A look at the Cambridge Analytica scandal case, which Meta is set to settle for $725 mln

Context- Facebook owner Meta Platforms Inc has agreed to pay $725 million to resolve a class-action lawsuit accusing the social media giant of allowing third parties, including Cambridge Analytica, to access users’ personal information.

The proposed settlement, which was disclosed in a court filing late on Thursday, would resolve a long-running lawsuit prompted by revelations in 2018 that Facebook had allowed the British political consulting firm Cambridge Analytica to access data of as many as 87 million users.

What is Cambridge Analytica?

Cambridge Analytica obtained that information without users’ consent from a researcher who had been allowed by Facebook to deploy an app on its social media network that harvested data from millions of its users.

The ensuing Cambridge Analytica scandal fueled government investigations into Facebook’s privacy practices, lawsuits and a high-profile US congressional hearing where Meta Chief Executive Mark Zuckerberg was grilled by lawmakers.

What is India’s Privacy regime?

In 2017, the Supreme Court, in Justice K. S. Puttaswamy Vs Union of India, unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21. The Government appointed a committee of experts on data protection under the chairmanship of Justice B N Srikrishna in August 2017, which submitted its report in July 2018 along with a draft Data Protection Bill.

What are the provisions in the bill (Digital Personal Data Protection Bill, 2022)?

  • Data Principal refers to the individual whose data is being collected. In the case of children (<18 years), their parents/lawful guardians will be considered their “Data Principals”.
  • Data Fiduciary is the entity (individual, company, firm, state etc), which decides the “purpose and means of the processing of an individual’s personal data”
  • Data Protection Board will act as the adjudicating body to enforce the provisions of the Bill.
  • Data Protection Officer and independent data auditor will be appointed by businesses of “significant” size (based on the amount of data they process), to monitor compliance with the law.
  • The new Bill relaxes data localisation rules and permits data to flow to certain global destinations, based on their data security landscape.
  • Users will have the right to have their personal data in the custody of enterprises corrected and erased.
  • Companies will not be obligated to keep user data that no longer serves a business purpose.
  • Companies should not process personal data that could harm minors (less than 18 years of age).
  • To promote the start-up ecosystem, the government may also exclude certain enterprises from the Bill’s restrictions based on the volume of users and personal data handling.
  • The Central government has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of –
    • Sovereignty and integrity of India,
    • Security of the state,
    • Friendly relations with foreign states,
    • Maintenance of public order or preventing incitement to any cognisable offense.
  • Penalties focus more on financial penalties than on criminal conviction, i.e. between Rs 50 – 500 crore for data breaches and noncompliance.

What are the concerns regarding the bill?

  • Missing Rights for Data Principals: The Bill misses out on two main rights for Data Principals:

(a) Right of data portability: It would have allowed the data principal to receive their personal data (that they had provided to the data fiduciary and the data generated by the fiduciary through processing) in a structured format.

(b) Right to be forgotten: It would have allowed the data principal to ask the data fiduciary to stop the continuing disclosure of their personal data.

  • The Bill is focussed on personal data and excludes non-personal data, which was a demand by the industry and civil society alike.
  • Government Control- While the Data Protection Authority was earlier envisaged to be a statutory authority (under the 2019 Bill), the Data Protection Board is now a Board set up by the Union Government. The Government will have a say in the composition of the board, terms of service, etc.
  • Data Localisation- The draft law does not require local storage of data. Unlike previous versions, it does not ask businesses to store certain sensitive and critical data exclusively in India or to mirror a copy of such data on Indian servers.
  • No Criminal Liability- The DPD Bill has done away with criminal liabilities, as well as penalties that are directly linked to the turnover or revenue of an erring Data Fiduciary.
  • Data of Children- The Bill requires parental consent for those under 18 years of age. Requiring consent from parents would hamper the autonomous development of children, since parents may not want them to be exposed to viewpoints contradictory to their own.
  • Government bodies can be exempted from the application of the law in the interests of India’s sovereignty and integrity, security, foreign relations, public order and others. There is no bar on how long government agencies can retain data.
  • The previous versions required considerable information in terms of the rights of the data principals, grievance redressal mechanism, retention period of information, source of information collected etc. to be provided for the data principal. The current Draft reduces the scope of this information to the personal data sought to be collected and the purpose of processing the data.

Way Forward- The Government can consider addressing criticisms of the bill to develop a comprehensive modern architecture governing the personal data of Indians.

Syllabus- GS-2; GS-3; Privacy; Data Protection Law

Source- Indian Express
