.
4.
Bernard
Marr says that “Over the last two years alone 90 percent of the data in the world was generated.”[2] Klaus Schwab says “data-powered
business models create new revenue sources from their access to valuable
information on customers in a broader context and increasingly rely on
analytics and software intelligence to unlock insights.”[3]
Data Protection and Privacy
5.
Much of our everyday activity takes place in
the online domain courtesy of various apps running on smartphones accessing the
Internet on 4g technology. Many people are shopping
online because of the multiple convenience it offers. Online retailers tend to
remember your purchase history and base their recommendations on your
subsequent purchases on this history.
6.
All this is done through algorithms that
analyse one’s digital footprint extensively – every click, every like, every
second spent on a website, key words in your communication, your demographic
data, geographical location, age, gender, political orientation, etc.,- and mine a wealth of usable
information from it. How can this data be safeguarded?
7.
Tech firms have been voraciously collecting
the data of their consumers, offering free services as an enticement. The major
platforms – the “frightful five” or FAANGs[4]
- have played a key role in the process. [5] Shoshana
Zuboff, in her book, The Age of Surveillance Capitalism, details how
GOOGLE and FACEBOOK developed
their business models to collect and monetise data – “A fundamentally
illegitimate choice,” she says.[6]
8.
Can we expect tech-based companies to
protect our personal information? Not if their business model or a revenue
stream depends on sharing it. Protecting privacy requires a legal framework but
will also require a technology adaptation.
9.
There is growing worry over social media
companies’ non-social and non-economic influence over culture and information
and the implicit threat they pose to the jurisdictions of governments. For
instance, FACEBOOK
and 270,000 users’ data – those
who participated in a survey by CAMBRIDGE ANALYTICA and had consented to having their data harvested – led to a
breach of the personal information for 87 million users and could possibly have affected the 2016 U.S. elections.[7]
Similar concerns have been raised during the U.K.’s
process of Brexit.
The Legal Framework for Privacy Protection
10.
Data protection is a trending topic and many
governments have moved decisively to plug the gaps in their national laws. The
British government introduced a new draft data protection bill in 2017 to replace the 1998 law.[8] Key features include the “right to be
forgotten” on the internet and “the right to innocence” whereby citizens can
request social media sites to remove any content they posted before the age of 18. The bill proposes tougher penalties on companies for data
breaches and a requirement by businesses to inform the U.K. INFORMATION COMMISSIONER’s
office about any breach within 72 hours.
11. The
EU’s GENERAL DATA PROTECTION REGULATION (G.D.P.R.) is the most important change in data privacy regulation in 20 years[9] and considered the world’s most aggressive
set of internet privacy rules. G.D.P.R. is a common
set of rules and practices that apply across Europe and, it is hoped, the
world.[10] G.D.P.R. says that first, companies need your consent to
collect your data and second,
you should be required to share only data that is necessary to make their
services work. More than 500 million people
living in the European Union have the two important rights, i.e., the right of erasure and the right of portability.
12.
After G.D.P.R., California passed a digital privacy
law that gives consumers more control over and insight into the spread of their
personal information online. This is one of the most significant regulations
that governs the data-collection practices of technology companies in America.[11] This is quite a
step as most of the existing laws do little to limit what companies can do with
consumer information.
13.
Unfortunately, Pakistan’s ELECTRONIC DATA PROTECTION ACT, 2005,[12] and the PERSONAL DATA PROTECTION BILL, 2018[13] remain draft pieces of legislation. Pakistan’s
lack of data protection laws may make it difficult (i) for international market
platforms and other e-Commerce companies to operate locally and (ii) to protect
its citizens from data breaches.[14] This is an entry barrier as companies may
hesitate to operate in a weak regulatory regime. And in general, the feeling of
insecurity about one’s personal data can also stifle competition and
innovation.[15]
14.
It is common knowledge that data from
government repositories has been accessed without permission and can be
purchased economically.[16] Telecom
companies in Pakistan have been known to sell subscribers’ data to third
parties, something that is even stated in the privacy policies of some
companies. Hence, the talk of a national data regulator is timely.[17]
15.
Pakistanis based in Europe will see their
online transactions and activity protected under the G.D.P.R. These include banking services, e-commerce
transactions, and activity on social media. It cannot be one-sided protection
and companies in Pakistan will need to adapt to service clients and customers
in Europe (and the world). The EU plans to limit market access to the region if countries do
not rise to meet Europe’s standards. Data protection laws are becoming part of
trade deals. It’s time that Pakistan moved decisively to promulgate data
protection legislation not just for economic reasons but for personal security
and privacy!
16.
It will be a while before regulations in
protecting data become effective, leading to the question: should data be protected or should less of it be collected? Both protection and collection have their
attendant costs and risks. Even the American NATIONAL SECURITY AGENCY could not prevent an
employee from walking off with a thumb drive full of information and releasing
it to the world in 2013.
[2] How Much Data Do We Create Every Day? The
Mind-Blowing Stats Everyone Should Read,
Forbes, 21 May 2018
[3] Klaus Schwab, The Fourth Industrial
Revolution, World Economic Forum, 2016
[4] Facebook, Amazon, Apple, Netflix and Google.
Termed the Frightful Five by Farhad Manjoo, these are the largest
companies in terms of market capitalisation. In 2017, these giants added nearly
a trillion dollars to their aggregate value. The ECONOMIST
says “The five biggest American tech firms together make about a tenth of all
corporate profits. Second, the externalities they may impose on their users,
including a loss of privacy and tech addiction. And third, their probable
pollution of the public sphere with fake news, mass manipulation and lobbying.”
26 April 2018
[5] Data is a “key input and high value
product of the digital economy. Indeed, some of the most interesting, and in
some cases alarming, legal issues in the digital economy lie in the collection,
aggregation, and commercial use of consumer data.” said Makan Delrahim
of the U.S. DEPARTMENT OF JUSTICE at the Harvard Antitrust Conference 2019. Remarks
[6] Interview in The Intercept, 2 February 2019. See the book details here
and The Guardian’s book review here.
“Setting out merely to connect us, Facebook found itself in possession of our
deepest secrets. And in seeking to survive commercially beyond their initial
goals, these companies realised they were sitting on a new kind of asset: our
“behavioural surplus”, the totality of information about our every thought,
word and deed, which could be traded for profit in new markets based on
predicting our every need – or producing it.”
[7] Cambridge Analytica harvested the personal information of approximately 87 million Facebook users
not just to target would-be voters with campaign ads but, as former Cambridge
Analytica staffer Christopher Wylie put it
to the N.Y. Times, to “fight a culture
war in America.” See also Facebook and Cambridge Analytica: What You
Need to Know as Fallout Widens,
N.Y Times, 19 March 2018
[9] The EU GENERAL DATA PROTECTION REGULATION
(G.D.P.R.) became operational on 25 May 2018, replacing the Data Protection
Directive 95/46/EC. G.D.P.R. is “designed to harmonise data privacy laws across
Europe, to protect and empower all EU citizens data privacy and to reshape the
way organisations across the region approach data privacy.” Source: https://www.eugdpr.org/ The G.D.P.R. website: https://gdpr-info.eu/.
[10] What the G.D.P.R., Europe’s Tough New Data
Law, Means for You, NY Times, 6 May 2018. GDPR allows regulators
to fine any company in breach as much as four per cent of its total worldwide
sales. It promotes three legal and business principles for firms that want to
gain or retain user trust: transparency (say what you do), user control
(empower your customers), and accountability (do what you say). See also The EU’s GDPR: Lessons for U.S. Policymakers, Disruptive Competition Project, 25 May 2018
and The EU GDPR: What To Know About The EU's
General Data Protection Regulation,
Forbes, 28 November 2017, The right of erasure, an expansion of the “right to
be forgotten,” gives individuals the ability to have their personal data erased
upon request. The right of portability gives individuals the ability to access
their own data with greater ease. Upon request, individuals will be able to
transfer their personal data from one provider to another. The transfer of such
data should promote ease of access among individuals and competition among
providers.
[11] California Passes Sweeping Law to Protect Online
Privacy, N.Y. Times, 28 June 2018. “The new law grants consumers the right to
know what information companies are collecting about them, why they are
collecting that data and with whom they are sharing it. It gives consumers the
right to tell companies to delete their information as well as to not sell or
share their data. Businesses must still give consumers who opt out the same
quality of service.”
[14] On 23 April 2018, Careem, a ride-sharing
service in Pakistan, admitted that “users' personal data compromised in massive
data breach.” Dawn, “Careem users' personal data compromised in
massive data breach,” 23 April 2018. Another article said that
“The hack affected user data of over 14 million users and 558,880 Captains in
the 13 countries and 90 cities that Careem operates in.” Dawn, “There are no laws to protect your data in
Pakistan. So how can we minimise breaches like the Careem hack?”, 30 April 2018, Time Magazine said “If
you’re one of the millions of Americans feeling like it’s time to start better
protecting your personal data, you’re pretty much out of luck, according to
cybersecurity experts.” We Talked to Security Experts About How to
Protect Your Online Data. Here’s What They Said, 17 April 2018
[15] On Data Privacy, Business Recorder, 10 May 2018. Edited in
some places to delete extraneous text.
In the online space, consumers may not be the
king, but their data surely is, both for legitimate and illegitimate data
scavengers! Therefore, securing and maintaining user trust is critical to the
expansion of online economy, which has opened up quite a few avenues for
entrepreneurship, innovation and value addition at home. Pakistan’s is a
low-trust market, so online platforms will need to be vigilant with users’ data
privacy.
In that vein, episodes such as data breach at
Careem, reported over a fortnight ago, do not help. It’s already damaging that
the ride-hailing service sat, for three months, on the fact that personal data
of some 14 million of its users had been hacked. More alarming is that the
company didn’t tell which markets and users were particularly affected or where
the hacked info had ended up.
The ensuing silence over this matter by local
authorities suggests that users of online economy are pretty much on their own.
The issue of consumer protection, of which
users’ data privacy is an integral part, needs prompt attention. Users cannot
be reasonably expected to decipher the entire online fine-print of terms &
conditions and privacy policies. And due to the tech giants’ “all-or-nothing”
approach towards which personal data they can track, keep and share with third
parties, even the discerning customers have no choice but to join the
ubiquitous platforms, or else feel left out. Currently, a vacuum exists in
Pakistan as to which regulatory body should oversee online space, where
e-commerce players (like Daraz, Home shopping and Yayvo), on-demand services
(like Careem, Uber, Foodpanda, etc.), and several other intermediary platforms
(e.g., OLX, PakWheels and Rozee) operate. After all, this space cuts across
tech, finance and commerce. An E-commerce policy, which has long been in the
works, is yet to come out.
Data protection regulations need to be put in
place to safeguard online users as well as address culpability of firms that
fail to protect their users’ data. After such data breaches, in Pakistan and
elsewhere, online companies are learning that they can get over such episodes
with little to no reputational damage. This will hurt the online ecosystem
going forward.
Comments
Post a Comment