
2 LEGAL BASIS FOR ENACTING DATA PROTECTION LEGISLATIONS Lyst8614

Data has become a valuable commodity that companies leverage to build multi-billion dollar businesses by collecting and analyzing user data. However, data can also be misused in ways that infringe on individuals' privacy and rights. For these reasons, many countries and jurisdictions have enacted data protection laws and regulations to legally protect certain categories of personal data, including personal and sensitive information. These laws generally aim to safeguard individuals' privacy and security, provide transparency around data usage, and establish oversight through data protection authorities while still allowing for responsible data processing.

LEGAL BASIS FOR ENACTING DATA PROTECTION LEGISLATIONS
WHAT WE WILL LEARN TODAY?
The objective of this topic is to help you understand:

1. Why data is a valuable commodity vis-a-vis businesses and individuals?
2. Why data requires legal protection?
3. What category of data is to be protected?
4. An overview of various data protection regimes and statutes across the world
WHY IS DATA SO VALUABLE?!

How many of you have heard about the Cambridge Analytica scandal?
Facebook shared the data of 87 million user profiles that were used to predict and influence the choices of US voters.
Information is money!

Data is a valuable asset to whoever has access to it:

a. to companies, for monetization;
b. to individuals, as it is personal in nature and thus needs to be protected.

Facebook, Amazon & Google have basically built multi-billion dollar businesses by leveraging information collected from their users.

Can you think of other business houses that operate heavily on data?
LET’S UNDERSTAND THROUGH SCENARIOS

Imagine that you have built an online store for t-shirts. As an early-stage company, you will still be experimenting with how to serve your customers. The Internet is huge. How will you understand your audience? You cannot market your product blindly without knowing the audience.

That is where data analytics services such as Google Analytics come into play. Google Analytics collects data on your visitors and offers a massive number of metrics that your startup can track. Just by installing Google Analytics you can track the number of users on your website, IP address, browser, location, demographics, session duration, bounce rate etc.

Using data, you can now get all the necessary information regarding your website statistics. Now you know who is visiting your site, who is converting and who is not interested in your product.
Take the case of Netflix.

You binge on 6 hours of anime, and the next thing you see is a series of suggested shows based on your last binge.

How do you think Netflix does this?

Does this help Netflix in revenue generation?


Data monetization by Big Tech: Microtargeting
Back in 2007, Facebook had normal display ads that were put on its website. All users who used the website saw the ad.

What about in 2021?

An ad for an iPhone cover is seen by a person who recently bought an iPhone, not by all the mobile users in the world. Similarly, an ad for the new burger shop is seen by a meat eater and not a vegan.

So what has changed?

Facebook takes all your submitted data and combines it with data of other users and outside information. Then they microtarget your profile by considering hundreds of data points.

Based on your likes, Facebook can even know if you are having a breakup. What do you think you will be suggested next?
HOW CAN IT BE MISUSED?

A health care agency posted a job ad on Facebook looking for personal care workers. When the agency purchased the ad, it asked Facebook to not show it to anyone over 54 years of age. They asked Facebook to show it specifically to people who have “African American multicultural affinity.”

Using data to target ads is not only profitable but may also lead to discrimination prohibited by law.

Can you think of other possible misuses?


LET’S BRAINSTORM!
Activity for Group 1 (The Social Media Marketers) & Group 4 (Privacy Lawyers)

Group 1: How does social media use data to advertise? How can the data be monetized?

Group 4: What can be the consequences of using data of individuals?

Activity for Group 2 (Product Managers) & Group 3 (DPOs)

Group 2: How do Google & Facebook monetize data other than advertising?

Group 3: Opine on whether such data needs protection & why?


WHY IS DATA SOUGHT TO BE LEGALLY PROTECTED?
Growth of the digital economy & remote working has made all businesses dependent on data

➢ This has increased the chances of data leaks

➢ The data can also be misused/over-retained by companies against the will of the data subject

Data protection is required to

➢ Protect the fundamental right of privacy of individuals

➢ Protect individuals’ financial security

➢ Safeguard them against criminal activity

➢ Rise of Big Tech and competition issues


WHAT CATEGORY OF DATA REQUIRES PROTECTION?
Is every form of data required to be protected, or are there certain categories of data that deserve more protection than others?

Do you know any classifications of data?

(i) Personal information - data that identify an individual

(ii) Sensitive information - data that is more private/intimate to a person

(iii) Non-personal information - data that does not contain any information that can be used to
identify a person
POLL
A matrimonial website allows users to create free profiles. Upon creation of the profile, the
platform asks for certain information such as:

➢ Name
➢ Contact number
➢ Address
➢ Caste, Tribe, Religion
➢ Photograph
➢ Job details
➢ Annual income
➢ Languages spoken
➢ Drinking and eating habits
➢ Hobbies
➢ Favourite music genre

Which among the above data sets should not be asked mandatorily by the matrimonial
platform?
GENERAL THEME OF DATA PROTECTION REGULATIONS
a) Categorisation of data - Not all data requires protection, and not all data requires the same level of protection. Hence data that requires protection is often classified into personal data, sensitive personal data and non-personal data. (The definition and categorization is similar under GDPR and Indian PDP Bill 2019.)

b) Extraterritorial Applicability - Some data protection laws decide extra-territorial scope considering the activities of a business, while others might consider the size of a business. (GDPR, for example, applies to any business entity dealing with data of an EU resident, while the CCPA considers the annual revenue of a business or the number of customers.)

c) Individual Rights - Most data protection laws provide users with certain rights in connection with their personal data, such as the right to access, correct or delete data. (Individual rights are available under most of the data protection laws such as GDPR, CCPA, PIPEDA etc.)

d) Legal Basis for Processing Personal Data - Every data protection legislation has some basis under which processing activity can be carried out. (Some legislations like GDPR may provide a detailed list of legal bases for the processing of personal data, e.g. consent, public interest. Others like the Canadian law (PIPEDA) may not have a list but some reasonable requirements for data collection/processing.)

e) Provisions for Cross-border Transfer of Data - This is an important section in most data protection laws. Countries may have stringent rules for transfer of data beyond their borders. (For example, cross-border transfer of data requires additional safeguards such as Adequacy decisions, Binding Corporate Rules etc.)

f) Accountability Provisions - You have certain obligations under data protection laws as to how you are processing data & if you are compliant with provisions like appointing a DPO and keeping a record of your data processing. (Both the GDPR and PIPEDA have set out various principles relating to accountability.)

g) Data Protection Authorities - There are independent authorities established under data protection legislations who monitor and supervise the application of data protection laws. (For the UK it is the Information Commissioner’s Office (ICO). For Canada it is the Office of the Privacy Commissioner (ICO).)

h) Fines and Penalties - Across all data protection legislations, fines and penalties are prescribed for violation of data protection laws. (Under GDPR fines can be as high as 4% of annual global turnover. The CCPA considers a penalty per violation which can go as high as USD 7500 for each violation.)
WHAT DID WE LEARN TODAY?

1. Why data is a valuable commodity vis-a-vis businesses and individuals?
2. Why data requires legal protection?
3. What category of data is to be protected?
4. An overview of various data protection regimes across the world
