Behind the curve: Facebook data theft underlines India's lax privacy laws

Cambridge Analytica (CA), a British firm, is alleged to have harvested the data of over 50 million Facebook users without their permission. It used that data to micro-target voters in the 2016 US presidential election. It included pushing out fake news and skewed information to the susceptible in order to manipulate opinion. The CA scandal was broken by a whistleblower and the firm is also under investigation for using similar techniques to manipulate the Brexit referendum. Since Wednesday, India’s political parties, too, have traded accusations that CA, along with its Indian associates, worked to manipulate some of the elections in the country as well. But the odd part in this is that given the current state of Indian laws, much of this is not even illegal. Harvesting user-data may be a breach of the user-agreement with Facebook or any other social media platform from where it is garnered. But that is as far as it goes. India does not have specific data privacy laws.

Privacy was recognised as a fundamental right only in 2017 and there has been no follow-up legislation, despite recommendations for a data privacy law going back to the A P Shah committee in 2012-13. Digital biometrics, email passwords, financial information and medical records are classified as “sensitive” and “personal” data under Indian law. But even leaks of such data are common. In fact, Aadhaar, which provides a unique number for each resident of India based on his/her biometric information, is currently facing a major constitutional challenge in the Supreme Court on these very grounds. However, Facebook “likes”, location information, surfing habits, and FB friends and Twitter follower lists do not fall into the sensitive category. Nor are there legal barriers to pushing out “fake news” on social media — indeed, the practice is endemic globally.

The harvesting and analysis of big data and metadata to profile individuals is lucrative. The importance of this has grown alongside rising social media penetration. If you know somebody’s taste in ice-creams and clothes, and hobbies and interests, you can sell stuff more efficiently. If you know somebody’s socio-political inclinations, you can craft more effective political campaigns. If you know all these things about vast numbers, and can tie it to their locations, socio-economic status, age, education, caste and community, you can do a really good job of canvassing for votes. So, whatever the truth of these specific accusations, there is no doubt that political campaigns are increasingly driven by data scientists and behavioural science experts. They analyse voter-data and create “psychographic” profiles before they craft campaigns to influence voting preferences. This is a natural extension of commercial marketing, which has long been driven by big data. 

The CA revelations about the ways in which data is globally acquired and used to influence voters only underlines the need for India to legislate a comprehensive data protection and data privacy law. Social media is a channel for all sorts of things and political campaigning on social media is surely legitimate. But personal data used for that, or any other purpose, must be acquired legitimately, with due knowledge and permission of the individuals who generated it. India should not waste any time in initiating protection of such data through a comprehensive data privacy law. In any case, that is a better route than banking on Mark Zuckerberg heeding the government’s summons for questioning, or expecting the Facebook CEO to uphold the integrity of elections around the world, including India — a promise he made on Thursday.