Digital Security : FB data leak

Are you the ONE who don't like to take chances and waste one precious year by failing in Prelims?

Do you want to test your knowledge after reading a particular topic? Then The MCQ Factory (TMF) is for you! It provides topic wise high quality MCQs for testing your knowledge in a particular topic. More details here

Context:

  • Facebook noticed an unusual spike in the number of times the platform’s ‘View As’ feature was being used. Subsequently, Facebook announced that it had identified this as a malicious activity in which the access tokens of 50 million users were appropriated by unknown hackers, and certain personal details possibly accessed.
  • Facebook was caught on the wrong foot earlier this year, when the Cambridge Analytica scandal broke.
  • The Cambridge Analytica episode revealed that data of up to 87 million users were harvested and used for political campaigning.

Action taken by Facebook:

  • Facebook has since said it has resolved the bugs.
  • Also, pursuant to these developments, Facebook is said to be working with the FBI on the issue.
  • Facebook has also informed the Irish Data Protection Commission, since the European Union’s strict new data protection law states that it has to be informed within 72 hours if anyone in the European Economic Area is affected.
  • The Commission has started a probe, and Facebook faces a fine that could go over a billion dollars.

EU’s General Data Protection Regulation (GDPR):

  • It was the European Union (EU)’s General Data Protection Regulation (GDPR), which came into force in May 2018, that forced Facebook to go public with the breach so promptly, even before the full extent of the damage could be assessed.
  • The GDPR’s stringent guidelines require companies to make such events known within three days of their discovery.
  • Facebook faces a potential penalty of €20 million or 4% of its global revenue (whichever is higher) if the EU regulator investigating the data breach finds a GDPR violation in connection with the incident.

Way Forward:

An equitable regulatory regime such as the GDPR must become the universal norm, in force beyond the EU jurisdiction as well.

 

Tech Giants Data Localisation

Context

  • The Indian government has asked global tech giants to set up local data centres.
  • Fearing that it will inhibit their growth aspirations in India by raising costs, U.S. technology giants plan to intensify lobbying efforts against stringent Indian data localisation requirements.
  • Amazon, American Express and Microsoft have opposed India’s push to store data locally.

Issue Area

  • Data localisation is not just a business concern; it potentially makes government surveillance easier, which is a worry.
  • It could lead to increased government demands for data access.
  • Technology firms worry the mandate would hurt their planned investments by raising costs related to setting up new local data centres.
  • The issue could further undermine already strained economic relations between India and the United States.

B N Srikrishna Committee (Data Protection)

The Union Ministry of Electronics & Information Technology (MEITY) has constituted an expert Committee to study and identify key data protection issues and recommend methods for addressing them.

 

Why needed?

There is a need to ensure growth of the digital economy while keeping the personal data of citizens secure and protected. Even though the Information Technology Act contains certain provisions about data protection and handling, experts are of the opinion that India needs a fresh data protection law, given the increased digitisation led by Aadhaar, the Goods and Services Tax and the push towards a digital economy. The IT Act may also be inadequate to deal with current requirements, since it was drafted almost 17 years ago in 2000 and was last amended in 2008.

Also, in the last 5-6 years there has been a quantum leap in technology, driven by trends such as the proliferation of social media, the growth of e-commerce leading to a boom in transactions over the Internet, and demonetisation, which has pushed more people into the digital economy. The IT Act may therefore have to be reconsidered in the light of these developments.

The government’s decision to focus on data protection comes on the back of a wave of privacy and data breaches, from corporates such as McDonalds, Reliance Jio and Zomato to government agencies that have leaked the personal data and Aadhaar of over 100 million citizens.

 

Draft Personal Data Protection Bill

  • For data processors not present in India, the Act will apply to those carrying on business in India or other activities, such as profiling, which could cause privacy harms to data principals in India.
  • The draft also provides for penalties for the data processor as well as compensation to the data principal to be imposed for violations of the data protection law.
  • It has suggested a penalty of ₹15 crore, or 4% of the total worldwide turnover of any data collection/processing entity, for violating provisions.
  • Failure to take prompt action on a data security breach can attract up to ₹5 crore or 2% of turnover in penalty.
  • Personal data, the draft law states, may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing.
  • The processing of sensitive personal data should be on the basis of explicit consent.
  • The law will not have retrospective application and will come into force in a structured and phased manner.
  • Processing that is ongoing after the coming into force of the law would be covered.
  • Other personal data may be transferred outside the territory of India with some riders. However, at least one copy of the data will need to be stored in India.
  • On the right to be forgotten, the draft states that the data principal will have the right to restrict or prevent continuing disclosure of personal data by a data processor.
  • The committee has not treated data as property as the relationship between the individual and entities with whom the individual shares his personal data is one that is based on a fundamental expectation of trust.
  • The draft law will go through the process of inter-ministerial discussions and the Cabinet as well as parliamentary approval.

 

Data Protection Authority

  • The Justice Srikrishna committee has recommended the creation of a Data Protection Authority that will be in charge of ensuring that entities processing data do so in keeping with the law.
  • The DPA, a sector agnostic body, will ensure that every entity that handles data is conscious of its obligations and that it will be held to account in case of failure to comply.
  • The authority will be governed by a board consisting of six whole-time members and a chairperson appointed by the Union government on the recommendation of a selection committee.
  • The selection committee shall consist of the Chief Justice of India or her nominee (who is a judge of the Supreme Court of India), the Cabinet Secretary, Government of India, and one expert of repute who has special knowledge of, and professional experience in, areas related to data protection, information technology, data management, data science, cyber and Internet laws and related subjects.
  • The members of the DPA are to be individuals of integrity and ability with special knowledge of, and professional experience of not less than 10 years in, areas related to data protection, information technology, data management, data science, cyber and internet laws and related subjects.
  • The DPA members will have a five-year term, subject to a suitable retirement age and their salaries will be prescribed by the Central government.
  • Broadly, the DPA will have four departments and related functions: monitoring and enforcement; legal affairs, policy and standard setting; research and awareness; and inquiries, grievance handling and adjudication.
  • The DPA will be stating codes of practice, conducting inquiries, and issuing warnings and injunctions.

 

Exemptions

  • The expert committee has recommended that processing of data for certain interests such as security of the state, legal proceedings, research and journalistic purpose, may be exempt from certain obligations of the proposed data protection law.
  • For the creation of a truly free and fair digital economy, it is vital to provide certain exemptions from obligations that will facilitate the unhindered flow of personal data in certain situations.
  • These exemptions derive their necessity from either a state or societal interest.
  • It, however, added that adequate security safeguards must be incorporated in the law to guard against potential misuse.
  • The processing of personal data in the interests of the security of the state shall not be permitted unless it is authorised pursuant to a law and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.
  • It has been recommended in the report that the Central government should expeditiously bring in a law for the oversight of intelligence gathering activities.
  • The research exemption has not been envisaged as a blanket one and only those obligations that are necessary to achieve the object of the research will be exempted by the Data Protection Authority (DPA).
  • It further added that to strike a balance between freedom of expression and right to informational privacy, the data protection law would need to signal what the term ‘journalistic purposes’ signifies, and how ethical standards for such activities would need to be set.

 

Protecting the data of children

  • The committee on data privacy has made specific mention of the need for separate and more stringent norms for protecting the data of children, recommending that companies be barred from certain types of data processing such as behavioural monitoring, tracking, targeted advertising and any other type of processing which is not in the best interest of the child.
  • It is widely accepted that processing of personal data of children ought to be subject to greater protection than regular processing of data.
  • The justification for such differential treatment arises from the recognition that children are unable to fully understand the consequences of their actions.