Home | Corporate World | Personal data security: A long way to go?
 

Personal data security: A long way to go?

  In the light of Facebook’s data breach by Cambridge Analytica, a host of thorny issues have arisen. In a world where user data has become the basis of company profitability and strategy, the world needs to move towards a more secure structure that regulates data security.  

Dr Suresh Srinivasan

The recent Facebook-Cambridge Analytica episode has triggered a number of controversial issues, including placing Mark Zuckerberg, CEO of Facebook in a defensive position, but the biggest takeaway is that this issue has changed the world’s perspective on privacy matters. To that extent, the Facebook Cambridge Analytica issue is a positive development!

Cambridge Analytica: A little background
To put things in perspective, Cambridge Analytica is a United Kingdom-based data mining firm that primarily operates in the political space. The company mainly provides data consulting and communication strategies to political parties around the world, and is known to work with various political parties across countries. In 2016, the company supported Donald Trump during his presidential campaign, as well as providing data consulting and strategic insights for the Brexit voting, and providing electoral consulting to political parties in developing countries like Ghana and India. It is important to note that their work in the Bihar Assembly elections in 2010 has also been reported.
The data collected by Cambridge Analytica ranges from demographics, consumer behaviour, internet activity and more focused data for other public and private purposes. In the Indian elections, Cambridge Analytica’s data capture, research and analysis has been extensive; these involve video interviews and surveys, ‘on ground’ voter demographic data collection and analysis, behavioural polling, media monitoring, target audience analysis and caste research. All of this eventually culminates in an effective poll planning campaign that purportedly gives their clients a winning strategy.
Cambridge Analytica seems to be fully exploiting the power of big data and high end analytics and psychographics in the electoral process. This is a high end service, for which they have built powerful capabilities, and this is the service the company is paid for.

So what’s the problem?
In order to provide winning strategies to their clients, the basic raw material required is the personal data of individuals. And the problem lies in the way Cambridge Analytica has chosen to secure this data!
The recent Facebook Cambridge Analytica data breach brings to light how some of this data was acquired. Approximately five crore Facebook users and their network of friends were tracked, and their data was acquired when they performed some activity on specific apps. These apps also collected information from individual users on the pretext of academic research. The key problem lies in the fact that not a single user among these was aware that their data was being collected without their consent.
Facebook claims that the data captured by some of these apps from the Facebook platform was delivered to Cambridge Analytica, thereby breaching Facebook’s terms of service. In effect, personal data collected on the Facebook platform, without the knowledge of the users, eventually has found its way to Cambridge Analytica.

Data is public
In this age of information and data analytics, thousands of data points of individuals are floating around in the public domain. And the competitive advantage of companies in this era seems to be stemming from the companies’ ability to gain access to such data and use it for commercial purpose; in Cambridge Analytica’s case, irrespective of the final outcome of such data. To be realistic, given the potential profitability, companies will not hesitate to tread this path!
To be fair, it is highly unlikely that Facebook users today are unaware that their personal data is no more ‘personal’. However, when the reality hit and the Cambridge Analytica episode brought to the fore such breach of trust issues, the reactions, across sections of public, governments and regulators, have been quite profound and essentially similar.

The Pandora’s box
The Cambridge Analytica episode has opened up a number of questions that we need to answer. How far can private personal data be used for public purposes, which includes commercial, political and national security related purposes? To what extent can this be regulated? Do the uses the data is put to breach the fundamental right of citizens as far as their right to privacy is concerned? Especially since technology companies and data scientists, backed by large corporates, are pouring millions of man hours and resources into developing these technologies, what are the possible implications, given such uncertainties?
Private data is also being widely tracked by the government and other agencies. Today images, photos, videos and satellite tracking systems are quite ubiquitous. Facial recognition, fingerprint matches and biometrics are becoming cheaper and more accurate with every passing day, and these methods are being deployed extensively by commercial entities. The database of government agencies too is exponentially increasing, even as the size of such data balloons.
An unfortunate truth also is that once one of the above agencies secure such data, the probability that another gets hold of the same data is quite high! Today, ‘data brokers’ are selling private data like marital status, income levels, phone number, email id, online purchases, etc for ridiculously low prices. And the Cambridge Analytica episode serves to conclusively prove the same!

Privacy laws & data regulation
Another cause for concern is that privacy laws across nations have not kept pace with the speed at which technologies are emerging. Regulators have always been on the backfoot, playing a game of catch up. Events such as these spur the regulators into action and enact more stringent regulations. The Facebook Cambridge Analytica episode and the subsequent testimony of Marc Zuckerberg that followed has done precisely this, and have given the required impetus to the latest law on privacy, the General Data Protection Regulation (GDPR).
Replacing the age old data protection directive of mid 1990s, this new regulation GDPR, which becomes enforceable effective May 2018, is a European Union law on data protection and privacy for all individuals within the European Union. The law is wide enough to cover personal data relating to private, professional or public life. It can range from a name, a home address and e-mail address, to financial and bank details, posts on social networking websites including photographs, medical information, etc.
The new law addresses the export of personal data outside the EU. The GDPR is reported to be quite far reaching and severe when it comes to protecting consumers on their personal data. The regulation addresses organisations that collect or process data captured from EU residents. The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. Effectively, the EU has shown the path, and other countries, including India, need to strengthen their privacy laws. Hopefully, it will be only a matter of time before other countries catch up!

Effect of the GDPR
Under the GDPR, companies can be fined up to 4% of annual global revenue, and to that extent the penalties can be severe. Companies like Amazon, Google and Facebook are already preparing themselves to comply or mitigate their exposure to this new privacy regulation.
Facebook’s reaction to the new law is quite interesting. Although Facebook has been apologetic for its actions on data breach, including a personal apology from Zuckerberg carried in newspapers, the company has skilfully moved the location of more than one hundred and fifty crore users from its international headquarters in Ireland to its corporate office in the US. This helps Facebook minimise its exposure to the new EU privacy law as it takes effect from May 2018. In summary, regulations do help only to a certain extent. It is for companies to follow these in spirit, more than what is there in the print. 

Dr Suresh Srinivasan is a Chartered Accountant, has an MBA (Bradford UK) and a Doctorate in Strategy. He is the Director of the 2-year PGDM at Great Lakes Institute of Management, as well as a Sr. Associate Professor. He is also a management consultant.