By: Probal Bose
With the internet age in full throttle and leading to the ‘sharing economy’, the life of individuals today is hardly private. Social media, e-commerce websites and the like have access to all user data, which is processed and accumulated through data analytics and liberally used by vendors for promotional and commercial uses.
Before delving into the privacy aspect, let us take a quick look at how data analytics works. “Big data analytics” is the process of examining large data sets containing a variety of data types – i.e., big data – to uncover hidden patterns, unknown correlations, market trends, customer preferences and other useful business information. The analytical findings can lead to effective marketing, newer revenue opportunities, better customer service, improved operational efficiency, competitive advantages and other business benefits.[1] The data in its original form is the raw data, while the data derived after the analysis is the processed data. Evidently, there is a conflict over the ownership of the processed data between the user supplying the raw data and the professional creating the algorithm for data analysis. The question of who owns ‘Big Data’ assumes significance when gauged from the economic value invested in it. We have attempted to clarify the status of processed data while looking into the legal framework governing right to privacy in India and best practices in some jurisdictions in this arena.
Ownership of Processed Data
While there is no significant jurisprudence or study in India till date on the ownership of processed data, an interesting view is provided by Mr. Joren Wachter, the noted Belgian Intellectual Property Strategist, that “the question of ‘ownership’ of data is probably not the right question to ask. It does not matter so much as to who ‘owns’ the data, but who can use them, and for what purpose, as the number of sources and the amount of data grows, it is the potential of recombining those aspects, that will lead to exponential growth in how we use and approach data.”[2] From a practical perspective, it means that “ownership” of data should be looked at from a different angle: businesses should not focus on acquiring ownership of data, but on expanding different ways of using data, regardless of their source. This, however, does not address the problems of the individual who is the source of the raw data and what constitutes unauthorized access to data.
This issue was partly addressed in Google Spain and Google Inc v Agencia Espanola de Proteccion de Datos of Mario Costeja Gonzalez[3], decided by the Court of Justice of the European Union in May 2014, when it was held that an individual has the right to request the removal of his information from an internet search engine and that the individual’s right to data protection “will override the economic interest” (i.e. the property right) “of the operator of the search engine”. There are competing economic interests in the same piece of personal information: the internet search engine has a right “in rem” (against the rest of the world) in connection with the investment it has made in the collection, arrangement and accessibility of its Big Data. The individual, on the other hand, has a right “in personam” to require the “in rem” right-holder to modify the contents of its Big Data insofar as the information relates to him. And the in personam right will usually trump the in rem right. This is in consonance with the Data Protection Directive of the European Union of 1995.
Regulatory framework for Data Protection in India
The Information Technology Act, 2000 and rules made thereunder (“IT Act”) is the only legislation governing “data” in India. Data under the IT Act is defined as “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored in the memory of the computer”[4].
While the IT Act provides penalties for tampering with computer source documents[5], breach of privacy[6] and improper security of sensitive personal data[7], it remains a question of interpretation whether these provisions are relevant to ‘big data’.
The IT Act provides for Computer Related Offences, prohibiting the access, download, extraction etc. of data without the permission of “the person who is in charge, of a computer, computer system or computer network”[8]. A computer system has been defined as “a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data that performs logic, arithmetic, data storage and retrieval, communication control and other functions.”[9]
While these provisions protect a user providing raw data, the grey area arises when a social media platform (such as Facebook or LinkedIn) uses the data fed in by the user on a public forum.
Under the Act, the Personal Information Security Rules notified in April 2011 serve as the most comprehensive form of data protection legislation in India.
TRAI Consultation Paper on Cloud Computing
The Telecom Regulatory Authority of India came out with a Consultation Paper on Cloud Computing on June 10, 2016. At the outset, cloud computing may be considered a small part of the Big Data, which the user agrees to provide to the cloud provider. For example, when a user gives permission to Google to back-up his/her data, Google saves it on the Google Cloud. The ownership of data in case of cloud computing has been clarified in the paper to have been “entrusted to the cloud provider for storage”[10]. However, as big data may consist of multiple cloud networks, the ownership of the same remains unclear.
As elucidated in the paper, cloud computing models are of three types:
Software as a Service – where the infrastructure and the platform are provided by the developer such as Google Apps.
Platform as a Service – that helps to create, update and manage cloud services, such as
Infrastructure as a Service – that provides the infrastructure to develop cloud services such as Amazon web services.
With reference to data security all of these models pose certain issues[11]:
Ease of subscription causes the issues of spam and malicious codes which the user may not be aware of.
Vulnerability of the Application Programming Interface as third parties develop these interfaces, posing a threat to data security.
Multi-tenancy issues crop up as the infrastructure is shared between various parties, creating the need to put in place a strong isolation mechanism to avoid unauthorized usage.
Account or service hijacking.
Disaster recovery issue.
Risk unawareness of distant clients: versions of software, code updates, security practices, vulnerability profiles, intrusion attempts and security design are key factors for a company’s security.
Cross-border security issues and government associated security issues.
Cloud service providers being stakeholders in the cloud should have mechanisms in place to prevent intrusions.
The paper, while identifying ‘data intensiveness’ as an important attribute of Cloud Computing, also points out the following four kinds of security to be ensured to keep data private and secure:
infrastructure security;
network security;
application and process security; and
data security.
Given the similarity between data security and privacy issues for both big data and cloud computing, the Paper outlines some significant solutions as set out below to consider moving forward.
A ‘Privacy Steering Committee’ may be set up by to make decisions on data security and privacy;[12]
The data collector should be liable for any infringement in data security[13];
There should be a segregated decryption of encrypted data with layers of security to avoid data breach and firewalls have to be installed to better secure the data;[14]
Customized agreements for data to ensure data protection to suit individual requirements[15];
A set of jurisdictional rules may be made to avoid cross border issues[16];
Binding Safe Processor Rules may be implemented which are rules governing data processors meeting European Union Standards[17];
Cloud service providers may be mandated to host data only in India or restrictions on certain data being transferred cross-border may be levied[18];
Stringent penal measures may be introduced for deterrence to misuse of data.
These suggestions if implemented would go a long way in providing a platform for better data security and privacy measures in the country. It remains to be seen how the proposed regulations will be implemented.
[1] http://searchbusinessanalytics.techtarget.com/definition/big-data-analytics
[2] http://jorendewachter.com/2013/11/big-data-ip-business-strategy/
[3] http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=152065
[4] Section 2(o), Information Technology Act, 2000
[5] Section 65, Information Technology Act, 2000
[6] Section 72, Information Technology Act, 2000
[7] Section 43(2), Information Technology Act, 2000
[8] Section 43 of the IT Act
[9] Section 2(l), Information Technology Act, 2000
[10] Para 4.6, TRAI Consultation Paper on Cloud Computing
[11] Para 4.2, Id.
[12] Para 4.5, supra note 11.
[13] Id.
[14] Para 4.7, supra note 11.
[15] Para 5.25, supra note 11.
[16] Id.
[17] Id.
[18] Id.