Data Privacy: Decoding the Myth
Introduction
The International Data Privacy Day is celebrated every year on 28th January to create awareness among masses that they should protect their data from data breaches and adopt ways to secure data privacy. This awareness is important is today’s information age. However, we really need to delve upon the thought -Can data ever remain private? Can we really achieve privacy in digital space where the footprints are anonymously mapped without knowledge? These are the fundamentals which we need to deliberate upon before we talk of protecting our data from breach of data privacy.
Conceptual Development
Privacy is easy to define in theory but difficult to prove in practice. In common parlance, “privacy” means the quality or state of being apart from company or observation[1] . Broadly speaking, privacy is the right to be let alone, or freedom from interference or intrusion. Information privacy is the right to have some control over how your personal information is collected and used[2] . Data is the soul of current digital world. If that is harmed, the concept of privacy automatically gets compromised.
Privacy in digital world must not be confused with security.?Data privacy is focused on the use and governance of personal data—things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in appropriate ways. Security focuses more on protecting data from malicious attacks and the exploitation of stolen data for profit. While security is necessary for protecting data, it’s not sufficient for addressing privacy[3] .
Legal Landscape
Today, there are more than 120 countries already engaged in some form of international privacy laws for data protection to ensure that citizens and their data are offered more rigorous protections and controls. With the process, it’s clear that international privacy laws for data protection will continue to evolve and develop to ensure personal data protection across all use cases and situations, even those that have yet to present themselves[4] .
The European Data Protection regime in the form of General Data Protection Regime is the path breaking one which set the standards for others. It showed the pathway to be followed to secure the data privacy along with balancing the commercial interests. The enforcement of GDPR created a seismic global shift in how countries, organisations and individuals viewed data privacy and saw a rapid global move towards more rigorous controls and protections[5] . Many nations have followed the suit and today , we have following legal landscape spread across the globe in terms of data privacy-
1.????The U.S.A.- Though there is no comprehensive federal law at central level, various states have implemented their own data protection laws. Among all of them, California Consumer Privacy Act (CCPA)[6] provides robust privacy rights and consumer protection mechanism. The law allows for residents of the state to establish precisely how their personal data is being collected and what it is being used for. Other states with bills in place, or in the process of being passed, include Alabama, Connecticut, Florida, New York, Washington, Illinois, Texas and Virginia[7] .
2.????Brazil has the General Data Protection Law that supports and supplements the extensive list of more than 40 data privacy-related laws that have been implemented over the years. This legislation irons out the conflicts between the different laws, clearly defines the concepts of personal data and public data, outlines clear liabilities, and is applied to all sectors of the country[8] .
3.????South Africa has implemented the Protection of Personal Information Act (POPIA)[9] which has provided a stringent data protection laws in South Africa.
4.????India- After having multiple versions of the Data Protection Bill, the Indian Government has brought The Digital Personal Data Protection Bill in November 2022. This Bill has laid down data protection architecture aligning to the global standards and practices.
Schrems II, a ruling that addressed the flow of information from the European Union to the United States, has had an immense impact on global international privacy regulations and approaches. This ruling is reshaping how global organisations that operate across multiple countries and legislations approach the protection of personal information. Schrems II is set to have long-lasting impact across the US and beyond, shifting how organisation and country approaches data protection within global commerce and underscoring the importance of investing into privacy toolkits, technology and professionals to ensure absolute compliance to the letter of any local law[10] .
In spite of having such a robust and widespread stringent data protection architecture across the globe and within the nations, the instances of breach of data privacy are being revealed on weekly basis. Recently, a hacker has leaked stolen data on a prominent cybercrime and hacking forum from Uber. Another news is that The Department of Finance in California has been the target of a cyberattack now claimed by the LockBit ransomware gang[11] .
Thus, it is a myth that law can secure our data and our digital privacy. Cyber criminals are always one step ahead of legislators and they find ways out to commit the data privacy breach in one form or the other.
Right to be Forgotten
In light of above discussed scenario, in order to protect the data privacy, power to exercise the right to be forgotten is very important. The concept of the right to be forgotten, also known as the right to erasure, is that individuals have a civil right to have their personal information removed from the internet. Likewise, a traceable procedure must be in place to ensure that removed data is also erased from backup storage media[12] .
In 1998, Mario Costeja González, a Spaniard, had run into financial difficulties and was in severe need of funds. As a result, he advertised a property for auction in the newspaper, and the advertisement ended up on the internet by chance. Mr Gonzáles, unfortunately, was not forgotten by the internet. As a result, news about the sale was searchable on Google long after he had fixed his financial issue, and everyone looking him up assumed he was bankrupt. Understandably, this resulted in severe damage to his reputation, prompting him to take up the matter to the court. Ultimately, this case gave birth to the concept of the “right to be forgotten”. The European Court of Justice ruled against the search engine giant Google, declaring that under certain circumstances, European Union residents could have personal information removed or deleted from search results and public records databases. However, in 2019 the EU Court restricted the ruling only to the European Union, saying Google does not have to apply the “right to be forgotten outside Europe”[13] .
This situation which led to the evolution of “right to be forgotten” is adequate to demonstrate how the digital footprints can be detrimental to data privacy as well as reputation of human beings. In this advanced information age, this assumes more significance as data privacy can be easily breached if digital footprints are not erased for very long time.
领英推荐
In EU GDPR, right to be forgotten is clearly and visibly recognized. In India, the current data protection bill gives right to erasure to the data principals but unless it becomes a law, Indian citizens does not have any legal provision to protect their data privacy through exercise of this right. Thus, data privacy again proves to be illusionary concept.
Conclusion
To conclude, even now when you are reading the article, your digital presence is being noted on some of the server. Your digital footprints are being observed. Nothing is private in this digital space and to expect privacy is foolish thing to do ever. In spite of having diverse data protection laws across the globe, the data privacy breaches are frequent and severe. This reveals that the data privacy is myth. It seems that it is being protected; However, unless the right to be forgotten is exercised in absolute manner, the protection of data privacy can not become a reality.
?Written by- Dr. Mayura Sabne
[1] Privacy, Merriam-Webster, Available at https://www.merriam-webster.com/dictionary/privacy
[2] What does Privacy Mean? IAPP, available at https://iapp.org/about/what-is-privacy/
[3] Ibid
[4] Beyond Gdpr: Data Protection Around the World, Available at https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/magazine/beyond-gdpr-data-protection-around world#:~:text=Schrems%20II%20and%20beyond%20GDPR,more%20rigorous%20protections%20and%20controls.
[5] Ibid
[6] Available at https://oag.ca.gov/system/files/initiatives/pdfs/19-0017%20%28Consumer%20Privacy%20%29.pdf
[7] Ibid
[8] Ibid
[9] Available at https://popia.co.za/
[10] Ibid
[11] Recent Data Breaches in the News, Secure Link, available at https://www.securelink.com/resources/data-breach-news/
[12] Sanjay Vashishtha, The Evolution of Right to be Forgotten, 2022 SCC OnLine Blog Exp 7, available at https://www.scconline.com/blog/post/2022/01/27/the-evolution-of-right-to-be-forgotten-in-india/
[13] Ibid