By Vikrant Rana and Pranit Biswas
The entire world has been receptive to the marvel of technology and the rise of the Internet. While the World Wide Web has undoubtedly proven itself to be a boon to mankind, some may argue that the curiosity of man and the evolution of the internet are inching towards becoming a cauldron about to explode. Big companies like Google and Meta, who are currently the torch-bearers in possessing huge magnitudes of sensitive personal data, are now facing the heat of significant questions being raised by various governments and authorities, including about the treatment of the private and sensitive information of their users.
While the world has just begun questioning and exploring these data privacy issues in the age of technology and artificial intelligence, which also involve high stakes of morality, the Austrian ship of data privacy has just unfurled its sails by recently holding the services offered by Google Analytics to be unlawful, giving a very strong direction against the winds of data privacy. A few basics before we delve into further details in this respect:
What is Google Analytics?
Gone are the days when the internet was merely used as a means of basic utility including storage, communication and Minesweeper. The Internet is now about, inter alia, extremely personalised user interfaces. Tech companies like Facebook and Google rely on a certain type of service known as Big Data Analytics. In simpler words, big data analytics includes the analysis and treatment of huge repositories of data, and the extraction of the most relevant data to create a much more personalised experience for any user. Data analysis may cover various aspects of the Internet, ranging from analysing website traffic and identifying trends accordingly, to analysing the personal data of users and creating a personalised user interface based on such data. Google Analytics is one of the many companies that offer such services. Hootsuite, Sprout Social, Brandwatch and Buffer are some of the other data analytics companies that are most popularly engaged by social media websites. Such companies facilitate the development of artificial intelligence by equipping it with the kind of data it needs to be trained. After all, there is a reason why, when one searches for a specific item on a search engine, one's social media then features outside links to the said product or similar products! As a fan of the hit TV show ‘Dirk Gently’ would say, everything is connected!
What are the (New) General Data Privacy Regulations?
Placing the privacy of EU citizens as the top priority, the EU General Data Privacy Regulations (GDPR) came into effect on May 25, 2018, laying down one of the most stringent laws on data privacy in the world and imposing non-negotiable requisitions on organizations irrespective of their origins. In fact, one of the key features of these regulations is that they apply outside the territorial jurisdiction of the EU as well. Essentially, Article 3 of the GDPR establishes the territorial scope of the law. To micro-condense Article 3 of the GDPR into a one-liner, the idea is that as long as any entity conducting ‘professional and commercial activities’ engages with a citizen of the EU over the Internet, it could be subjected to the GDPR. The basis is that the moment any entity has hold of any kind of personal information of a citizen of the EU, it is under watch and is expected to comply with the GDPR.
The bottom line is that the GDPR knocked on the doors of online businesses engaging with European audiences and blew up in their faces like a bombshell, giving well-established companies a hard time keeping up with, and complying with, the complex set of requisitions laid down by the GDPR.
In 2011, a woman sued Google for scanning her emails, stating data privacy concerns and claiming damages for the same. The incident was one of the first check-points for the European Union to realise the importance of data protection and the need for comprehensive regulations set in place in the country. Cut to the year 2020, an exclusive agreement that facilitated the exchange of data across borders for ‘commercial purposes’, known as the EU-US Privacy Shield Agreement, was invalidated through a case, infamously referred to as the Schrems II decision by the EU Court of Justice (C-311/18). The Privacy Shield Agreement was a mechanism set up and entered into by the European Union and the United States in 2016. The Agreement essentially enabled companies originating from the European Union to comply with data protection requirements of the United States. The rationale behind the invalidation was two-fold: the CJEU firstly reasoned that the said agreement granted unfettered rights to the US authorities to collect personal data concerning EU data subjects without adequate safety measures, and further reasoned that the U.S. Government had failed to set up an effective redressal system for EU data subjects.
What Happened in Austria?
‘My Privacy is None of Your Business’ (NOYB), an NGO working actively towards addressing issues in the area of data privacy, had filed 101 identical complaints against a number of across Europe, accusing them of the continuous transfer of sensitive data to Facebook and Google in the US. Their primary contentions were that the said transfer was in violation of requirements of Chapter V of the GDPR and the Schrems II Judgement (C-311/18), the judgment which invalidated the EU-US Privacy Shield.
Main Contention by the Complainant
- Foreign Intelligence Surveillance Act, 1978 (FISA)
One of the primary concerns in this case included the accusation that a great deal of personal data collected by Google Analytics is invariably being revealed/exposed to the US Authorities owing to the Foreign Intelligence Surveillance Act, 1978 (FISA) enacted in the United States. The problem prima facie is that the services of Google, Google Analytics and other online marketing agents of the like are heavily dependent on personal/sensitive data. It is what enables these companies to train their respective artificial intelligence software and program it to automatically promote relevant advertisements for products a particular person is looking for. Moreover, companies like Meta (previously Facebook) and Google, being headquartered and incorporated in the US, are all the more obligated to comply with the FISA.
Enacted in 1978, FISA essentially authorizes electronic surveillance and physical searches to be . That is to say, procedurally, government authorities may seek a FISA order to carry out the aforementioned searches; however, if suspicions arise on the lines of terrorism, such searches may be carried out without obtaining an order. Understandably, the root of such stringent protocols is in the wake of the tragic 9/11 disaster; thus, even the slightest doubt calls for the elaborate protocols to be mandatorily followed. In other words, FISA authorises and legalises the collection of such data, under the garb of ‘foreign intelligence information’ between ‘foreign powers’ and ‘agents of foreign powers’, under the suspicion of terrorism and striving for national security, which makes it the most controversial feature of this Act yet – one which proved non-negotiable for the DPA. Nevertheless, in order to obtain an order otherwise, an application is made to the United States Foreign Intelligence Surveillance Court, which by virtue of Titles I and III of FISA must inter alia broadly include the following:
- the applicant’s identity;
- information regarding the target’s identity if known;
- why the target may be searched or surveilled;
- a statement establishing a sufficient relationship between the target and the search location;
- a description of what will be searched or surveilled;
- a description of the nature of the information sought or of the foreign intelligence sought;
- proposed minimization procedures;
- a discussion of how the search or surveillance will be carried out; and
- a discussion of prior applications
Summary of the Decision
The use of Google Analytics by Austrian websites was found to be in violation of the GDPR on the following grounds:
- The use of Google Analytics by Austrian websites invariably enabled the transfer of personal data of users to Google LLC in the US.
- The Standard Contractual Clauses (SCC) are essentially a set of standard contractual terms and conditions that are entered into by the sender (User) and receiver (Provider Company) of personal data to uphold and ensure the rights and freedoms of a user. In this case, it was held that the SCC entered into by and Google LLC failed to provide sufficient levels of protection required by Article 44 of the GDPR, which prohibits the transfer of personal data beyond the borders of the European Union and the European Economic Area.
- While the complaint was , however, the CJEU rejected the complaint against Google LLC by concluding that Google LLC per se was not in breach of Article 44 of the GDPR, as they had merely engaged in receiving the data, not transferring it.
- However, the DPA reserved the preclusion of initiating an ex officio proceeding against Google LLC to ascertain inter alia the manner in which they conduct further data processing.
Bold moves of such nature by the EU, which assert and dictate the active stance of its non-negotiable seriousness towards the data privacy of its citizens, are making it hard for provider companies to offer their services in their full range while simultaneously ensuring compliance with regulations that prima facie prohibit the very foundation of their services.
Moreover, the most recent development, in retaliation to the stringent data privacy laws, includes Meta issuing a kind of warning regarding the permanent suspension of its services on the social media platforms Facebook and Instagram across Europe. However, European leaders responded rather coldly by expressing their indifference towards Meta’s decision, stating that “life would be very good without it”.
Data Privacy in India
India is definitely a part of the movement towards data protection. To begin with, in the landmark case of Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors., the was declared as a fundamental right of every Indian citizen, which is protected under the Constitution of India. Moreover, in more recent news, developments regarding the Personal Data Protection Bill, 2019 have gained traction with the Joint Parliamentary Committee turning in its detailed report on the Bill in December. Chaired by P.P. Chaudhary, the Committee deliberated on the matter for two years and has turned in a consolidated report. A few major highlights of the Bill include:
- Personal data may be processed only subject to a specific and clear lawful purpose and limitation on its collection and storage.
- Transparency to be maintained by , who have been defined as an entity or individual who is responsible for processing data, and who would be accountable for taking steps like introducing privacy policies, implementing safety measures such as data encryption, etc.
- The processing of personal data only upon consent given by the individual.
- Granting rights to individuals such as the right to obtain status of the processing of their personal data, right to restrict continuous use of personal data by a fiduciary, etc.
- The setting up of a dedicated Data Protection Authority to address relevant issues.
- Lays down the treatment of personal data if the same has to be transferred outside of India.
- It also grants the Central Government the power to exempt the applicability of the Act on any agency of the government provided it is in the interest of sovereignty and integrity of India or is for preventing incitement to the commission of any cognisable offence.
- Penalties for non-compliance/violation of the Act
While the passing of the Bill is still underway, only time will tell how the implementation of the Personal Data Protection Bill would pave the way for data privacy protection in India.
With each passing incident of data leaks involving information as sensitive as passport numbers and associated details being exposed at a global scale, the need for the protection of data privacy is higher than ever before. However, with the advancement of technology, the need for personalised experiences and the interference of governing authorities involve the consideration of issues ranging from ethical to legal. Formulating a consolidated legal framework that caters to all these aspects is a mammoth task in itself.
The approach adopted by the EU appears to be quite aggressive, involving the clear, undisputed prioritization of personal data, with protection ensured by forming stringent regulations around it. The approach adopted by India, by contrast, appears to be relatively lenient, wherein the proposed framework prioritizes the consent of an individual user. Simultaneously, the framework also eliminates unnecessary demands for revealing personal data and lists specific occasions where demanding personal data is legitimised. Moreover, Meta Platforms as well as Google’s parent company, Alphabet Inc., expressed that India’s Data Privacy Bill may be a matter of concern for them and their business services. Time will determine the scope of flexibility the Indian authorities have in store for these companies, given the heavy reliance placed by the Indian population on these platforms. While it may be interesting to see how events unfold, the need for coming up with a sweet spot may just create scope for a dialogue between government officials and the social media giants to achieve the best of both worlds.
Nevertheless, for now, everything boils down to the fact that data privacy is being given due importance, the time is ripe, and we’re here for it!!
Girishma Sai Chintalacheruvu, Associate at S.S. Rana & Co. has assisted in the research of this article.
 It was observed that:
“Intelligence services in the U.S. take certain online identifiers (such as the IP address or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”
 1(2017) 10 SCC 1.