“Data is the new oil. Like oil, data is valuable, but if unrefined, it cannot be used. To create a valuable entity that drives profitable activity, it must be converted into gas, plastic, and other substances. So, must data be broken down, analyzed for it to have value.” – Clive Robert Humby OBE (British mathematician)
In recent times numerous industry experts and prominent business publications, such as The Economist, have defined that data, and not oil, has become the world’s most valuable resource. Experts in the field have coined the term “data economy” to describe the influence and economic significance of big data in modern society.
The phrase “data is the new oil” refers to the similarities between how the two resources (i.e. data & oil) gain value. Similar to crude oil, raw data is not valuable in and of itself; its value is created when it is quickly, thoroughly, and accurately gathered and connected to other pertinent data. When data is refined appropriately, it quickly becomes a decision-making tool, providing insightful information that enables businesses to respond proactively and deliberately to market forces.
Clearly, this metaphor has grown in popularity over the past decade, but there are better ways to conceptualize data that can help organisations better understand its role in the business world of the 21st century, particularly in light of advances in predictive analytics and artificial intelligence.
The “two-word sentence” is the buzz of the town & to understand it in detail, let’s break them. As per www.wikipedia.com, the word “data” was first used to mean “transmissible and storable computer information” in 1946. The expression “data processing” was first used in 1954. When “data” is used more generally as a synonym for “information”, which is like a collection of discrete values that convey information, describing the quantity, quality, fact, statistics, etc. As such, data can be seen as the smallest units of factual information that can be used as a basis for calculation, reasoning, or discussion.
As per www.iapp.org, privacy is the right to be left alone, or the absence of intrusion or interference. Information privacy is the right to exercise some control over the collection and use of one’s personal information.
“Privacy is not an option”
A citizen’s right to control the collection and use of their personal information constitutes data privacy. Information security is a subset of privacy. This is because protecting sensitive information and user data is the first step in keeping user data private. There is some overlap between the domains of privacy and security, which can include the concepts of data security or protection. The right not to be subjected to unauthorized invasions of privacy by the government, corporations, or individuals is enshrined in the constitutions and privacy laws of many countries.
“If it is private, don’t put it on social media.” – Unknown
We celebrate Data Privacy Day on January 28 which aims to raise awareness and promote data protection and privacy best practices.
Article 12 of the 1948 UDHR ( Universal Declaration of Human Rights) established for the very first time in international law the right to privacy. With the advent of such protection in the UDHR, many nations became more cognizant of the nuances of privacy and began incorporating such provisions into their national legislation.
In the 1980s, the expansion of globalisation and the emergence of the possibility of data crossing international borders necessitated the establishment of regulations for transborder data flows. The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data are a result of this. The Organization for Economic Cooperation and Development (OECD) aims to bring about synergy and harmonize the diverse interpretations of privacy principles that are observed in multiple jurisdictions.
The fundamental privacy principles outlined below were established at that time and have evolved in response to new requirements. In 1995, the European Union (EU) passed for the very first time Directive 95/46/EC, which marked a significant change in the privacy laws. This directive established an organised framework for EU member states for inter-country personal data transfer/flow, protection against unlawful processing of personal data, regulation providing for processing of data, classification of sensitive data and its protection, but it has been superseded by the all-new EU Act — General Data Protection Regulation (GDPR), which went into effect on May 25, 2018 with many new features such as the Data Protection Office’s role.
Is “Right to Privacy” Our Fundamental Right?
In India, the debate over whether the right to privacy is protected by Part III of the Indian Constitution has existed for quite some time. The current Chief Justice of India and the then-Justice of the Supreme Court of India, Justice S.A. Bobde held that the right to privacy is an essential component of personal liberty and is protected by Article 21 of the Constitution. Many countries still didn’t recognise Privacy to be the fundamental right.
Privacy Laws Across World
More than 120 countries have already enacted some form of international privacy laws for data protection, ensuring that citizens and their data are provided with more stringent protections and controls. International privacy laws for data protection will continue to evolve and develop to ensure the protection of personal data across all use cases and situations, including those that have not yet occurred.
In general, the international privacy laws for data protection adhere to or are guided by the following five global privacy principles:
➢ Notification – informing users, visitors, readers, and users of the policies in place to safeguard their personal information.
➢ Choice and consent – providing individuals with options and consent regarding the collection, use, storage, and management of their personal information.
➢ Access and participation – ensuring that the correct individuals have access to and use the information in accordance with the appropriate security protocols.
➢ Integrity and security – ensuring that the data is secure and no unauthorized access is possible.
➢ Enforcement – ensuring that the service, website, solution, and platform are in accordance with a regulation that enforces compliance.
As more social and economic activities take place online, the significance of privacy and data protection is becoming increasingly apparent. Equally concerning is the collection, use, and disclosure of consumers’ personal information to third parties without their knowledge or consent. 137 out of 194 countries had enacted legislation to protect personal data and privacy. 61% African countries and 57% of Asian countries have adopted such laws, respectively. The proportion of the least developed nations is only 48%. Some available online stats w.r.t Data Privacy Law stands as –
- 71% COUNTRIES WITH LEGISLATION
- 9% COUNTRIES WITH DRAFT LEGISLATION
- 15% COUNTRIES WITH NO LEGISLATION
- 5% COUNTRIES WITH NO DATA
The Parliament, via the Information Technology Act of 2000 (IT Act 2000) and its 2008 amendments, attempted to create a statute for the protection of data, including the following: granting legal validity to electronic transactions.
The IT Act stipulates that any organization that possesses, deals with, or handles sensitive personal data or information, and is negligent in implementing and maintaining “reasonable security practices” resulting in wrongful loss or wrongful gain to any person, is liable to pay damages to that person.
Personal data of individuals have become a tradable commodity for brokers/dealers in the e-economy, as the digital economy is gaining momentum and individuals’ data is frequently used for business operations such as e-commerce, digipay, etc. This has created a need to regulate the flow of data and the level of trust between those whose data is at issue and those who decide what to do with it. Therefore, a robust legal framework is required to, among other things, regulate the cross-border transfer of personal data of Indian residents and provide individuals with rights and remedies for the protection of their rights. To have a comprehensive data protection statute, the legislature has enacted the Personal Data Protection Bill, 2018 and followed by the 2019 version, which has been heavily influenced by the GDPR, CCPA, and others.
The Indian government appointed a Committee of Experts for Data Protection in August 2017 under the leadership of Justice B N Krishna. The Bill 2018 drafted by this expert committee is presented to MeitY in July 2018. MeitY then commences drafting the next version of the Bill. Again, in Dec The 2019 Bill was introduced for review in Parliament. After multiple extensions and a change in leadership, then than JPC (Joint Parliamentary Committee) Chairperson PP Chaudhary presented the report of the JPC on the PDP Bill, 2019, and the draft Data Protection Bill 2021 to the parliament in December 2021. On August 3, 2022, MeitY (Ministry of Electronics and Information Technology) withdrew the Data Protection Bill 2021 from parliament, citing the imminent introduction of a more “comprehensive legal framework.”
Finally, on 18th November 2022, a draft bill by the name “Digital Personal Data Protection (DPDP) Bill, 2022” was released to the Indian citizen for review, and asked to provide feedback by 17th December 2022. It is expected that considering the citizen & learned individuals’ feedback, the bill will be tabled in the upcoming parliament session in 2023 for approval with a few modifications. The then bill is expected to be the detailed one answering the open-ended questions left in the draft bill.
Does Privacy Matters
The importance of privacy has increased in the age of data exploitation. The manner in which data and technology are currently deployed poses a threat to our privacy on a scale we could not have imagined 20 years ago, outside of science fiction – the ways in which we can be tracked and identified have exploded, along with the types and amount of information available about us.
Privacy is the right to choose who we share what with, to set boundaries, and to limit who has access to our bodies, places, and things, as well as our communications and information. It permits us to negotiate who we are and how we wish to interact with the world around us, as well as to define our relationships on our own terms. In addition to the mentioned, privacy is a right that enables the enjoyment of other rights, and interference with our privacy frequently opens the door to infringement of our other
“Privacy matters. Privacy is what allows us to determine who we are and who we want to be.” – Edward Snowden
Any lapse in the Data privacy process can lead to a data breach. A typical data breach can occur in a matter of minutes. However, detecting the attack is a different story and can take significantly longer depending on your security stack application & strategy. In the meantime, the consequences of the ensuing data brßeach can last for years.
It is crucial to safeguard this information, as its disclosure can easily result in revenue loss, reputational harm, operational disruption, and regulatory sanctions, to name a few.
- Loss of Sales and Financial Impact
- Loss of Brand Value and Reputation
- Operational Downtime
- Litigation and Legal Action Threat
- Fines & Penalties
Rights for Citizen
First of all, we need to educate ourselves on privacy. In India, ‘right to privacy’ is your fundamental right and hence being alert & educated about the topic is important. You can protect your privacy, maintain your identity, and reduce the amount of data companies collect about you online by taking a few simple steps such as avoid sharing personal information online or to anyone else, using strong, unique passwords and two-factor authentication, tightening privacy settings for online accounts, removing unused mobile apps and browser extensions, preventing search engines from tracking you, not ignoring software updates, disabling ad and data tracking, and revoking unnecessary third-party app connections.
Being vocal & reporting any such breaches to the service provider (Data Fiduciary /DataProcessor) is also your responsibility. It’s true that even the service provider has the responsibility to let the user know if there is a data breach. The current DPDP 2022 draft bill has given us (citizen) rights to the user (Data Principle) such as :
- Clause 11 – Right to Information about personal data
- Clause 12 – Right to correction and erasure of personal data
- Clause 13 – Right of Grievance Redressal
- Clause 14 – Nomination Right
Also, a clause does bind the citizen by mentioning “A Data Principal should not register a false or frivolous grievance or complaint with a Data Fiduciary, Data Processor or the Board”.
Privacy & Security
Security is concerned with the protection of data, whereas privacy is concerned with the protection of user identity. However, the specific differences are more complex, and there is certainly an overlap between the two.
Security refers to the prevention of unauthorized data access. For example – Some organizations implement security measures to restrict access to the information for their employees to keep their data secure.
Privacy is more difficult to define because user-specific information can also constitute secure data. For example – Organizations providing employee data to 3rd parties/vendors without the employee’s consent is a privacy breach. Privacy can not be implemented without security in place. Hence different ways of data security solutions (process of protecting data from unauthorized access and data corruption throughout its lifecycle whether data is rest or motion) should be implemented in an organization to fight against the privacy breach.
Security in IT is like locking your house or car – it doesn’t stop the bad guys, but if it’s good enough they may move on to an easier target. — Paul Herbka, CISSP, MBA
Privacy is not merely a commodity, as if the information about us were nothing but currency. It relates to values, culture, power, social standing, dignity, and freedom. We are citizens, not physical data masses to be harvested. Privacy extends well beyond the
consideration of individualistic, personal harms. It is fundamental to a healthy democratic society. Protecting it as technology advances is a personal and social concern.
Privacy, however it is defined, generates valuable attention because it encourages deep reflection of the past and future. For those who want to see strong privacy values reflected in the technologies spreading the human environment, it is helpful to review the values and the available methods for incorporating them into products.