by Ritika Sharma, University Institute of Legal Studies, Panjab University
Technological advancements result in breach of privacy rights of the consumers. European Union’s General Data Protection Regulation or GDPR plays an important role in maintaining privacy rights. India has Personal Data Protection Bill which aims at ensuring consumer privacy. Similarly, UK GDPR codifies privacy regulations by incorporating all the EU GDPR provisions. This blog attempts at discussing the privacy rights of consumers and the relevant statutes and bills in India, US and UK.
A woman who was expecting a child wanted to surprise her husband with the news but before she herself told her husband, her husband had got a fair idea that she was pregnant. This was due to the advertisements of pregnancy or child products that suddenly emerged in the devices of their home. Consumers getting advertisements or recommendations of the products which they wish to buy and the products or service they have recently searched on Google, reflects the sheer breach of the Right to Privacy. It has become very common to share one’s personal information online in a process of getting some service or information about some product. Web cookies tracking every step of the consumers, is the prime example of encroachment of one’s privacy. This master technique of marketing products which undoubtedly results in more sales by attaining unprecedented insights into consumers’ lives may be acceptable to some extent but nobody can tolerate a constant online surveillance over them. Now, the consumers’ frustration over this interference in their privacy has exceeded the benefit which the relevant recommendations and advertisements provide.
According to Canadian Psychologist and Professor, Sydney M. Jourard, privacy implies allowing a person to choose time and place for disclosures of their experience, as well as the company before whom such disclosures are made. Privacy is an outcome of a person’s wish to withhold from others certain knowledge as to his past and present experience and action and his intentions for the future. A man may seek to elude others’ direct experience of his action, and he may seek to distort or misrepresent his experience to others in order that their view of him will not coincide with his direct view and knowledge of himself.
Technological Advancements versus Consumer Privacy
Growth in technology is the principal threat to the Right to Privacy of consumers. The foremost motive of marketing through social media is to grab more and more users and gather their personal information. A term called “Internet of things” plays a pivotal role in this process. Internet of Things (IoT) shares information with other members of the network or with any other stakeholder which recognises events and changes in their surroundings. It reflects how research and development have made the world smarter – A world where the real, digital and the virtual are converging to create smart environments that make energy, transport, cities and many other areas more intelligent. Particulars related to the habits, location, surroundings, etc. are tracked by IoT which acts as a platform connecting several people and computers. This raises genuine concerns about the consumer privacy.
Evaluating Privacy Rights of consumers in India
According to the report of an International Research conducted by OpenText, an Information Management Solutions Company, 84% of Indian consumers prefer organisations that are committed to protecting their data privacy. This Report gives an idea that majority of the Indians do not want to compromise with their privacy rights.
After the Privacy Judgment in 2017, Indians have become more aware of their privacy rights and many have already tasted the freedom that privacy right brings along with it. The debate around the Right to Privacy has sparked after the 2017 Judgment and the recent Personal Data Protection Bill [PDPB] is a great hope for the consumers as it would meet the “standard of fair and reasonable” that no previous legislation had. In addition to the provisions in compliance with the EU GDPR, PDPB contains various supplemental regulations. This legislation aims at obtaining consent by promoting justice in personal data processing. It is also pertinent to note that this legislation imposes certain limits on the processing of data even when the consent of the consumer has been taken, thereby providing another layer of protection to the privacy of internet users. This is, however, being criticised by many scholars by calling it “controls beyond consent”. It has been contended that if the consumers are informed of the potential risks that might arise after providing their information then they are entitled to assume the risks. Other important characteristics of the bill include – (i) explaining the purpose of data collection; (ii) specifying the extent of using the collected information; (iii) changing the status of companies from mere “data collectors” to “data fiduciaries”; (iv) granting consumers of information providers the status of “owner” so that their personal information could be returned to them whenever they want i.e., giving the “right of deletion”; (v) classifying data under three heads namely – sensitive, critical, general; (vi) giving the consumers “right to justification”; and, (vii) making exceptions with respect to privacy rights by allowing governmental bodies to access their personal information in certain circumstances of national interests, etc. In this era where information could be shared on online platforms with just a click, PDBP will introduce multifarious safeguards in the lives of Indian consumers but unfettered power in the hands of government to invade one’s privacy can lead to “discriminatory censorship” which leads to the solution of addressing and remedying these shortcomings.
Evaluating Privacy Rights of consumers in US
Even though there is a lot of hue and cry for privacy rights, there is no standard privacy law in the States. An Internet Service Regulation which aimed at providing certain privacy rights to the consumers was overturned in 2017. The basic regulations in the favour of Privacy of the American consumers were deleted. This reflected the US government’s reluctance in supporting the Right of Privacy of consumers.
One more attempt with the bill named Consumer Online Privacy Rights Act [COPRA] was proposed in the year 2019 which has not yet been approved. In the absence of any standard privacy law, it has been maintained by the State and Federal Laws like “Federal Trade Commission”, “the Consumer Financial Protection Bureau”, etc. Another regulation is “The Financial Modernisation Act of 1999” which protects the customers against the usage of their personal information by the companies under “false pretences”. Some other consumer privacy regulations applicable in the US include “the Health Insurance Portability and Accounting Act of 1996”, “The Children’s Online Privacy Protection Act, 1998” and “the Family Educational Rights and Privacy Act of 1974”.
Given the low overall levels of trust, it is not surprising that consumers often want to restrict the types of data that they share with businesses. Consumers have greater control over their personal information as a result of the many privacy tools are now available, including web browsers with built-in cookie blockers, ad-blocking software and incognito browsers. However, if the product or service is of healthcare or money management, it is critically important to consumers, many are willing to set aside their privacy concerns. The situation is more or less similar to that of India as there is not any specific legislation which makes rules regarding privacy of the consumers. There have been severe violations of consumers’ Right to Privacy in the US, consequently, the States follows GDPR and California Consumer Protection Act [CCPA] to tackle with the privacy issues that American consumers are facing today.
Evaluating Privacy Rights of consumers in UK
49% per cent of UK consumers prefer organisations that are committed to protecting their data privacy. The citizens of UK are comparably less interested in their privacy rights when it comes to sharing their personal information online as a consumer. Notwithstanding several violations and intrusions in their online privacy by the companies, they do not pay heed to the privacy concerns. One of the possible reasons could be a lack of understanding as to how and what all their information is being shared with the third parties.
GDPR was applicable in the UK till the nation left European Union on January 31, 2020. Now, UK follows the new UK GDPR with the existing Data Protection Act of 2018 to tackle their privacy concerns. The provisions of UK GDPR mostly mirrors the EU GDPR with some changes highlighted in an unofficial document called “A Keeling Schedule”. One such change is the exception to the protection of personal information on the grounds of “national security” or “immigration matters”.
Privacy is one of the pivotal rights of the consumers. If one does not want any intrusion in this right then there needs to be a clear line of distinction between the public and private life of a consumer. Consumer’s privacy is like a “room to grow in” where they should be having the liberty to search, purchase and give their private details with the guarantee that their information will not be recorded or shared with any third party.
The liberalisation of electronic communications networks and services markets and rapid technological development have combined to boost competition and economic growth and resulted in a rich diversity of end-user services accessible via public electronic communication networks. It is necessary to ensure that consumers and users are afforded the same level of protection of privacy and personal data, regardless of the technology used to deliver a particular service. Although there are several guidelines framed by the companies like Google and Facebook which do not allow targeting their customers based on factors such as sexual orientation, race, medical conditions, etc., it is still significant to limit this unbounded interference with the adoption of some statutes which will promote transparency. As the internet is still evolving, there should be sufficient legal tools that could ensure consumers’ privacy. Answers to the questions such as “why this particular information is necessary”, “In what way this information will be used?” should be succinctly answered by the companies in their data usage policies. More importance should be given to the creation of value for the customers by balancing their acceptability and comfort concerning the ad targeting strategy with the privacy norms than just targeting their profit motives.
Disclaimer – All views and opinions expressed in this article are personal and belong solely to the author(s) and do not necessarily represent those of the LAABh Foundation or the individuals and institutions associated with LAABh Foundation.
 Sydney M. Jourard, Some Psychological Aspects of Privacy, DUKE LAW, https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=3110&context=lcp
 SMITH IAN G (ED.), INTERNET OF THINGS 22 (New Horizons 2012).
 BUSINESSLINE, https://www.thehindubusinessline.com/info-tech/84-indian-consumers-willing-to-pay-more-to-do-business-with-organisations-committed-to-protecting-data-privacy-report/article34066225.ece, (Last visited: July 28, 2021)
 K.S. Puttaswamy v. Union of India; (2017) 10 SCC 1.
 MCKINSEY & COMPANY, https://www.mckinsey.com/business-functions/risk/our-insights/the-consumer-data-opportunity-and-the-privacy-imperative# (Last visited July 29, 2021).
 BUSINESSLINE, Supra note 3.
 DELOITTE https://www2.deloitte.com/uk/en/pages/technology-media-and-telecommunications/articles/digital-consumer-trends-data-privacy.html (Last visited August 17, 2021)
 OFFICIAL JOURNAL OF THE EUROPEAN UNION, https://www.etsi.org/images/files/ECDirectives/2009_136.pdf (Last visited July 29, 2021).