Personal data privacy is not a foremost issue in the minds of ordinary Internet users. Most of them are now used to getting an immense amount of goodies — free search in milliseconds across the whole of the Internet, free publications on platforms that afford an audience in hundreds of millions or even billions of people, free video streaming for the whole world, do not come for free.
For instance, Google did 1.2 trillion searches in 2012 (and since then has not published any data). However, the number of people using the Internet has doubled since then (3.9 billion people in 2020). So a guesstimate of 3 trillion queries per year handled by Google alone (75% of the total) is a conservative estimate. The compute infrastructure to support this behemoth is modelled to be $30B-$50B in 2020. After this, think of so many other services- youtube, Whatsapp, Instagram, Facebook, ticktock etc. all rivalling in the ‘compute power size’ to just the ‘search service.’ However, the same companies are operating businesses that generate an obscene amount of profit that the world had not seen till now. In this fight, both sides — those who make use of your personal data to generate profits e.g. Google, Microsoft, Facebook and those who are monetizing the privacy protection e.g. Apple- are fast racing to have a trillion-dollar valuation or already gotten past it. Practically, all these companies are printing money under the authority of ‘we the people’ voting by our feet’ i.e. loyalty to the platforms. Some ‘oldtimers’ can still remember erstwhile darlings like AOL, Pointcast and Myspace. What we can conclude is that Data Privacy is the most important issue at hand to which the public is paying scant attention.
One would think that in this immensely complex landscape the governments would step in with regulation to control the new ‘robber barons’ and protect ‘we the people.’ Alas, the same complexity coupled with the unprecedented speed of innovation has made governments frozen like a deer looking at the proverbial headlights. The power and capacity to do harm by these platforms, in my opinion, is far greater than even the biggest nuclear weapons. Imagine- all sentient civilizations in the universe grow up to the stage they invent the Internet and then devolve into anarchy! Even the forbearers and the current stewards of these platforms only vaguely understand the implications — witness the power of changing governments in the ‘Arab Spring’ or the capture of the US presidency by Donald Trump, not too far back.
So, what are regulators doing? The EU took an early lead on this and created an early legal framework through ‘GDPR’ and California closely followed with ‘CCPA.’ These are meaningful albeit baby steps. The main goal of these two frameworks is to force online companies dealing with consumers to do:
- do ‘privacy by design’ and ‘privacy by default’
- be transparent in the data collection policy
- force companies to be liable if they collect more data than necessary to run the service
- be able to erase all data for a ‘natural person’ on request i.e. ‘right to be forgotten’
- provide adequate security against a breach
However, the US, in general, has lagged in creating a national level overarching legal framework. Since Congress has not stepped in till now, the framework has been evolving through the case laws in the US Supreme Court. In Spokeo vs Robin (2016) US Supreme Court held that liability arises only if
(1) there is an ‘injury in fact’
(2)directly traceable to the defendant
(3) Can be remedied by the courts.
This would be among the most ‘lax’ standards for privacy in any major jurisdiction. The ‘privacy harm’ to the injured party needs to be concrete and provable in a court. Frank v Gaos could have had a profound implication for the evolving standard. The plaintiffs have invoked a breach of contract under the Electronic Communications Privacy Act and Stored Communications Act. The key concept question in concept was if the combination of a search term along with the IP address can be construed as material harm to the plaintiff. The US Government was acting as a ‘friend of the court’ and Google is a respondent. The case was set to rest with a settlement and is now back in the lower courts on narrow grounds under the Spokeo ruling.
India too has been waking up to Internet privacy issues. A Joint Parliamentary Committee was formed in 2019 for a proposed Personal Data Protection (PDP) 2019. The Bill was tabled in the Lower House on Dec 11, 2020. The Bill does take inspiration from the frameworks of GDPR and CCPA and has incorporated elements from there. There are other provisions in the bill in which several citizens are concerned that they feel will turn the State into an Orwellian nightmare. Justice B.N Shrikrishna, who chaired the original committee constituted by the Ministry of Electronics and IT in 2017, is among the prominent critics. The reasonable safeguards put in place for the state to follow to get access to the personal data for ‘security purposes’ have been significantly watered down in the bill tabled in the parliament.
From a consumer perspective, the implications are dire in this evolving debate. The messy arrangement with the for-profit companies for data privacy has made governments step in. But, by the same token, several of them are also looking at it as an opportunity to devolve into an Orwellian state. It is Scylla and Charybdis- take your pick.
Co-founder and CEO @ Tantiv4 Inc. www.tantiv4.com