Unveiling The Privacy Paradox: Personalized Marketing And Article 21 In India
Are personalized advertisements leading towards the potential breach of the
right to privacy? Is tailored marketing paramount to personalized content or
personalized contempt of privacy? Are the current Data Protection laws
sufficient enough to secure the personal data of the individuals? How to prevent
the breach of the new age asset namely the data in the current era whereby
there's a close eye on your web activities in the name of distinctive content
driven algorithms provided to the individuals?
The issue of personal data protection remains an unresolved quandary, particularly concerning tailored marketing practices on the internet. Despite advancements in legislation and regulatory frameworks, the efficacy of safeguarding individuals' personal data in the realm of online personalized marketing persists as a paramount concern. Henceforth, this article endeavors to elucidate how a seemingly inconspicuous lacuna within extant data protection legislation may precipitate a transgression of Article 21, as enshrined within the Indian Constitution.
Data and Digital Data:
Information is the oil of the 21st century, and analytics is the combustion engine", this phrase by Peter Sondergaard got a lot of attention when humans realized the importance of Data. No sooner after this when people perceived the eminence of data, Clive Humby coined another phrase, "Data is the new oil". In the beginning of the 21st century, as technological progressions in the digital sphere transpired, data became the most valuable asset, replacing oil.
The centrality of oil during the Industrial Revolution of the 20th century is now yielding to the ascendancy of data in the contemporary landscape of the Fourth Industrial Revolution. Data and oil are both found in the crude form and need to be refined in order to use them in the desired manner. Thus, these points of similarities led the scholars to conclude that, "Data is the new oil". To understand the concept of digital data it is important to begin with several basic terminologies revolving around the concept of Digital Personal Security.
According to the Section 2(h) and Section 2(n) of the Digital Personal Data Protection Act, 2023;
"Data" means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
"Digital personal data" means personal data in digital form.
Furthermore, digital data can be classified into 3 major distinctive categories, i.e. Digital Personal Data, Digital Non-Personal Data and lastly Digital Critical Data.
Personalized or Tailored Marketing:
Personalized or Tailored Marketing constitutes a digital marketing modality that involves the customization of content and advertisements for specific products and services, contingent upon an individual's internet activities. This marketing practice leverages sophisticated algorithms to deliver content or advertisements tailored to the discerned tastes and preferences of consumers.
The accelerated pace of contemporary human existence manifests as a rapid cadence in the lives of individuals, where time is a precious commodity perpetually in demand, henceforth, this process of marketing namely digital marketing play a prominent role in furnishing substance-driven personalized advertisements and content that are not only personalized but also highly pertinent and beneficial to the target audience. In order to provide such customized content or advertisement to the target audience, the browsing activities of a user are being stored as data within the database of a company. Such data is being collected from the cookies that are generated or accepted while surfing on the internet.
Cookies are data files generated by a web server and transmitted to a web browser, which subsequently stores them for a specified duration or the entirety of a user's session on a website. These stored cookies later enable websites to discern and analyze the browsing preferences of the individual, thereby facilitating the delivery of algorithmically driven, personalized content.
These cookies serve to retain and manage data pertaining to website activity, including visited pages, items within a shopping cart, login credentials, search history, and language preferences. Additionally, they may gather personally identifiable information such as names, email addresses, phone numbers, and other user-related data. The discretion to accept or reject such cookies, i.e. to allow such web servers to store the personal information or any such information depends upon the user.
Therefore, this is how the tailored or personalized marketing process works with the help of the web cookies in order to generate the algorithms that are content driven as per the taste and preference of an individual.
Right to Privacy- An Overview:
Privacy, though lacking a singular legal definition, privacy has been expounded upon by legal scholars as a fundamental human entitlement inherent to all individuals by virtue of their existence, not contingent upon any instrument or charter. This encompassing concept extends beyond mere seclusion to encompass facets such as bodily integrity, personal autonomy, informational self-determination, safeguarding against state surveillance, preservation of dignity, confidentiality, protection from compelled speech, and the liberty to dissent, move, or contemplate.
In essence, the entitlement to privacy necessitates adjudication on a case-specific basis. The evolution in the field of technology and the digitalization of the biometric and the demographic information of the individuals made the legal scholars argue whether the right to privacy was a fundamental right under the Constitution of India or not.
The Right to Privacy in India is a fundamental right granted to the citizens of India to safeguard their personal information and to limit the collection and storage of data by governmental and private entities, thereby protecting individuals from threats to their privacy. The judgment passed by the nine Judge Bench in the case of K.S. Puttaswamy (Retd.) & Anr. Vs. Union of India & Ors. is regarded as the landmark judgment which gave the Right to Privacy constitutional validity and brought the Right to Privacy under the ambit of Right to Life and Personal Liberty under article 21 the Constitution of India.
This landmark judgment unanimously held that "the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution". Though this judgment became the reason for the existence of the Right to Privacy and its confinement into the Constitution of India as a fundamental right, the concept of privacy and the right to privacy has been a subject of extensive deliberation in the Indian apex court for a considerable period, with numerous cases thoroughly examining the issue.
Henceforth, the result of this thorough discussion and the need of an individual's safety of privacy resulted into declaring the Right to Privacy as the fundamental right as enshrined in the Constitution of India.
Digital Personal Data Protection Act, 2023:
The Digital Personal Data Protection Act (DPDP Act), 2023 is significant piece of legislation in India that governs the use of personal data of the individuals in the digital space. This act was enacted to prevent the breach of privacy of the users in this era of digitalization. The Act outlines the rights of individuals (data principals) and the obligations of the entities handling their data (data fiduciaries). It mandates informed consent for data collection and imposes strict penalties for non-compliance, aiming to ensure responsible data management while balancing the interests of both individuals and organizations.
The Shah Committee, which was chaired by Hon'ble Justice A.P. Shah is considered to be one of the first steps in the construction and the formation of the aforementioned legislation. The Shah Committee was an expert committee formed and established by the Government of India in order study and review the international laws and regulations about the digital privacy and to recommend the most suitable legal framework to legislate such privacy laws in India. This committee issued a report which became a blueprint for the legislation of the privacy laws in India. The key elements of this report are the nine basic privacy principles mentioned therein which were an adaptation of the best international policies and provided a basic guideline for framing the Indian privacy laws.
The most prominent role in the codification of the privacy laws in India was held by the B.N. Srikrishna Committee which was establish by the Government of India led and chaired by Hon'ble Justice B.N. Srikrishna in the year of 2017. This committee was assigned a task to review and analyze the current situation of the data protection and privacy laws in India while taking a reference from certain international policies and regulations governing the same in their respective country or region.
The said committee submitted a report in the year of 2018 which not only became a guideline for the new privacy laws in India but also served to be an informational asset regarding data, consent, data regulations, data protection and provided certain exceptions regarding the implementation of aforementioned privacy laws with the reasonable explanation thereon. The B.N. Srikrishna Committee also submitted a draft bill called the Data Protection Bill, 2018. This draft bill proposed stringent regulations on data processing activities, data localization, and the establishment of a Data Protection Authority (DPA).
The draft Bill was later introduced in the parliament as the Personal Data Protection Bill, 2019, the parliament suggested several modifications and was also discussed in a Joint Parliamentary Committee (JPC) for further scrutiny and public consultation. Furthermore, the committee conducted a thorough survey and took extensive consultations from the different sections of civil society and the legal experts.
The committee even considered the data protection laws around the globe in order to adapt the most suitable legal framework for the said laws and its implementation in India. Moreover, in the year 2021, the said committee issued and submitted a report wherein all the changes regarding the draft bill were suggested. This amended bill was named the Data Protection Bill, 2021. This bill suggested notable changes and various amendments to address the concerns about government exemptions, data localization, and cross-border data transfers.
In the year 2022, by the recommendations of the JPC Committee and the public feedback the government of India took a decision to withdraw the Data Protection Bill, 2019 and announced that a new bill will be introduced after considering the JPC's suggestion and recommendations. Furthermore, The Ministry of Electronics Information Technology issued a draft bill for the data protection laws, the bill was named as the Digital Personal Data Protection Bill, 2022.
This new draft simplified several provisions and focused on core principles of data protection. The bill was later introduced in Parliament as the Digital Personal Data Protection Bill, 2023. The said bill was able to build a consensus and therefore was passed by both houses and received the presidential assent thereon on, becoming the Digital Personal Data Protection Act, 2023.
The main purpose of Digital Personal Data Protection Act, 2023 was to ensure the safety of the personal data of the internet users, it was also legislated for the prevention of data misuse and ensuring the data security, it also provided the rights for the data principals with the outlines of the conditions for the cross-border data transfers.
These service providers at times not only consist of the developers of the application/websites but also the partners and the vendors of the application/website. The claimed use of such cookies is to keep track of the data to analyze how the user uses the application, to provide personalized content recommendations and to provide more relevant services.
The issue of whether a user's fundamental rights are violated with regards to consent for the collection and use of cookies hinges on a broader question: At the moment of consenting to or rejecting cookies, was the user fully informed about the scope and purpose of data usage? Furthermore, was the user adequately apprised of the application's or website's third-party partners or vendors with whom their data would be shared?
Why isn't the user allowed to access the application/website after rejecting such cookies (only applicable to certain applications and websites)? and lastly when the user deletes or exits the application or website are these cookies deleted and if yes, where does the proof lie? This raises serious concerns about the adequacy of disclosure and the validity of consent in the context of data protection and privacy rights.
Furthermore, it is patently evident that cookies that are the collected by the websites or the application often collect certain non-personal and personal information in order to provide the personalized or the tailored content but the question arises that up to what extent the collection of the data does not lead to the potential breach of the Right to Privacy as enshrined in the Indian Constitution? In order to answer it, we need to first understand whether personalized content is a potential breach of privacy or not, the answer is it does.
There have been instances when unauthorized data collection has been witnessed by the users that led to the violation of privacy. Companies and applications like Truecaller, Google, TikTok, Zoom and Facebook were accused of collecting personal data from the users without their explicit consent. Truecaller allegedly enrolled some users into its Unified Payments Interface (UPI) payment system without their knowledge and even collected their personal data without their consent. Moreover, Google in 2018 faced criticism after it was revealed that it traced the location of the users even after the location tracking feature was turned off.
Application called TikTok in 2020, a popular video-sharing app, was fined for illegally collecting personal information from children under the age of 13 in the U.S. without obtaining parental consent, which violated the Children's Online Privacy Protection Act (COPPA) in the United States of America. Zoom, often regarded as a virtual meeting platform, was found to be sending data to Facebook without informing its users, even those who didn't have a Facebook account.
This practice was discovered in the early stages of the COVID-19 pandemic when Zoom usage surged globally. Lastly, the most famous scandal, namely The Facebook- Cambridge Analytica Scandal, a political malice, was the biggest privacy breach of all time. Nearly, the political consultancy firm (Cambridge Analytica) accessed the personal data of 87 million Facebook users without proper consent.
Moreover, in order to provide personalized content, there have been instances when websites or applications impose excessive surveillance and monitoring of the user's behavior over the digital platforms. This surveillance and monitoring are often done without the explicit consent of the user and therefore it is an invasion of privacy. Users often face the problems of lack of transparency wherein they are not made aware of the extent and the procedure of the data usage by the service provider, therefore a distinct violation of the informational autonomy, a key element of privacy.
Certain underdeveloped or developing websites or applications often have vague terms and conditions that users might not fully comprehend. In cases where consent for data collection is not explicitly informed or is obtained through ambiguous or coercive means, it fails the test of free consent. In such situations, personalization may be deemed unconstitutional as it does not respect the dignity and autonomy guaranteed under Article 21.
The biggest threat to the user's digital asset, namely the data, is the inadequate data protection on the part of the digital service provider. There have been cases in India where the large-scale data breaches exposing personal information of users were witnessed, the reason behind this was merely the weak encryption or inadequate data protection by service providers. The Aadhar Card Data Breach (2020), The Justdial Data Breach (2020), The Domino's India Data Breach (2021), The Mobiwik and the Air India Data Breach (2021) are the evidence to the above-mentioned claim.
Therefore, it is evident enough to assert that the personalized content may lead to a potential breach of privacy wherein in certain cases the users are under huge threat of their personal data being exposed to the digital forum even without their explicit consent or with the partial consent.
The answer is paradoxical, as the name of the act Digital Personal Data Protection Act, 2023 suggests that these laws are legislated for the protection of the digital personal data of the users, the definition of the term "personal data" under section 2 (t), "personal data" means any data about an individual who is identifiable by or in relation to such data; is very vague and abstract. The question of law arises in the interpretation of the definition, what comes under the ambit of personal data?
Furthermore, the explicit ability of the government to exempt itself from the provisions of the act under section 17 (2)(a) when the government demand any data which is necessary for the sovereignty and integrity of India. Moreover, as mentioned section 18-20 and 24, despite of the members of the Data Protection Board functioning independently, the central government will have an unmediated control over the appointment of the board chairperson along with its members along with their tenure and salaries and removal of the chairperson and the members.
Lastly, as mentioned under section 17(3), the central government can notify several data fiduciaries which will be exempted from this law. This gives the central government the explicit power to list down the companies or organizations including startups exempting them from the application of the provisions as mentioned under the Digital Personal Data Protection Act, 2023. Moreover, as mentioned under the section 27(3), the central government has the power to withdraw, cancel and suspend, any direction that the board has given to a person or a company for violating the provisions of Digital Personal Data Protection Act, 2023.
Therefore, these provisions have given undue powers and exemptions to the government which is paradoxical to the "independence" of the board as mentioned under the act. Hence, the aim to protect the right to privacy of the individuals or the group of individuals by the express provisions of the act is itself giving exemptions and powers to the central government that may infringe the rights.
In addition to the abovementioned powers and exceptions of the central government to be under the purview of the provisions of the act, the act clearly lacks a data security auditing mandate which is an essential test to check whether the company or the organization has control over the sensitive digital data of the users. As per the current data protection laws it is left up to the discretion of the company or the organization to have a data security audit mandate or not. The implementation of a data security auditing mandate will significantly enhance user privacy, whereas the absence of such mandates may result in a deficiency of robust data protection measures.
Not only the fundamental right of privacy but even the right to freedom of speech is under a threat, wherein it is mentioned under section 37(1)(b) and 37(2) that:- 37(1)(b) advises, in the interests of the general public, the blocking for access by the public to any information generated, transmitted, received, stored or hosted, in any computer resource that enables such Data Fiduciary to carry on any activity relating to offering of goods or services to Data Principals within the territory of India, after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it is necessary or expedient so to do, in the interests of the general public, for reasons to be recorded in writing, by order, direct any agency of the Central Government or any intermediary to block for access by the public or cause to be blocked for access by the public any such information.
(2) Every intermediary who receives a direction issued under sub-section (1) shall be bound to comply with the same. This implies that the central government holds comprehensive authority to restrict certain statements or information under the guise of serving the public interest.
Furthermore, one of the major shortcomings of the Digital Personal Data Protection Act, 2023 lies in the provisions of the cross-border transfer of the digital data wherein the issue of the countries having weaker data protection laws, weaker data security or data management will surely make the data more vulnerable and the threat to the breach of the sensitive data of the user was overlooked by the legislation. This can lead to a potential threat to privacy of the users in India using or operating any application or websites which are developed overseas.
In conclusion, the act was enforced to protect the digital personal data of the users, but it has not explicitly mentioned the measures and the remedies to protect the data breaches or has not given robust guidelines to the organizations or the companies collecting or storing the personal data to have a basic security mandate in order to protect the privacy rights of the users. Henceforth, when the user is getting the personalized content the question of privacy will defiantly arise due to these major shortcomings of the act.
Suggested Amendments to the Act:
The legislation should provide explicit guidelines in order to obtain the consent from the user regarding the access of the personal sensitive data of the user. Therefore, the government should enhance the framework for obtaining the consent from the users. The consent should be clear and easy to understand, it should have all the information about where and how the data will be used, it should also provide the guarantee to the users that once the application or the website is deleted or not in use the developers and vendors of the same will delete the data thereon.
Lastly, the consent should mention this privacy policy not only in English language but in the regional languages also for the better understanding of the individuals. The verbal dictator with help of the AI assistance to read out the policy for the user will be the most effective way to bring attention to the privacy policy of the application or the website.
In the case of a privacy breach the users should be made aware of the same as soon as the breach has occurred. This should be mandatory provision in the act and a duty of the digital service providers to draw the attention of the users towards the breach so that they can take several required actions to avoid further exploitation.
The international transfers, also called the cross-border transfers in the act has overlooked a major concern of transferring the data to the countries which might have weaker data protection laws. Therefore, the legislation should formulate a common set of rules for the international transfer of data. Moreover, it should also provide a set of requisites in terms of the data protection laws of that respective country to be fulfilled with an aim to protect the potential breach of privacy of the users in India. If those requisites are not being satisfied, then the government should not allow such companies or the organizations of that respective country to collect and save any kind of data from India.
The government should also impose a set of requisites for even the local companies and organizations in order to collect and save the data of the users. These requisites should give the utmost importance to an effective data security mandate.
Lastly, as mentioned earlier data is now a new age asset therefore, stricter punishments should be imposed to whoever commits the breach of data with an unlawful intention and fine shall also be imposed on the company or the organization from where such data is been hacked or breached. This will create a fear in the minds of the hackers and the companies, or the organizations will strengthen their data security in their servers. Moreover, the government should educate the users regarding their rights and duties pertaining to the activities on digital forums. It should also spread awareness regarding the legal remedies for the data breaches.
In conclusion, these are certain changes rather suggestions to be made in the current data protection act to safeguard the privacy rights of the users. These suggestions not only aim to address breaches of privacy arising from personalized content but also adopt a comprehensive perspective on safeguarding the rights and safety of each individual within the digital landscape.
Generic Suggestions:
To safeguard their right to privacy, every individual should undertake specific measures to remain vigilant regarding the malpractices perpetrated by service providers under the pretext of personalized content. Individuals should endeavor to educate themselves about various aspects related to consenting to access their sensitive data; the following are those critical considerations:
It is imperative to promote social awareness regarding the critical importance of data security. A user is merely one click away from potential digital exploitation under the guise of personalized content. It is essential to recognize that once sensitive data is collected and utilized to curate an individual's online experience, such as controlling their menu or internet feed, such data can influence their choices. When individual choices are manipulated, it becomes feasible to exert control over their behavior. Ultimately, if one gains control over an individual's behavior, they can compel that individual to act in accordance with their desires. This phenomenon was exemplified in the Facebook-Cambridge Analytica scandal, which underscores the profound implications of data misuse.
Ultimately, an individual must be acutely aware of the safety and security of their personal data. This awareness entails understanding the significance of safeguarding one's information against unauthorized access, misuse, or exploitation. Users should familiarize themselves with the data protection rights afforded to them under applicable legislation, as well as the potential risks associated with sharing personal information online.
Moreover, individuals ought to adopt proactive measures to enhance their data security, such as employing strong, unique passwords, enabling two-factor authentication, and regularly reviewing privacy settings across digital platforms. Engaging in critical evaluation of the terms of service and privacy policies of applications and websites is essential to ascertain how personal data will be utilized and shared.
By cultivating a comprehensive understanding of these elements, individuals can better navigate the digital landscape, mitigate the risks of data breaches, and empower themselves to make informed decisions regarding their personal information. Awareness of one's own data security is not merely advisable; it is a fundamental aspect of maintaining autonomy and safeguarding one's privacy in an increasingly interconnected world.
Conclusion
In conclusion, the intersection of personalized marketing and data privacy presents a profound challenge in the digital age, where the value of personal data has escalated to unprecedented levels. The Digital Personal Data Protection Act 2023, while a commendable step toward addressing privacy concerns, leaves critical lacunae that could undermine its efficacy. The Act's vague definition of "personal data" and the broad exemptions granted to the government pose significant risks to the integrity of the right to privacy. This is further compounded by the government's power to exempt entities from compliance, raising concerns about the transparency and accountability of data handling practices.
Moreover, the Act's failure to mandate data security audits and the provision allowing cross-border data transfers to countries with weaker data protection standards increase the vulnerability of personal data. Such legislative gaps create a privacy paradox, where the right to privacy, enshrined under Article 21 of the Indian Constitution, is potentially compromised by inadequate regulatory safeguards.
To effectively safeguard individuals' privacy, the Act must be strengthened through amendments that provide more explicit and stringent data protection measures. These should include clear guidelines for obtaining user consent, robust data security mandates, and stricter regulations on cross-border data transfers. Additionally, companies must be held accountable for data breaches, with substantial penalties imposed for non-compliance, to deter misuse and negligence in data management.
Ultimately, personalized content while offering benefits should not come at the expense of fundamental rights. The potential for misuse of personal data through excessive surveillance or unauthorized collection raises critical ethical and legal questions about the balance between technological innovation and privacy. The infamous Facebook-Cambridge Analytica scandal is a testament to the far-reaching consequences of data exploitation, where manipulation of personal data resulted in interference with democratic processes.
Thus, the Digital Personal Data Protection Act 2023 must evolve to meet these challenges, ensuring that privacy remains an inviolable right in an era dominated by digital interactions. The convergence of legislative reform, corporate responsibility, and individual awareness is essential to mitigating the risks associated with personalized marketing and protecting the personal autonomy of every digital user in India. The future of data privacy hinges on this balance, requiring both proactive legal safeguards and a vigilant, informed public. Written By: Bhavya Kotadia
The issue of personal data protection remains an unresolved quandary, particularly concerning tailored marketing practices on the internet. Despite advancements in legislation and regulatory frameworks, the efficacy of safeguarding individuals' personal data in the realm of online personalized marketing persists as a paramount concern. Henceforth, this article endeavors to elucidate how a seemingly inconspicuous lacuna within extant data protection legislation may precipitate a transgression of Article 21, as enshrined within the Indian Constitution.
Data and Digital Data:
Information is the oil of the 21st century, and analytics is the combustion engine", this phrase by Peter Sondergaard got a lot of attention when humans realized the importance of Data. No sooner after this when people perceived the eminence of data, Clive Humby coined another phrase, "Data is the new oil". In the beginning of the 21st century, as technological progressions in the digital sphere transpired, data became the most valuable asset, replacing oil.
The centrality of oil during the Industrial Revolution of the 20th century is now yielding to the ascendancy of data in the contemporary landscape of the Fourth Industrial Revolution. Data and oil are both found in the crude form and need to be refined in order to use them in the desired manner. Thus, these points of similarities led the scholars to conclude that, "Data is the new oil". To understand the concept of digital data it is important to begin with several basic terminologies revolving around the concept of Digital Personal Security.
According to the Section 2(h) and Section 2(n) of the Digital Personal Data Protection Act, 2023;
"Data" means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
"Digital personal data" means personal data in digital form.
Furthermore, digital data can be classified into 3 major distinctive categories, i.e. Digital Personal Data, Digital Non-Personal Data and lastly Digital Critical Data.
- Digital Personal Data: Digital Personal Data means a type of data which stores your personal information like name, address, mobile number, e-mail address, bio-metric information, browsing activities, device location, etc. This data can be used to reveal your personal information.
- Digital Non-Personal Data: Digital Non-Personal Data means the type of data that is generated by an individual, but the identity of that individual is not disclosed or not generated into the means of data. The most common example of such data is the detection of the density of traffic when an individual generates a route via global positioning system on Google Maps. Herein, the identity of the user is not stored in the form of data.
- Digital Critical Data: Digital Critical Data is a type of data which creates a database for the information of the government's infrastructure, for example, Defense related data or Nuclear Power related data. Such data cannot be accessed by the general public and thus it does not fall under the ambit of Right to Information.
Personalized or Tailored Marketing:
Personalized or Tailored Marketing constitutes a digital marketing modality that involves the customization of content and advertisements for specific products and services, contingent upon an individual's internet activities. This marketing practice leverages sophisticated algorithms to deliver content or advertisements tailored to the discerned tastes and preferences of consumers.
The accelerated pace of contemporary human existence manifests as a rapid cadence in the lives of individuals, where time is a precious commodity perpetually in demand, henceforth, this process of marketing namely digital marketing play a prominent role in furnishing substance-driven personalized advertisements and content that are not only personalized but also highly pertinent and beneficial to the target audience. In order to provide such customized content or advertisement to the target audience, the browsing activities of a user are being stored as data within the database of a company. Such data is being collected from the cookies that are generated or accepted while surfing on the internet.
Cookies are data files generated by a web server and transmitted to a web browser, which subsequently stores them for a specified duration or the entirety of a user's session on a website. These stored cookies later enable websites to discern and analyze the browsing preferences of the individual, thereby facilitating the delivery of algorithmically driven, personalized content.
These cookies serve to retain and manage data pertaining to website activity, including visited pages, items within a shopping cart, login credentials, search history, and language preferences. Additionally, they may gather personally identifiable information such as names, email addresses, phone numbers, and other user-related data. The discretion to accept or reject such cookies, i.e. to allow such web servers to store the personal information or any such information depends upon the user.
Therefore, this is how the tailored or personalized marketing process works with the help of the web cookies in order to generate the algorithms that are content driven as per the taste and preference of an individual.
Right to Privacy- An Overview:
Privacy, though lacking a singular legal definition, privacy has been expounded upon by legal scholars as a fundamental human entitlement inherent to all individuals by virtue of their existence, not contingent upon any instrument or charter. This encompassing concept extends beyond mere seclusion to encompass facets such as bodily integrity, personal autonomy, informational self-determination, safeguarding against state surveillance, preservation of dignity, confidentiality, protection from compelled speech, and the liberty to dissent, move, or contemplate.
In essence, the entitlement to privacy necessitates adjudication on a case-specific basis. The evolution in the field of technology and the digitalization of the biometric and the demographic information of the individuals made the legal scholars argue whether the right to privacy was a fundamental right under the Constitution of India or not.
The Right to Privacy in India is a fundamental right granted to the citizens of India to safeguard their personal information and to limit the collection and storage of data by governmental and private entities, thereby protecting individuals from threats to their privacy. The judgment passed by the nine Judge Bench in the case of K.S. Puttaswamy (Retd.) & Anr. Vs. Union of India & Ors. is regarded as the landmark judgment which gave the Right to Privacy constitutional validity and brought the Right to Privacy under the ambit of Right to Life and Personal Liberty under article 21 the Constitution of India.
This landmark judgment unanimously held that "the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution". Though this judgment became the reason for the existence of the Right to Privacy and its confinement into the Constitution of India as a fundamental right, the concept of privacy and the right to privacy has been a subject of extensive deliberation in the Indian apex court for a considerable period, with numerous cases thoroughly examining the issue.
Henceforth, the result of this thorough discussion and the need of an individual's safety of privacy resulted into declaring the Right to Privacy as the fundamental right as enshrined in the Constitution of India.
Digital Personal Data Protection Act, 2023:
The Digital Personal Data Protection Act (DPDP Act), 2023 is significant piece of legislation in India that governs the use of personal data of the individuals in the digital space. This act was enacted to prevent the breach of privacy of the users in this era of digitalization. The Act outlines the rights of individuals (data principals) and the obligations of the entities handling their data (data fiduciaries). It mandates informed consent for data collection and imposes strict penalties for non-compliance, aiming to ensure responsible data management while balancing the interests of both individuals and organizations.
The Shah Committee, which was chaired by Hon'ble Justice A.P. Shah is considered to be one of the first steps in the construction and the formation of the aforementioned legislation. The Shah Committee was an expert committee formed and established by the Government of India in order study and review the international laws and regulations about the digital privacy and to recommend the most suitable legal framework to legislate such privacy laws in India. This committee issued a report which became a blueprint for the legislation of the privacy laws in India. The key elements of this report are the nine basic privacy principles mentioned therein which were an adaptation of the best international policies and provided a basic guideline for framing the Indian privacy laws.
The most prominent role in the codification of the privacy laws in India was held by the B.N. Srikrishna Committee which was establish by the Government of India led and chaired by Hon'ble Justice B.N. Srikrishna in the year of 2017. This committee was assigned a task to review and analyze the current situation of the data protection and privacy laws in India while taking a reference from certain international policies and regulations governing the same in their respective country or region.
The said committee submitted a report in the year of 2018 which not only became a guideline for the new privacy laws in India but also served to be an informational asset regarding data, consent, data regulations, data protection and provided certain exceptions regarding the implementation of aforementioned privacy laws with the reasonable explanation thereon. The B.N. Srikrishna Committee also submitted a draft bill called the Data Protection Bill, 2018. This draft bill proposed stringent regulations on data processing activities, data localization, and the establishment of a Data Protection Authority (DPA).
The draft Bill was later introduced in the parliament as the Personal Data Protection Bill, 2019, the parliament suggested several modifications and was also discussed in a Joint Parliamentary Committee (JPC) for further scrutiny and public consultation. Furthermore, the committee conducted a thorough survey and took extensive consultations from the different sections of civil society and the legal experts.
The committee even considered the data protection laws around the globe in order to adapt the most suitable legal framework for the said laws and its implementation in India. Moreover, in the year 2021, the said committee issued and submitted a report wherein all the changes regarding the draft bill were suggested. This amended bill was named the Data Protection Bill, 2021. This bill suggested notable changes and various amendments to address the concerns about government exemptions, data localization, and cross-border data transfers.
In the year 2022, by the recommendations of the JPC Committee and the public feedback the government of India took a decision to withdraw the Data Protection Bill, 2019 and announced that a new bill will be introduced after considering the JPC's suggestion and recommendations. Furthermore, The Ministry of Electronics Information Technology issued a draft bill for the data protection laws, the bill was named as the Digital Personal Data Protection Bill, 2022.
This new draft simplified several provisions and focused on core principles of data protection. The bill was later introduced in Parliament as the Digital Personal Data Protection Bill, 2023. The said bill was able to build a consensus and therefore was passed by both houses and received the presidential assent thereon on, becoming the Digital Personal Data Protection Act, 2023.
The main purpose of Digital Personal Data Protection Act, 2023 was to ensure the safety of the personal data of the internet users, it was also legislated for the prevention of data misuse and ensuring the data security, it also provided the rights for the data principals with the outlines of the conditions for the cross-border data transfers.
Personalized Content Or Potential Breach Of Privacy?
In order to provide personalized content to the user, the service providers of any website, application or any such digital source often try to collect your private data in the form of cookies. At the initial stage wherein the service providers will have to ask the consent in order to access to the personal digital data of the users in the form of cookies, the cookies which collect and save the personal data are usually brought up by a pop-up interface which appears while using an application or a website, the main objective of these cookies is to provide a better user experience, as claimed by the service provider.These service providers at times not only consist of the developers of the application/websites but also the partners and the vendors of the application/website. The claimed use of such cookies is to keep track of the data to analyze how the user uses the application, to provide personalized content recommendations and to provide more relevant services.
The issue of whether a user's fundamental rights are violated with regards to consent for the collection and use of cookies hinges on a broader question: At the moment of consenting to or rejecting cookies, was the user fully informed about the scope and purpose of data usage? Furthermore, was the user adequately apprised of the application's or website's third-party partners or vendors with whom their data would be shared?
Why isn't the user allowed to access the application/website after rejecting such cookies (only applicable to certain applications and websites)? and lastly when the user deletes or exits the application or website are these cookies deleted and if yes, where does the proof lie? This raises serious concerns about the adequacy of disclosure and the validity of consent in the context of data protection and privacy rights.
Furthermore, it is patently evident that cookies that are the collected by the websites or the application often collect certain non-personal and personal information in order to provide the personalized or the tailored content but the question arises that up to what extent the collection of the data does not lead to the potential breach of the Right to Privacy as enshrined in the Indian Constitution? In order to answer it, we need to first understand whether personalized content is a potential breach of privacy or not, the answer is it does.
There have been instances when unauthorized data collection has been witnessed by the users that led to the violation of privacy. Companies and applications like Truecaller, Google, TikTok, Zoom and Facebook were accused of collecting personal data from the users without their explicit consent. Truecaller allegedly enrolled some users into its Unified Payments Interface (UPI) payment system without their knowledge and even collected their personal data without their consent. Moreover, Google in 2018 faced criticism after it was revealed that it traced the location of the users even after the location tracking feature was turned off.
Application called TikTok in 2020, a popular video-sharing app, was fined for illegally collecting personal information from children under the age of 13 in the U.S. without obtaining parental consent, which violated the Children's Online Privacy Protection Act (COPPA) in the United States of America. Zoom, often regarded as a virtual meeting platform, was found to be sending data to Facebook without informing its users, even those who didn't have a Facebook account.
This practice was discovered in the early stages of the COVID-19 pandemic when Zoom usage surged globally. Lastly, the most famous scandal, namely The Facebook- Cambridge Analytica Scandal, a political malice, was the biggest privacy breach of all time. Nearly, the political consultancy firm (Cambridge Analytica) accessed the personal data of 87 million Facebook users without proper consent.
Moreover, in order to provide personalized content, there have been instances when websites or applications impose excessive surveillance and monitoring of the user's behavior over the digital platforms. This surveillance and monitoring are often done without the explicit consent of the user and therefore it is an invasion of privacy. Users often face the problems of lack of transparency wherein they are not made aware of the extent and the procedure of the data usage by the service provider, therefore a distinct violation of the informational autonomy, a key element of privacy.
Certain underdeveloped or developing websites or applications often have vague terms and conditions that users might not fully comprehend. In cases where consent for data collection is not explicitly informed or is obtained through ambiguous or coercive means, it fails the test of free consent. In such situations, personalization may be deemed unconstitutional as it does not respect the dignity and autonomy guaranteed under Article 21.
The biggest threat to the user's digital asset, namely the data, is the inadequate data protection on the part of the digital service provider. There have been cases in India where the large-scale data breaches exposing personal information of users were witnessed, the reason behind this was merely the weak encryption or inadequate data protection by service providers. The Aadhar Card Data Breach (2020), The Justdial Data Breach (2020), The Domino's India Data Breach (2021), The Mobiwik and the Air India Data Breach (2021) are the evidence to the above-mentioned claim.
Therefore, it is evident enough to assert that the personalized content may lead to a potential breach of privacy wherein in certain cases the users are under huge threat of their personal data being exposed to the digital forum even without their explicit consent or with the partial consent.
Are The Current Data Protection Laws Sufficient Enough To Safeguard The User's Right To Privacy?
The government's initiative to introduce the new data protection laws is commendable but the question arises that are these new data protection laws namely the Digital Personal Data Protection Act, 2023 sufficient enough to safeguard the user's right to privacy?The answer is paradoxical, as the name of the act Digital Personal Data Protection Act, 2023 suggests that these laws are legislated for the protection of the digital personal data of the users, the definition of the term "personal data" under section 2 (t), "personal data" means any data about an individual who is identifiable by or in relation to such data; is very vague and abstract. The question of law arises in the interpretation of the definition, what comes under the ambit of personal data?
Furthermore, the explicit ability of the government to exempt itself from the provisions of the act under section 17 (2)(a) when the government demand any data which is necessary for the sovereignty and integrity of India. Moreover, as mentioned section 18-20 and 24, despite of the members of the Data Protection Board functioning independently, the central government will have an unmediated control over the appointment of the board chairperson along with its members along with their tenure and salaries and removal of the chairperson and the members.
Lastly, as mentioned under section 17(3), the central government can notify several data fiduciaries which will be exempted from this law. This gives the central government the explicit power to list down the companies or organizations including startups exempting them from the application of the provisions as mentioned under the Digital Personal Data Protection Act, 2023. Moreover, as mentioned under the section 27(3), the central government has the power to withdraw, cancel and suspend, any direction that the board has given to a person or a company for violating the provisions of Digital Personal Data Protection Act, 2023.
Therefore, these provisions have given undue powers and exemptions to the government which is paradoxical to the "independence" of the board as mentioned under the act. Hence, the aim to protect the right to privacy of the individuals or the group of individuals by the express provisions of the act is itself giving exemptions and powers to the central government that may infringe the rights.
In addition to the abovementioned powers and exceptions of the central government to be under the purview of the provisions of the act, the act clearly lacks a data security auditing mandate which is an essential test to check whether the company or the organization has control over the sensitive digital data of the users. As per the current data protection laws it is left up to the discretion of the company or the organization to have a data security audit mandate or not. The implementation of a data security auditing mandate will significantly enhance user privacy, whereas the absence of such mandates may result in a deficiency of robust data protection measures.
Not only the fundamental right of privacy but even the right to freedom of speech is under a threat, wherein it is mentioned under section 37(1)(b) and 37(2) that:- 37(1)(b) advises, in the interests of the general public, the blocking for access by the public to any information generated, transmitted, received, stored or hosted, in any computer resource that enables such Data Fiduciary to carry on any activity relating to offering of goods or services to Data Principals within the territory of India, after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it is necessary or expedient so to do, in the interests of the general public, for reasons to be recorded in writing, by order, direct any agency of the Central Government or any intermediary to block for access by the public or cause to be blocked for access by the public any such information.
(2) Every intermediary who receives a direction issued under sub-section (1) shall be bound to comply with the same. This implies that the central government holds comprehensive authority to restrict certain statements or information under the guise of serving the public interest.
Furthermore, one of the major shortcomings of the Digital Personal Data Protection Act, 2023 lies in the provisions of the cross-border transfer of the digital data wherein the issue of the countries having weaker data protection laws, weaker data security or data management will surely make the data more vulnerable and the threat to the breach of the sensitive data of the user was overlooked by the legislation. This can lead to a potential threat to privacy of the users in India using or operating any application or websites which are developed overseas.
In conclusion, the act was enforced to protect the digital personal data of the users, but it has not explicitly mentioned the measures and the remedies to protect the data breaches or has not given robust guidelines to the organizations or the companies collecting or storing the personal data to have a basic security mandate in order to protect the privacy rights of the users. Henceforth, when the user is getting the personalized content the question of privacy will defiantly arise due to these major shortcomings of the act.
How To Prevent The Breach Of The New Age Asset?
It is now patently evident that there is a close eye on the user's web activities in the purview of distinctive content offered to the users, therefore, the concern over the protection of the sensitive personal data is the need of the hour. This article not only aims to draw the readers' attention towards the current issues but will also provide suggestions and remedies to the individuals and the legislation to protect the right to privacy of the users.Suggested Amendments to the Act:
The legislation should provide explicit guidelines in order to obtain the consent from the user regarding the access of the personal sensitive data of the user. Therefore, the government should enhance the framework for obtaining the consent from the users. The consent should be clear and easy to understand, it should have all the information about where and how the data will be used, it should also provide the guarantee to the users that once the application or the website is deleted or not in use the developers and vendors of the same will delete the data thereon.
Lastly, the consent should mention this privacy policy not only in English language but in the regional languages also for the better understanding of the individuals. The verbal dictator with help of the AI assistance to read out the policy for the user will be the most effective way to bring attention to the privacy policy of the application or the website.
In the case of a privacy breach the users should be made aware of the same as soon as the breach has occurred. This should be mandatory provision in the act and a duty of the digital service providers to draw the attention of the users towards the breach so that they can take several required actions to avoid further exploitation.
The international transfers, also called the cross-border transfers in the act has overlooked a major concern of transferring the data to the countries which might have weaker data protection laws. Therefore, the legislation should formulate a common set of rules for the international transfer of data. Moreover, it should also provide a set of requisites in terms of the data protection laws of that respective country to be fulfilled with an aim to protect the potential breach of privacy of the users in India. If those requisites are not being satisfied, then the government should not allow such companies or the organizations of that respective country to collect and save any kind of data from India.
The government should also impose a set of requisites for even the local companies and organizations in order to collect and save the data of the users. These requisites should give the utmost importance to an effective data security mandate.
Lastly, as mentioned earlier data is now a new age asset therefore, stricter punishments should be imposed to whoever commits the breach of data with an unlawful intention and fine shall also be imposed on the company or the organization from where such data is been hacked or breached. This will create a fear in the minds of the hackers and the companies, or the organizations will strengthen their data security in their servers. Moreover, the government should educate the users regarding their rights and duties pertaining to the activities on digital forums. It should also spread awareness regarding the legal remedies for the data breaches.
In conclusion, these are certain changes rather suggestions to be made in the current data protection act to safeguard the privacy rights of the users. These suggestions not only aim to address breaches of privacy arising from personalized content but also adopt a comprehensive perspective on safeguarding the rights and safety of each individual within the digital landscape.
Generic Suggestions:
To safeguard their right to privacy, every individual should undertake specific measures to remain vigilant regarding the malpractices perpetrated by service providers under the pretext of personalized content. Individuals should endeavor to educate themselves about various aspects related to consenting to access their sensitive data; the following are those critical considerations:
- Read and understand the privacy policy of the website or the application before accepting the cookies thoroughly.
- Check whether the privacy policy explicitly mentions the extent to which the website or application will collect, use, and transfer the data. If the information regarding the same is absent, either do not approve the access or delete the application.
- Only give consent to access the data while using the application or website and not otherwise.
- Before deleting the application or exiting the website, check whether the data will be deleted as soon as the application or website is deleted/exited or not. If that information is not deleted immediately, decline all the access given to the application from your device settings, and for declining the access to the website, decline all the access given to the website from the browser settings.
- Lastly, to check whether the data is completely deleted or not, either consult the regulatory authorities or use any third-party data deletion tool.
It is imperative to promote social awareness regarding the critical importance of data security. A user is merely one click away from potential digital exploitation under the guise of personalized content. It is essential to recognize that once sensitive data is collected and utilized to curate an individual's online experience, such as controlling their menu or internet feed, such data can influence their choices. When individual choices are manipulated, it becomes feasible to exert control over their behavior. Ultimately, if one gains control over an individual's behavior, they can compel that individual to act in accordance with their desires. This phenomenon was exemplified in the Facebook-Cambridge Analytica scandal, which underscores the profound implications of data misuse.
Ultimately, an individual must be acutely aware of the safety and security of their personal data. This awareness entails understanding the significance of safeguarding one's information against unauthorized access, misuse, or exploitation. Users should familiarize themselves with the data protection rights afforded to them under applicable legislation, as well as the potential risks associated with sharing personal information online.
Moreover, individuals ought to adopt proactive measures to enhance their data security, such as employing strong, unique passwords, enabling two-factor authentication, and regularly reviewing privacy settings across digital platforms. Engaging in critical evaluation of the terms of service and privacy policies of applications and websites is essential to ascertain how personal data will be utilized and shared.
By cultivating a comprehensive understanding of these elements, individuals can better navigate the digital landscape, mitigate the risks of data breaches, and empower themselves to make informed decisions regarding their personal information. Awareness of one's own data security is not merely advisable; it is a fundamental aspect of maintaining autonomy and safeguarding one's privacy in an increasingly interconnected world.
Conclusion
In conclusion, the intersection of personalized marketing and data privacy presents a profound challenge in the digital age, where the value of personal data has escalated to unprecedented levels. The Digital Personal Data Protection Act 2023, while a commendable step toward addressing privacy concerns, leaves critical lacunae that could undermine its efficacy. The Act's vague definition of "personal data" and the broad exemptions granted to the government pose significant risks to the integrity of the right to privacy. This is further compounded by the government's power to exempt entities from compliance, raising concerns about the transparency and accountability of data handling practices.
Moreover, the Act's failure to mandate data security audits and the provision allowing cross-border data transfers to countries with weaker data protection standards increase the vulnerability of personal data. Such legislative gaps create a privacy paradox, where the right to privacy, enshrined under Article 21 of the Indian Constitution, is potentially compromised by inadequate regulatory safeguards.
To effectively safeguard individuals' privacy, the Act must be strengthened through amendments that provide more explicit and stringent data protection measures. These should include clear guidelines for obtaining user consent, robust data security mandates, and stricter regulations on cross-border data transfers. Additionally, companies must be held accountable for data breaches, with substantial penalties imposed for non-compliance, to deter misuse and negligence in data management.
Ultimately, personalized content while offering benefits should not come at the expense of fundamental rights. The potential for misuse of personal data through excessive surveillance or unauthorized collection raises critical ethical and legal questions about the balance between technological innovation and privacy. The infamous Facebook-Cambridge Analytica scandal is a testament to the far-reaching consequences of data exploitation, where manipulation of personal data resulted in interference with democratic processes.
Thus, the Digital Personal Data Protection Act 2023 must evolve to meet these challenges, ensuring that privacy remains an inviolable right in an era dominated by digital interactions. The convergence of legislative reform, corporate responsibility, and individual awareness is essential to mitigating the risks associated with personalized marketing and protecting the personal autonomy of every digital user in India. The future of data privacy hinges on this balance, requiring both proactive legal safeguards and a vigilant, informed public. Written By: Bhavya Kotadia
Law Article in India
Legal Question & Answers
Lawyers in India - Search By City
LawArticles
How To File For Mutual Divorce In Delhi
How To File For Mutual Divorce In Delhi Mutual Consent Divorce is the Simplest Way to Obtain a D...
Increased Age For Girls Marriage
It is hoped that the Prohibition of Child Marriage (Amendment) Bill, 2021, which intends to inc...
Facade of Social Media
One may very easily get absorbed in the lives of others as one scrolls through a Facebook news ...
Section 482 CrPc - Quashing Of FIR: Guid...
The Inherent power under Section 482 in The Code Of Criminal Procedure, 1973 (37th Chapter of t...
The Uniform Civil Code (UCC) in India: A...
The Uniform Civil Code (UCC) is a concept that proposes the unification of personal laws across...
Role Of Artificial Intelligence In Legal...
Artificial intelligence (AI) is revolutionizing various sectors of the economy, and the legal i...
Please Drop Your Comments