The Digital Data Bill: A Paradigm Shift in Advertiser-Consumer Interactions
The European Data Protection Board (EDPB) recently ruled that Meta, formerly Facebook, cannot continue targeting ads based on users’ online activity without affirmative, opt-in consent. This ruling is based on the consent provisions of the General Data Protection Regulation (hereinafter “GDPR”) of the European Union and has been seen as a significant step in the right direction. Voluntary opt-in consent should be the baseline requirement for any data collection, retention, or use. The ruling states that the company should not track its users unless they opt in. With laws constantly changing the relationship between advertisers and people, this article seeks to analyze the potential impact of India’s new Personal Data Protection Bill, 2022 on that relationship.
Targeted Advertisements: A Threat to Privacy?
“Surveillance is the Business Model of the Internet.” – Bruce Schneier
It has been three decades since the internet revolutionized the way we communicate, access information, and conduct business. Companies and brands that earlier relied on selling classified, print and television ads to cater to a larger audience, then shifted to digital advertisements on the internet, thereby dramatically expanding their marketing tool kit. This shift powered the growth of websites like Google, Twitter, and Facebook.
With the widening of technological horizons, a new and concerning method of marketing has developed. The internet has become a repository of its users’ information, and this information is covertly used by advertisers to target demographics more accurately. Whether it be retailers being able to accurately predict a pregnancy, or political parties garnering support through targeted propaganda, the widespread use and effectiveness of these techniques are startling.
The primary way in which such information is collected is through cookies. Cookies are small text files that are stored on a user’s device by a website. It is pertinent to note that their intended purpose was to improve user experience by remembering preferences, login information, and browsing history. More recently, cookies have been found to serve more nefarious purposes. In 2018 it was discovered that Cambridge Analytica, a consulting firm, harvested data from millions of Facebook users without their consent, and used this information to create targeted political advertising during the 2016 U.S. Presidential election.
The extent of surveillance on the internet has been extensively documented. The growing concerns regarding use of personal data by large corporations through unscrupulous means led European advocacy group “None of Your Business” (NOYB) to file complaints against Facebook, Instagram, and WhatsApp in 2018 to several relevant data protection agencies in the EU, which finally led to the decision mentioned in the introduction.
The companies complained against, which now form a part of Meta, attempted to evade the consent requirements under the General Data Protection Regulation (GDPR) passed by the European Union. The GDPR, under Articles 6(1)(a) and 7(3), requires companies to obtain the express consent of data subjects for the use of their personal data, giving them an option to withdraw their consent at any time. Meta attempted to bypass this requirement by adding its consent clause to the terms and conditions of its websites, in order to give the consent clause a contractual nature. The recent ruling is a firm stand against data mining and targeted advertising without consent. The harms of this sort of data collection and subsequent usage are several. Not only does targeted advertising violate one’s right to choice, exploit vulnerable populations and contribute to the overall commodification of humanity, but it has also resulted in racist voter suppression and housing discrimination in the USA, where this form of data collection is more rampant.
In India, it is important to develop a framework that addresses the predatory nature of targeted advertising. Observing the way such data has been used to manufacture and amplify certain ideas and narratives, it is not a stretch to think that online user data has been and will be used to distort the social and political fabric of the country, in a clear violation of the right to privacy and autonomy under Article 21 of the Constitution. In this context, does the new Bill offer an alternative landscape within which advertisers and individuals can interact with each other?
Targeted Ads under New Draft Data Protection Bill
In India, targeted advertising is primarily governed by the Indian Contract Act 1872 (“ICA”) and the Information Technology (IT) Act 2000, with many other secondary and tertiary legislations primarily aimed at different objectives. Section 14 of the ICA provides for the essential prerequisite of ‘valid consent’, which, when combined with the other conditions of a valid contract, gives rise to a contract between users and the service for the purpose of targeted advertising. The IT Act 2000 has provisions for protecting the sensitive personal data and privacy of individuals. Moreover, the Advertising Standards Council of India (ASCI) is an independent body that regulates and monitors advertising content across all media, including digital, to ensure that all advertisements are legal, decent, honest, and truthful. However, these provisions are insufficient, as they exist in silos and lack the coherence needed to deal with the evolving paradigm of data and safety concerns. The further shift from conventional methods of advertisement to personalized, data-based targeted ads has posed novel challenges to lawmakers, which resulted in the rolling out of the draft bill on data protection tailored to Indian needs.
Consent Drives the Discourse
Consent has always been one of the grounds for processing personal data across jurisdictions, and the same has been provided under section 7 of the Digital Personal Data Protection Bill, 2022 (hereinafter “DPDPB”). Section 6 of the Bill further imposes notice as a precondition to consent. The said notice can either be in electronic form or a document. For any fiduciary to continue to process the personal data of the data principal (users), it is obligated to seek explicit consent by providing an itemized notice specifying the purpose of such data processing in clear and plain language, as provided in section 6(2) of the Bill. In effect, this provision would make it mandatory for any digital service provider to seek explicit permission from users for each specific purpose; a pre-ticked box that automatically opts a user in will therefore not cut it anymore, as opt-ins need to be a deliberate choice. Clause 7 of the Bill further provides for the withdrawal of consent through an accessible, transparent, and interoperable platform provided by a data fiduciary called a Consent Manager. The Bill goes a step further by imposing the need to seek consent retrospectively for continuous data processing. These provisions are much in line with the recent decision of the EDPB and will give users much control over their data on social media.
The Conflict of Consent – Inconsistencies in Data Processing
While the GDPR recognizes ‘contractual necessity’ as a valid basis to process personal data, it is crucial to note that the DPDPB omits this ground and provides ‘consent’ inter alia as the only tangible ground (since other grounds are circumstantial) for processing personal data, which may, in practice, conflict with the GDPR. For instance, travel bookings require sharing of data with airlines and hotels; shipments of products require sharing of data with carriers and customs officials. Under the GDPR regime, such data processing is permitted within the ambit of contractual necessity, whereas a similar situation in India would require specific consent as discussed above. A company that has been processing data under the GDPR regime and now operates under both regimes will face an inherent conflict of law because of the different processing grounds (from contractual necessity to consent). This appears to have been restricted by GDPR data protection authorities, such as the ICO, which may leave Indian companies in abeyance.
In certain circumstances, the Bill also provides for ‘implied consent’, where a data fiduciary would be able to process every kind of personal data (including sensitive personal data) on meeting simple and undemanding conditions. This provision dilutes the protection for personal autonomy granted under clause 7, as this ‘implied consent’ is not limited to a specific purpose and cannot be withdrawn.
Children at Crossroads with Privacy Laws
In growing consumer markets, children are the most vulnerable to targeted marketing, and hence prone to data profiling, tracking and behavioral monitoring. Clause 10 of the Bill explicitly prohibits any such surveillance-based advertisement directed towards children, and in circumstances where it is necessary to process their data, fiduciaries should obtain verifiable parental consent.
But here the cause of concern is that the definition clause of the Bill includes parents and legal guardians of children under 18 years of age as ‘Data Principals’ (the individuals to whom personal data relates). Although this provision is inserted with the intent of providing safeguards to a child who cannot intellectually consent to the use of his own data and the other possible ramifications emanating from it, the Bill fails to consider the distinction between the mental acumen of a child who is a toddler and one who is a teenager. This would be detrimental to the autonomous development of a teenager, who would be required to seek the consent of his parent or guardian every time he wishes to access any service that requires processing of personal data.
Other Lacunae in Interpretation
Clause 13(2)(d) provides that a data principal can request erasure of their personal data when the personal data is no longer necessary for the purposes for which it was processed, unless it is required to be retained for a legal purpose. However, clause 9(6) of the Bill permits data fiduciaries to retain personal data for “business purposes”. Here, a case of conflicting interpretation may arise where fiduciaries refuse to erase the data citing this exception and employ the available voluntary and behavioral data to produce targeted advertising, defeating the primary purpose of this Bill.
Clause 16(3) reads as “Data Principal shall, under no circumstances including while applying for any document, service, unique identifier, proof of identity or proof of address, furnish any false particulars or suppress any material information or impersonate another person.” Here the use of the word ‘including’ obliges the individual to furnish correct data without suppressing material information under all circumstances, even to private entities. This provision can have a detrimental impact if a user of such digital services wishes to exercise his or her right to stay anonymous in personal interactions, hence contravening the ‘right to be left alone’ as per Justice K.S. Puttaswamy (Retd) v. Union of India (2017) 10 SCC 1. Further, data collected by private entities (email, contact details, etc.) can be misused for targeted spamming and nuisance.
Understandably, advertisers are apprehensive about the enactment of this draft Data Protection Bill. Consent requirements would hamper business in the digital ecosystem, and advertisers who have relied on personal data would be losing consistent access to the resource. Overall, the potential impact of the Bill on the business of advertisers could be drastic.
However, there is evidence that points towards the potential benefits that transparency in advertising can bring. A study conducted by Harvard Business Review found that while people are comfortable disclosing personal information themselves, third-party sharing (when information is passed on unbeknownst to the subject) can make people feel uneasy. The feeling of being “spied on” by advertisers negatively impacts the purchase interests of the subjects. Looking through this lens, the new Bill provides an opportunity for advertisers to foster better and more effective relationships with potential customers. A system that requires subjects to opt in and gives them the power to withdraw consent allows people to retain their autonomy and guard against the predatory usage of their personal data.
Since there is no clause that provides for “contractual necessity”, data processing for the fulfillment of contractual obligations will also require the consent of the data subjects. At least in the context of advertising, it is important that companies not engage in contractual relations that might compromise the privacy of data subjects without their knowledge. While inconsistency with the GDPR may force Indian companies to develop region-specific standards, there is no question that personal data should not be transacted for the purpose of advertising without the informed consent of data subjects.
While the Bill’s inconsistencies and shortcomings may result in issues of applicability and execution, it has been well received, specifically for ensuring greater protections for data subjects against private entities. It will also force companies to adopt a more transparent business ethic that may ultimately be to the benefit of both consumers and advertisers.