If the 21st century has been defined by the information age, data then is the new global currency. Clive Humbly, who built Clubcard, the world's first supermarket loyalty scheme a decade ago, used the metaphor 'Data is the new Oil', to explain how data is worthless, when left 'unrefined'. Much like diamonds, only once it is mined and analysed does it create either extraordinary value, or can be manipulated into a dangerous tool.
With our palms tethered to our smart-phones, privacy in the Insta age seems like a luxury. That if it's on the internet, it isn't private, is everyone's concern. Or better still, privacy is dead, and social media holds the smoking gun. The side effect of the digital economy is the concept of data privacy. World over, Governments have been trying to introduce stricter data privacy laws and provide citizens the right to keep their personal information private and safe from being misused. Implemented on May 2018, the European Union's General Data Protection Regulation (GDPR) has been hailed as the gold standard for data privacy and the toughest-ever privacy regime.
The Facebook-Cambridge Analytica data scandal was one of the first few data privacy scandals that grabbed the world's attention. Millions of Facebook profiles were harvested for Cambridge Analytica in a major data breach and devastating revelations of data misuse came to light. But since then, there have been various other incursions/slip ups by several other internet giants.
Earlier this week (December 2020), France's data privacy watchdog – CNIL fined Google 100 million Euros ($121 million) and Amazon 35 million Euros ($42 million) for breaching the country's rules on advertising cookies. A cookie is a small piece of data stored on a user's computer browser that allows websites to identify users and remember their previous activity. Google and Amazon in France tracked visitors without permission to personalize ads, a violation of French law. CNIL stated that Google and Amazon also failed to provide clear information to users about the purposes of these cookies and how they might refuse them. CNIL added that while both companies made changes to their websites as recently as September, 2020 the efforts were not sufficient to be in line with French rules. In the case of Google, it noted it had derived significant profits from the advertising income indirectly generated from data collected by the cookies and said that the practices affected almost fifty million users.
Earlier investigations into both Amazon and Google by the CNIL had revealed that the companies were allegedly storing advertising-related identifiers; i.e. cookies, on millions of users' computers before asking for individuals' consent. Both internet giants were this time penalised for improperly collecting information about website visitors and for not explaining sufficiently to its users how the cookies, were used. Google's disclaimer text read "Privacy reminder from Google," while Amazon's said "By using this website, you accept our use of cookies allowing to offer and improve our services. Read more." CNIL pointed that neither text gave visitors a clear way to stop the sites from tracking them.
CNIL justified the size of the fines by the seriousness of the breaches. CNIL also gave Google and Amazon three months to change the way they inform consumers about how data is used and ways in which cookies can be managed and rejected. The companies were warned that if they don't update their cookie settings within three months they could face additional fines of 100,000 Euros ($121,095) for each day's delay.
Amazon and Google both defended their practices, saying they aim to give visitors all the information needed to change how they're tracked online. Google said "We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products." Amazon similarly said "We disagree with the CNIL's decision. Protecting the privacy of our customers has always been a top priority for Amazon."
Digitalization is fast yielding vast quantities of data, which offer opportunities for business, human well-being and the environment, if used effectively. However, in the aftermath of Cambridge Analytica,
Governments must take action to limit big tech's power to collect and monetize personal data. The European Union is attempting to curb the misuse of data with GDPR and its big bad wolf provisions but instances like this make one wonder about the effectiveness of the GDPR if an older EU directive (under which CNIL fined Amazon and Google) is shown to be delivering speedier enforcement. GDPR has been riddled with administrative complexity attached to cross-border cases — which involves some joint working and ultimate agreement between multiple DPAs across the EU. Forum shopping, via the GDPR's one-stop-shop mechanism, is looking like the biggest blocker to EU citizens being able to uphold their much-trumpeted fundamental rights1.
Closer to home, India's Personal Data Protection Bill, 2019 (PDP Bill) has been stuck in limbo for close to two years now. In 2018, a draft of the PDP Bill to monitor data privacy in India was introduced in the Parliament. The bill underwent a few changes, and the 2019 version was passed by the cabinet in December 2019, after which it was referred to a joint committee (comprising of members of the Lok Sabha and Rajya Sabha), which is to present a final report before the next budget session for final deliberation before it becomes a law. The PDP Bill primarily focuses on the people of India and protecting their privacy. It seeks to provide more control to Indians over their personal information while balancing the importance of personal privacy and new technological innovation.
Footnote
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
