The facebook Cambridge Analytics data breach in early 2018 is one of the most significant known data leaks in Facebook as well as in the history of Big Tech. This data breach was particularly disturbing as the personal data of millions of Facebook users was illegally obtained by Cambridge Analytica to be predominantly used for political advertising, building psychographic profiles, determining users’ personality traits based on their Facebook activity, and is said to have led Donald Trump to the White House. The term ‘Big Tech’ or ‘Tech Giants’, is widely used to refer to the most dominant companies in the information technology industry, like Amazon, Apple, Google, Facebook, and Microsoft. 

Why is big tech in the line of fire again? In the United States, the leaders of Amazon, Apple, Facebook and Google have been drawing flak for crushing competitors in the market with the power of data. 

In July this year, the United States House Judiciary Subcommittee on Ant itrust , Commercial and Administrative Law concluded what is being called the highest-profile hearing into antitrust and competition since the 1970s. The members of the subcommittee came down heavily on the CEOs of Amazon, Google, Facebook, and Apple with damning evidence of the alarming conduct by their companies, culled from explosive internal documents on record in the US (final report awaited). 

Major Allegations 

So what were the major allegations? 

• In 2009, Amazon deliberately sold diapers at a loss, to price Diapers. com out of the market and forced the company to accept a takeover. 
• Apple extended unfair treatment to third parties who depend on Apple’s App Store to reach iPhone customers. 
• Facebook acquired Instagram and WhatsApp to keep them from eating into Facebook’s business. 

Impact on the End Consumer

A situation in which a company gets so big that it is able to easily crush or absorb competition to the extent that it can neglect what the customers want without having to jeopardise its profits, spells bad news for the customers.  

In a digital economy, this predatory behaviour can have even more farreaching consequences as these companies continue to indulge in exclusionary tactics through deep discounting, preferential listings, or exclusive arrangements on their platforms.

As the privacy and antitrust worlds cross over, the problem becomes even more prominent. A classic example is the use of exploitative methods by social media networking platforms to arm-twist users into sharing data to use their services. 

Data Protection

Currently, California is the only US state with a data privacy law in place, the California Consumer Privacy Act (CCPA) with ‘opt-out’ provisions. However, in general, the US courts have collectively recognised a Right to Privacy by piecing together limited privacy protections reflected in the US Constitution. 

In contrast, the EU is governed by the General Data Protection Regulation (GDPR), which is completely ‘opt-in’. A CNN Business report of 16 July said Europe’s highest court had struck down the Privacy Shield agreement between the European Union and the US, for it did not properly protect EU citizens’ data from US surveillance practices. 

Thousands of companies, including Facebook that relied on the Privacy Shield pact for transferring information across borders, have now been left in the lurch with this decision. 

Personal Data Protection Bill

Subject matter expert Rahul Chaudhary, Partner, PSL Advocates & Solicitors says, “While the proposed Personal Data Protection Bill (PDP Bill), 2019 incorporates various elements of the GDPR, it is important to appreciate that there are significant variations and even improvements under the proposed Bill as compared to GDPR. The Justice Srikrishna Committee, in its report, has undertaken a detailed analysis of various aspects of data protection legislation across the globe, and it was only after distilling the essence of those legislations that the Committee had proposed a Bill. For example, financial data is considered sensitive personal data and is, therefore, accorded a higher degree of protection under the proposed Bill. Obligations relating to maintaining detailed processing records and notification requirements in case of a data breach appear to have been moderated, whereas the responsibilities of data protection officers (to be appointed by data processors or data fiduciaries) are more expansive as compared to GDPR. 

Therefore, simply being GDPR compliant may not automatically make one compliant with the proposed Bill if it were to be passed in its present form and vice-versa.” 

Speaking in particular about the big data and the tech giants, Sonal Kumar Singh, Managing Partner, AKS Partners says, “the current laws governing personal data privacy in India have outlived their purpose and relevance especially with the rise of Big Data, AI, Blockchain and Internet of things. Data privacy has never been more relevant and more crucial than it is right now. The existing menace of uncontrolled and largely unregulated offshore data transfer by BigTech has highlighted the shortcomings of the existing SPDI Regulations including the lackadaisical approach of the regulators in enforcing the provisions. The PDP Bill, inspired by EU’s GDPR, is the most talked-about legislation impacting digital commerce as we know it. Data localisation, privacy by design, mandatory audit requirements (by significant data fiduciaries), right to data portability, right to be forgotten, data minimisation, compulsory registration (with data protection authority by significant data fiduciaries) are just a few examples of the paradigm shift that the PDP Bill will introduce. Once fully enacted, the PDP Bill with its extensive notice requirements, should empower the data principals to make informed decisions before permitting collection and processing of personal and sensitive data. Sensitive personal data may be transferred outside India after explicit consent of data principal and pursuant to an approved intra-group scheme or after approval of the data protection authority. While the data localisation norms mandate that a copy of the transferred sensitive data be maintained locally in India, it prohibits the offshore transfer of critical personal data. It is noteworthy that the PDP Bill has also substantially increased the penalty (extending up to two per cent to four per cent of the worldwide turnover), which will compel BigTech to ensure serious compliance and may even avoid another Cambridge- Facebook scandal.” 

It remains to be seen if the Bill will indeed, translate into an effective Act and echo the sentiments of the committee.