The Road to Data Maximization
In Part 5 of the #DataProtectionTop10 series, we analyse the various issues with the Personal Data Protection Bill, 2019 with respect to social media platforms. The classification of social media intermediaries into significant data fiduciaries is based on vague and broad grounds. Additionally, the collection of identity documents for the verification of user accounts is against the principles of data protection and violates the informational privacy of the users. Thus, we recommend that the relevant clauses be removed.
We are half-way through the series! Here is a quick recap of the series so far. In Part 1 of the series we discussed the lack of clarity on the objectives of the preamble of Personal Data Protection Bill, 2019 and in Part 2 we saw how this has lead to the inclusion of certain provisions in the Bill which give preference to the private sector and commercial interests of the State over the protection of personal data of the users. In Part 3 we explained how certain exceptions to consent under the Bill violate the informational privacy of individuals. In Part 4 we delved into the issues with the rights granted to the users under the Bill. In today’s post we discuss the provisions under the Bill for the regulation of social media intermediaries.
The Issue: Voluntary Verification of Users of Social Media Intermediaries
The Bill creates a new category of data fiduciary called ‘social media intermediaries’. Clause 26 of the Bill defines a social media intermediary as an intermediary whose primary function is to enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using its services. Facebook, Twitter, WhatsApp, Instagram, etc. fall under this category. These social media intermediaries may be further classified as significant data fiduciaries, if their user base surpasses the prescribed threshold, or their actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India. The provision further empowers the Central Government to notify these thresholds.
The classification of social media intermediaries into significant data fiduciaries entails increased obligations for such social media intermediaries. These obligations include conducting data impact assessments, auditing of personal data by an independent data auditor, maintenance of records, and appointing a data protection officer. While these obligations are important for the protection of personal data of the users, what is concerning is the obligation of social media intermediaries (which are notified as a significant data fiduciary) under Clause 28 that requires them to enable voluntary identification of the users. As per the provision, users who voluntarily verify their accounts have to be provided with some demonstrable and visible marks of verification.
The issue with these provisions is that they have little to do with a data protection regime. The classification of social media intermediaries into significant social media intermediaries is based on vague and broad factors, like significant impact on electoral democracy, security of the State, etc. These vague grounds confer ample discretion to the government for this classification. Furthermore, such classification is not on the basis of their data collection and processing practices, or the potential privacy risks that would ensue. More importantly, the collection of identity documents of users by social media companies for verification of user accounts will lead to further data collection by these companies, and it is in stark contrast to the principle of data minimisation. A provision for voluntary verification of users is not found in any other data protection laws in the world. As our identity documents are our sensitive personal data, we should prevent these social media giants from getting a hold of it.
The Concerns: Surveillance and Profiling of users
The new category of data fiduciaries (social media intermediaries), and the provision for voluntary verification of users of social media were absent in the 2018 draft of the Bill, as well as in the report (Free and Fair Digital Economy: Protecting Privacy, Empowering India) of the Committee of Experts on a Data Protection Framework for India (Chair: Justice B. N. Srikrishna). Therefore, the objectives behind these provisions are not clear. We believe that these provisions have been included in the Bill with the aim to counter fake news and disinformation. Even if this is the intention behind the inclusion of these provisions, it is still not clear how voluntary verification of user accounts helps in curbing fake news and disinformation. For example, several sitting legislators have tweeted out scientifically inaccurate information about alternative treatments for COVID-19, in spite of the Indian Medical Association pointing out the risks associated with such treatments.
On the contrary, voluntary verification of user accounts can lead to profiling and targeting of users by social media intermediaries. It is no secret that social media companies thrive by capitalising on our personal data. Provisions like clause 28 enable social media companies to gain greater access to our official identifiers, which can in turn be used to engage in more advanced targeting and surveillance. The more data these companies have about us, the greater is their power over us. Giving our sensitive personal data to social media giants like Facebook comes with the risks of data breaches. We all know how frequently these social media companies face data breaches, most recent being the data breach at Facebook which exposed the personal data of over 53 crore users. Now imagine if this personal data had included our official identifiers. That would have been deeply troubling indeed!
Again, verification of social media accounts, means your ability to stay anonymous online is restricted. While some may argue that anonymity fuels disinformation, online abuse, etc., we cannot ignore the fact that anonymity also creates that safe space for everyone to express and share our ideas without fear. The verification of social media accounts will stoke self-censorship and will deprive whistleblowers, dissidents, victims of sexual assaults, etc, who often resort to anonymous identities on social media websites, the opportunity to share their experiences. Anonymity is a facet of the right to informational privacy. The importance of anonymity in informational privacy, particularly in this digital age, has been recognised by the Supreme Court of Canada in its landmark decision of R v. Spencer, wherein it was held that “anonymous internet activities engage a high level of informational privacy”. Therefore, any measure that impedes online anonymity will have a negative impact on the informational privacy of users.
Clause 28 of the Bill makes it easy for social media companies to demand government issued identity documents like Aadhaar which contain sensitive personal data like biometric data etc. Though the clause states that such verification process is only voluntary, due to the immense power these social media companies wield, they can restrict some of their services to the users for want of verification of their account, and this can eventually lead to the mandatory verification of accounts. This could potentially shut out thousands of users from social media platforms, depriving citizens of a key stage for expressing their constitutionally guaranteed freedom of expression.
Solution - Special laws for social media intermediaries
The classification of social media intermediaries into significant data fiduciaries is based on vague and broad grounds. Besides the vagueness of these grounds, they are also not connected to the objectives sought to be achieved by a data protection regime. Any measures for the regulation of social media intermediaries that are not in connection with data protection have to be through special laws for regulating the same.
The concerns raised by social media intermediaries other than the protection of personal data may be addressed under the realm of electoral laws, intermediary liability and competition laws. The new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 is a step in this direction. The Rules require the significant social media Intermediaries to enable their users to “voluntarily'' verify their accounts, using any appropriate mechanisms. However, these Rules are also fraught with the same issues that we have discussed above. Indeed, this has already taken place, as the Rules specify a threshold of fifty lakh (5 million) registered users for social media intermediaries to be considered and regulated as a “significant social media intermediary”. We have written vociferously against the Rules, asking for their withdrawal.
It is thus clear that voluntary verification of user accounts will adversely affect the informational privacy of the users, while Clause 26 is not in consonance with the objectives of a data protection regime. Hence, we recommend that these provisions be deleted from the Personal Data Protection Bill, 2019.
This is the fifth post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here, part 2 here, part 3 here, and part 4 here. Do join us next Friday (21st May, 2021) as we analyse the provisions of the Bill related to data localisation.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)
This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF with the supervision of our staff.