As the political conversation around the misuse of user data heats up in wake of the Cambridge Analytica controversy, it might come as some surprise that Indian citizens have little to no legal recourse if someone abuses their online data.
Using social media platforms such as Facebook for influencing election outcomes is nothing new. Like this piece in Fortune notes, even former US President Barack Obama’s teams bought and tracked TV viewing habits and used that information to turn fence-sitting voters to a favourable outcome for the party.
“At the time of his election and reelection, Obama’s data analytics researchers were heralded as technology heroes for the way they modernized how political campaigns wrangle data in the pursuit of votes,” the story notes.
Closer home, in India, the ruling Bharatiya Janata Party’s use of data analytics leading up to the 2014 general elections is also well documented. Like this story in The Economic Times details, the party used publicly available Electoral Rolls and voting patterns to swing votes in their favour.
“When you visit a website of BJP or its various support groups, a cookie (a tiny bit of software) is planted on your computer. This cookie will track your browsing pattern long after you have closed the website and help an algorithm to build a demographic profile based on your browsing pattern. If, for instance, you go from a BJP website to a site on motorcycles and then to a jobs portal, the algorithm will conclude that you are a young male from this particular constituency who is a job seeker,” the piece said.
However, what happens when a citizen decides to take action? In the Indian context, it turns out, not much.
“We have an IT (Information Technology) Act provision which provides limited protection,” said Prasanth Sugathan, legal director at not for profit legal services firm Software Freedom Law Centre.
Section 43(A) of the IT Act details the compensation for failure to protect data. “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected,” it says.
The catch here is that the responsibility of proving that a “wrongful loss or wrongful gain” occurred is on the person filing the complaint.
“This is very difficult to prove. You need to show that a real loss occurred, and mostly it is understood to be a financial loss,” added Sugathan.
Agreed Na Vijayashankar, cyber law expert and Founder of naavi.org. “Citizens have to prove that data which was not made public was used to invoke any legal recourse and also have to prove some kind of damage arising out of such misuse. We know that Facebook users have the "Privacy Setting" available to them and if they have not used it then there is little that the public can do. Also it is difficult to say what is the "misuse" other than trying to make a marketing call. If the profiled information is used for some kind of threatening or blackmailing, there are other laws that can be invoked,” he said.
As the political mudslinging over the use of Cambridge Analytica continues, it is important to remember that in the absence of strong data protection laws, which have been under consideration for a long time, Indian citizens stand to lose the most.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
