Despite Cambridge Analytica and upcoming elections, the govt is still sitting on critical data protection legislation

A year has gone by since the **Cambridge Analytica data breach came to light** . Facebook screwed up and let data of 87 million users be captured without their knowledge. While the European Union has activated the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, India is still is debating the Data Protection Bill as prepared by Sri Krishna Committee. The Cambridge Analytica scandal not only affected the US and the UK but **also over 5 lakh Indian citizens,** whose data was compromised. In the US and the UK, psychographic profiles of Facebook users were created to later target them with advertisements, to influence their voting patterns. Christopher Wylie, in his tweet dated 28 March, 2018, mentioned that SCL, the parent company of Cambridge Analytica, was involved in elections of Rajasthan, Madhya Pradesh (2003); Kerala, West Bengal, Assam, Bihar, Jharkhand and UP (2007); Uttar Pradesh (2007); General Elections (2009); Bihar (2010); Uttar Pradesh (2011 & 2012).

I've been getting a lot of requests from Indian journalists, so here are some of SCL's past projects in India. To the most frequently asked question - yes SCL/CA works in India and has offices there. This is what modern colonialism looks like. pic.twitter.com/v8tOmcmy3z

— Christopher Wylie 🏳️‍🌈 (@chrisinsilico) March 28, 2018

The government admitted that there were media reports about leakage of personal data for political use. These reports were taken note of and notices were sent to Cambridge Analytica and Facebook to come clean on these matters. While Facebook and Cambridge Analytica claimed that there was no misuse of data, the government wasn’t adequately convinced. Eventually, in July 2018,  **CBI was asked to investigate this matter** with regard to possible misuse of user data by Cambridge Analytica. The CBI, as of 12 March, 2019, has not carried any conclusive investigation in the matter. It has merely written to the companies (Facebook and Cambridge Analytica) seeking more information on the subject and its data collection methodology. It is still carrying the preliminary investigations and has not registered the FIR on the subject. [caption id=“attachment_6297081” align=“alignnone” width=“1024”] File photo of voters at a polling booth in Madhya Pradesh. PTI[/caption] The government claims that it already has provisions for the protection of user data. Section 43A and Section 72A of the Information Technology Act, 2000, provides for privacy and security of data in digital form. Section 43A provides for compensation to be paid to the victim in case of unauthorised access of information and leakage of sensitive personal information respectively. It mandates ‘body corporates’ to implement ‘reasonable security practices’ for protecting ‘sensitive personal information’ of individuals. Section 72A of the Act provides for punishment for disclosure of information in breach of the lawful contract. Further, Information Technology (Intermediary Guidelines) Rules 2011 notified under Section 79 of the IT Act, 2000, require that the intermediaries shall observe due diligence while discharging their duties and shall publish the rules and regulations, privacy policy and user agreement for access or usage of its computer resource by any person. So, it needs to be investigated that Facebook had implemented the provision of IT Act 2000 and IT Rules 2011 and done its due diligence that the data has not been misused by Cambridge Analytica. In case Facebook as an intermediary has not done the due diligence, then the financial penalties as per IT Act can be imposed on it. To further strengthen personal data protection of user, the government had set up a Committee of Experts under the Chairmanship of Justice (Retd.) Shri B N Sri Krishna to prepare a data protection framework and work out the Data Protection Bill. The Sri Krishna Committee deliberated on various issues and brought out a White Paper on Data Protection that laid down the principles. Thereafter, the Committee submitted its report along with draft Bill to MeitY. The report and the draft Bill were placed in the public domain and comments were sought, feedback has been received. Steps are afoot to bring about data protection legislation. The Supreme Court delivered its judgment in on 26 September, 2018, **in case of Aadhaar Act 2016** wherein the apex court impressed upon the government to bring out a robust data protection regime in the form of enactment of the Act based on Justice BN Sri Krishna Committee Report with necessary modifications wherever deemed appropriate. [caption id=“attachment_4339161” align=“alignnone” width=“1280”] Representational Image. Reuters[/caption] The need for protecting privacy of individuals is important in the online world. It is up to the individuals to what extent they share their information on the digital platforms, but the same may have dangerous repercussions for which one must be prepared. Having said that, the **Right to Privacy is an intrinsic part of the right to life and personal liberty** under Article 21 and it is the government’s responsibility to protect it. The Parliamentary Committee on Information Technology under the chairmanship of Member of Parliament, Anurag Thakur, sought the personal appearance of senior officials of Twitter, Facebook, WhatsApp and Instagram before it and suggested that they should adhere to guidelines and directives of Election Commission  during the ongoing general election, in real time. But with elections less than a month away, fake news and reaching out to voters based on some kind of profiling is a possibility in India, just like it happened in the US.

Model Code of Conduct enforcement in the absence of data protection law

With the general elections in India set to begin in less than a month and the **Model Code of Conduct being**   **enforced** since 10 March, 2019, the use or misuse of the lack of a dedicated data protection law in the country can be exploited by political parties in the country. The Election Commission of India (ECI) has mentioned that **there will be a social media expert in district and state level monitoring committees** apart from radio and electronics media experts. Only approved political social media advertisements will be used as part of the campaigning and there will be no social media advertisement before 48 hours of the elections in a constituency. In nutshell, all the provisions of Model Code of Conduct will apply to social media site just as they are for traditional media. A meeting of ECI was held with Internet and Mobile Association of India (IAMAI) and representatives from social media organisations such as Facebook, WhatsApp, Twitter, Google, ShareChat, TikTok and BigoTV on 19 March, 2019. In the meeting the Chief Election Commissioner (CEC), Sunil Arora exhorted that social media organisations, who are formidable force-multipliers, should come up with a code for the ongoing election process in the immediate context and a lasting document in the long run. [caption id=“attachment_5588451” align=“alignnone” width=“1280”] Representational Image.[/caption] Election Commissioner, Ashok Lavasa, pointed out that voluntary restraint is a hallmark of civilised society and works as effectively as any regulation. He suggested that a clear clause on users’ voluntarily agreeing not to misuse social media platforms for election or political purposes should be considered by the management. Election Commissioner, Sushil Chandra, reminded the representatives that ECI is committed to ethical, free and fair elections. He reiterated that role of social media in helping spread information as well as curbing misinformation cannot be underestimated. IAMAI and social media intermediaries have agreed with the ECI to come up with a ‘Code of Ethics’ for the industry laying down operational details of the use of social media in the elections. It needs to be seen that political parties which time and again violate the Model Code of Conduct will actually adhere to a Code of Ethics on social media.