Non-consensual or Unauthorised Data Collection, Sharing and Usage

Data-driven businesses have unlocked convenience and personalisation of user experience and services. However, without adequate systems to manage individuals’ personal data, non-consensual and unauthorised use of data has the potential to expose users to various risks.

The past six years have witnessed a growth in data-driven businesses which have provided users with customised products and services. Using data to understand user behaviour has unlocked new opportunities for businesses. These emerging business models have also considerably added to consumer convenience. There has been a 3x growth in the funding of tech-based startups in sectors such as EdTech and FinTech, that have leveraged AI to improve their offerings.

However, with the increased access to personal data for businesses, a lot of user information is at risk of being misused for unauthorised purposes. Third party sharing of user data (including personal data) and targeted advertising hold the potential to infringe upon the privacy of an individual. This despite the enshrinement of the ‘Right to Privacy’ by the Supreme Court in 2017.

Consent means any freely given, specific, informed and explicit indication of a user’s agreement to their personal data being processed.97

Data Privacy is the idea that individuals should have the freedom to determine how their digital information is collected and used.98

Amisha is the Vice President of a leading MNC and lives in Bangalore. She is a social, outgoing person and loves to share her personal and professional experiences through social media.

Given her busy schedule, she usually prefers convenience and uses online channels for everything— from ordering groceries to planning her vacations and even managing her household activities through internet enabled devices.

Her contact details are easily available online. She has been getting a lot of spam emails and calls from agencies she never interacted with. The frequency of these calls and the fact that her data was shared without her consent is making her feel unsafe and is affecting her mental wellbeing. She is also worried by these targeted feeds and advertisements that are compounding her insecurities and making her feel isolated.

Over the past six years, the system’s response to non-consensual and unauthorised data use has evolved from the nascent to the mainstream stage. There is a growing recognition of data privacy concerns among individuals, businesses, and governments. The deliberations on the data protection bills since 2019 have brought about greater legal consensus on how to mitigate the risks as a result of which leading private-sector firms have started acting on data privacy.

2016 status: Recognition of the risk was limited to the experts. This was visible in the petitions filed during the 2016 WhatsApp privacy policy change.99

In the Puttaswamy judgement, SC upheld the ‘right to privacy’.100

2022 status: The risk is well understood by all stakeholders. While the data protection bill is in its final stages, business solutions have also increased. Increased awareness among consumers was visible during the 2021 WhatsApp privacy policy change.

Post the Snowden leaks and debates regarding individual privacy, the GDPR was passed in the EU.101

The report submitted to MeitY in 2019 was on the basis of the first draft of the PDP bill in 2020 that set out the framework for data protection regulation in India.102

Series of privacy features launched by businesses

Between 2019 and 2021, Google and Apple updated the privacy policies for their platforms. Safari and Firefox also changed their cookie settings.103

The 2019 bill was withdrawn in August 2022 and a new draft Digital Personal Data Protection Bill, 2022 was released for public feedback in November.104

Privacy and data protection measures by businesses have increased

Policy focus on data collection and sharing has increased. A new draft Digital Data Protection Bill is being actively debated.

Awareness on concerns of data collection, sharing and usage has increased.

In 2016, only few forward looking companies such as Snapdeal were talking about the risk of data privacy. By 2021, businesses such as Apple incorporated device privacy as a USP for their products. Experts have also suggested that a lot of cloud service providers are using customer encryption keys. Additionally, cookie settings have also been changed by browsers such as Firefox and Chrome. Privacy-first measures are being seen as a competitive advantage by businesses.105

The AP Shah Committee, 2012, had worked on Aadhaar related privacy concerns but no regulations emerged. In 2016, digital privacy concerns were sparsely covered under the individual clauses of the IT Act. After the Puttaswamy judgement of 2017 and the release of Srikrishna Committee report in 2018, a bill was developed and tabled in parliament in 2019. This was referred to a Joint Parliamentary Committee which submitted its report in 2021. In 2022, the 2019 bill was withdrawn and a new draft was released for public feedback.106 107 108

Reportedly, 122 mn people were using mobile browsers with built-in ad blockers in 2016. There were no visible reactions on privacy concerns then. In 2021, ad blocker usage had grown to ~50% of the population. Individuals have also been voicing their opinions against sharing of personal data, as was seen during the 2021 WhatsApp policy updates.109 110

7: Affordable and Personalised Products and Services | Non-consensual or Unauthorised Data Collection, Sharing and Usage

The increasing interest of all stakeholders in ensuring privacy has developed a vibrant ecosystem to solve this risk. However, solutions are limited and the risk is expected to grow with the use of newer technologies such as IoT and AI. Hence, to ensure the sustainable mitigation of risk, and consensual data sharing and usage, our research suggests the following pathways for philanthropic investment:

Aid implementation of solutions by building feedback loops: Large scale research, grievance redressal mechanisms.

Support implementation of scale solutions to mitigate the risks at scale.

Piloting private sector solutions that eliminate the trade-offs in diverging priorities of private, public and social sectors.

The table below presents gap areas and illustrative funding opportunities for philanthropic capital to improve data privacy:

Build a pan-India representative dataset of consumer perceptions and requirements to highlight the gaps in data privacy awareness and required solutions. This can enable increased understanding of the concept among users and improve transparency and accountability of existing solutions.

Develop certification or skilling initiatives for programmers to incorporate privacy by design in technology products.

Fund and support open-source solutions that can create technology solutions that address privacy and transparency. These technologies can be aimed towards data minimisation, better identity and access management, and data compliance for businesses (for example, masking personally identifiable information while processing customer data).

Fund and support low cost solutions that enable businesses to implement responsible data practices and ensure compliance with privacy regulations.