Site icon Legal Vidhiya

LEGAL CHALLENGES OF DATA OWNERSHIP AND CONTROL IN THE AGE OF BIG DATA

Admin
Advertisements
Spread the love

This article is written by Ganesh Vajrapu of 3rd semester of Alliance University, Bengaluru.

Abstract

In the digital age, the rise of big data in India has created new opportunities and challenges. One of the most significant challenges is the legal challenge of data ownership and control. With businesses and government agencies generating and continuously collecting large amounts of data, users’ privacy is frequently at risk. The Indian legal system does not have a clear definition of data ownership. This has led to uncertainty about who owns data collected in India, and who has the right to control how it is used, and Constitution guarantees the right to privacy, but this right is not absolute. There are a number of cases where the government or businesses may be allowed to collect and use personal data without the individual’s consent. Ensuring conformance to privacy terms and regulations is constrained in current big data analytics and mining practices. This research paper aims to explore the legal challenges of data ownership and control in the age of big data and provide recommendations for adapting legal frameworks to address these challenges. The paper will review recent developments in the field, including the growth of digital constitutionalism, the proposed Digital India Bill, and the need for data protection and digital rights. The paper will also examine successful examples of legal adaptation in the digital context and discuss the potential benefits of implementing digital constitutionalism in India.

Keywords:

I.  Introduction

 Big data is a term used to describe the vast and diverse volume of structured and unstructured data produced at an unprecedented velocity from various sources, these massive amounts of data are being generated and collected every day. This data can come from a variety of sources, including social media, online transactions, and sensor networks. Big data is characterized by its volume, velocity, variety, and veracity. The three defining attributes of Big Data, often referred to as the “3Vs” – Volume, Velocity, and Variety – represent the sheer scale, rapid generation, and diverse nature of the data.

 Data ownership and control are becoming more and more crucial in the age of big data. This is due to the fact that data is growing to be a valuable asset leading to economic growth and innovation, that can be used to better understand consumer behaviour, develop new products and services, and make better business decisions[1]. as data is continuously collected and shared across borders, ensuring ownership and control over this asset have become paramount to safeguard privacy, prevent misuse, and maintain ethical data practices.

 The legal aspects of data ownership and control are complex and evolving. In India, there is no comprehensive data protection law. However, there are a number of laws that deal with specific aspects of data protection, such as the Information Technology Act, of 2000 and the Personal Data Protection Bill, of 2019. The draft Personal Data Protection Bill, 2019, proposes comprehensive regulations for data processing, consent, and cross-border data transfers. Additionally, the General Data Protection Regulation (GDPR) in the European Union has implications for Indian entities handling EU citizens’ data. As India experiences a digital transformation and emerges as a significant player in the global data landscape, understanding the legal aspects surrounding data ownership and control becomes crucial to ensure responsible data governance and the protection of individual rights.

II.  Definition and concept of data ownership

Data ownership refers to the legal right and control that individuals, organizations, or entities have over the data they create, collect, or possess. It implies having the power to control how the data is accessed, shared, and used. Data ownership includes the need to protect the data’s integrity, security, and privacy while ensuring that all applicable laws and regulations are followed. In the context of Big Data in India, understanding data ownership is crucial as it establishes the foundation for data governance and protection.

III.  Types of data ownership

In the age of Big Data, data can be classified into various ownership categories, including:

  1. Personal Data Ownership: This type of ownership pertains to individuals’ data, such as their personal information, online activities, and preferences. Individuals have the right to control how their data is used, and they often grant consent for its collection and processing.
  2. Corporate Data Ownership: Organizations and businesses own data generated within their operations, including customer data, transaction records, and operational data. Corporate data ownership involves protecting sensitive information and complying with data protection laws.
  3. Public Data Ownership: Publicly available data, such as government datasets, open data initiatives, and publicly shared information, is considered under public data ownership. Governments may impose specific terms of use for public data to balance accessibility and privacy concerns.

IV.  Regulations and legal frameworks that deal with data ownership

In India, data ownership is influenced by a combination of existing and proposed legal frameworks. The main legislation controlling data protection, including elements of data ownership, is the Information Technology Act of 2000 and its amendments. The world is changing though, and India is getting ready to enact the Personal Data Protection Bill, 2019, a demand for stringent laws protecting and ensuring the privacy of personal data. The Personal Data Protection Bill, 2019 is a proposed law that would provide a comprehensive framework for the protection of personal data in India[2]. The Bill would establish a number of new rights for individuals, including the right to access, correct, and delete their personal data. Once passed, the Personal Data Protection Bill will set out authorization guidelines for data collection and processing, establish individuals’ rights over their data, and introduce data fiduciaries.

The General Data Protection Regulation’s (GDPR) extraterritorial scope affects Indian organizations that handle data of European Union individuals in addition to national rules and regulations. Processing the personal data of EU citizens requires appropriate safeguards and consent methods in order to comply with GDPR. As data transcends borders in the digital age, data transfer regulations, and international agreements also play a role in data ownership. Data ownership and control are further influenced by India’s stance on the localization of data, data transfer procedures, and cross-border data flows.

V.  Data Transfer and Cross-Border Flows

1. International Data Transfers and Legal Challenges

 When data is transferred across borders, it is subject to the laws of both the sending and receiving countries. This can create challenges for businesses that want to transfer data internationally, as they need to ensure that they are compliant with the laws of both countries. With the rise of global data exchanges and cloud-based services, data transfer is a common practice for businesses and organizations.  In India, international data transfers are subject to the proposed Personal Data Protection Bill, 2019, once it becomes law. The bill outlines provisions related to the transfer of personal data outside India, including mechanisms to ensure that data is adequately protected in foreign jurisdictions. Data exporters are required to comply with certain conditions or obtain the data subject’s explicit consent before transferring data internationally. In some countries, businesses need to obtain the consent of individuals before transferring their personal data to another country. This can be a challenge, as it can be difficult to obtain consent from individuals in other countries. Businesses need to ensure that the data they transfer is secure[3]. This means that they need to take steps to protect the data from unauthorized access, use, or disclosure and Legal considerations arise concerning data breaches, data subject rights, and government access to data when it resides in a foreign jurisdiction.

2. Data Localization Laws and Their Impact on Data Control

 Data localization laws are laws that require businesses to store data within a particular country. These laws are often implemented for security or privacy reasons. Data localization laws can have a significant impact on data control. For example, if a business is required to store data in India, it will not be able to transfer that data to another country without violating the law. This can make it difficult for businesses to operate internationally. In India, the Reserve Bank of India (RBI) has mandated data localization for payment system data, requiring the financial data of Indian customers to be stored only in India. Additionally, the Personal Data Protection Bill, of 2019, includes provisions on data localization, empowering the Indian government to mandate localization of certain types of sensitive personal data for national security or strategic purposes. especially multinational corporations that handle vast amounts of data. They may face increased compliance costs, operational complexities, and challenges in managing data across various jurisdictions while adhering to localization requirements.

3. Cross-Border Data Flow Agreements

 Cross-border data flow agreements (CDFAs) are agreements between two countries that govern the transfer of data between those countries. CDFAs can help to address some of the legal challenges that businesses face when transferring data internationally. Some of the benefits of using CDFAs include[4]:

 Cross-border data flow agreements require careful consideration of data protection principles, legal harmonization, and adherence to international standards to ensure that data is transferred securely and with respect to data subjects’ rights. Compliance with relevant laws and agreements helps foster trust and strengthens India’s position in the global data economy.

VI.  Legal challenges in data ownership and control in India

Privacy concerns and data protection laws

 Data ownership and control in India are closely linked to privacy concerns and data protection laws. With the increasing volume of data being generated and processed, ensuring the privacy and security of personal and sensitive data has become a paramount challenge. The proposed Personal Data Protection Bill, 2019, seeks to address these concerns by providing a comprehensive framework for the protection of personal data. Data processors and controllers have a duty to abide by strict data protection rules, which include developing informed consent, guaranteeing data accuracy, and putting in place strong security measures. Failure to comply with data protection laws can result in legal repercussions, including hefty fines and damage to an entity’s reputation.

Intellectual property rights and data ownership

 Intellectual property rights (IPRs) can play a role in data ownership. For example, a company may own the copyright in a database of customer data. This means that the company has the exclusive right to reproduce, distribute, and perform the database[5]. However, it is important to note that IPRs do not necessarily give company ownership of the underlying data. For example, a company may own the copyright in a database of customer data, but the customers still own the underlying data.

Jurisdictional issues in cross-border data ownership and control

 When data is transferred across borders, it can be subject to the laws of both the sending and receiving countries. This can create challenges for businesses that want to control their data across borders. For example, if a company in India collects data from users in the United States, the company may be subject to both the Indian and US data protection laws. This can make it difficult for the company to determine which law applies, and how to comply with both laws. The jurisdictional issues in cross-border data ownership and control are complex and evolving. There is no one-size-fits-all solution, and businesses need to carefully consider the specific circumstances of their business before making decisions about data ownership and control.

VII. Landmark data ownership cases and their outcomes

 The Aadhaar case is a landmark case in India that dealt with the issue of data ownership. In this case, the Supreme Court of India ruled that the government’s Aadhaar program was unconstitutional. India’s biometric-based identification system has been the subject of legal challenges concerning data ownership and privacy. The Supreme Court of India, in the landmark case of Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2017)[6], recognized the right to privacy as a fundamental right. This case questioned the Indian government’s data ownership and control over the vast biometric data of citizens collected through the Aadhaar system. The Court held that the government had not adequately protected the privacy of individuals’ Aadhaar data.

 The Airtel case is another landmark case in India that dealt with the issue of data ownership. In this case, the Delhi High Court ruled that Airtel could not sell its customers’ data without their consent. The Court held that customers have a right to control their personal data[7].

The Cambridge Analytica scandal raised concerns about data ownership and control as it related to Indian political parties. An investigation into whether Cambridge Analytica inappropriately obtained and utilized Indian citizens’ personal data during the election process was authorized by the Indian government[8]. This incident brought to light the ambiguity around data ownership and permission in India and raised talks for stricter data protection regulations.

VIII.  Comparison of data ownership regulations across industries

Policymakers and stakeholders need to consider the unique challenges and opportunities presented by each industry and develop effective legal frameworks that promote digital constitutionalism[9].

  1. Financial services: The financial services industry is subject to a number of data protection regulations, such as the Gramm-Leach-Bliley Act and the Payment Card Industry Data Security Standard. These regulations are designed to protect the privacy of individuals’ financial data.
  2. Healthcare: The healthcare industry is also subject to a number of data protection regulations, such as the Health Insurance Portability and Accountability Act. These regulations are designed to protect the privacy of individuals’ healthcare data.
  3. Personal data: India does not have a comprehensive legislative framework for data protection. The collection, usage, interpretation, and transfer of personal data and sensitive personal data in India is governed by the Information Technology Act of 2000 (the IT Act) and the Information Technology Rules 2011 created under the IT Act.
  4. Non-Personal Data:A legal foundation for creating rights over non-personal data is outlined in the Kris Gopalakrishnan Committee Report on Non-Personal Data Governance Framework.
  5. Intellectual Property: Nearly all forms of intellectual property rights including the methods for enforcing them are covered under Indian law. But the legislative process is sometimes drawn out and unclear, and the same problems could not be resolved for many years. For industries, this may lead to ambiguity and make their long-term IP enforcement decisions more difficult.
  6. Transportation Sector: transportation sector also highlights the need for clear legal, statutory, and social rules that govern data owners’ control.

IX.  Future Trends and Challenges

 The growing reliance on Artificial Intelligence (AI) and Machine Learning (ML) systems will significantly change the way data is collected, stored, and used. The anonymization and aggregation of data for AI training purposes may challenge the traditional notion of individual data ownership. Balancing the need for data privacy and protection with the advancement of AI applications will be a key challenge for policymakers and data regulators in India. This is creating new challenges for data ownership and control. In India, there is a growing awareness of the importance of data ownership and control. However, the legal framework for data protection is still evolving. There is a need for more transparency and accountability from organizations that collect and use data.

 Individuals should also be empowered to control their own data. the ethical implications of AI and ML algorithms, such as algorithmic bias and potential discrimination, will raise concerns about data ownership’s ethical aspects. Ensuring responsible and unbiased use of data in AI models will require a careful examination of data ownership rights and AI ethics guidelines. The Indian government is developing a new data protection law that is expected to be more stringent than the current law[10]. Several Indian companies are using blockchain to track and share data. For example, the Indian Railways is using blockchain to track the movement of goods and passengers. There is a growing number of startups in India that are focused on data privacy and security. These are just a few examples of how the future of data ownership and control is evolving in India. It will be interesting to see how these trends play out in the coming years.

Implications for future data ownership and control in India:

X.  policy recommendations for data ownership and control in India

To address the legal challenges surrounding data ownership and control in the era of Big Data in India, it is crucial to strengthen data protection laws and enforcement mechanisms. The proposed Personal Data Protection Bill, 2019, should be expedited for passage and implementation, providing comprehensive regulations for data processing, consent, and cross-border data transfers. Policy actions should concentrate on providing the data protection authority with sufficient funding and enforcement ability so that it may monitor data governance and guarantee conformity to data protection rules. To evaluate the adherence to data protection requirements by data controllers and processors, routine audits and inspections should be performed regularly. The laws should be clear and comprehensive, and they should be enforced effectively. The government should also create a data protection authority to oversee the implementation of the laws.

Transparency in data collection and use is essential for building trust between data owners and data controllers. Policymakers should encourage organizations to adopt transparent data practices, where data subjects are informed about the purpose of data collection, the types of data being collected, and how the data will be used[11]. Policy measures could mandate clear and easily understandable privacy policies and consent mechanisms, enabling individuals to make informed decisions about their data. They should disclose what data they collect, how they use it, and who they share it with. Individuals should have the right to access their data and request that it be deleted.

Policymakers ought to prompt businesses to embrace moral standards and frameworks for data collecting, usage, and sharing in order to advance ethical data practices. Data-driven technologies and AI systems should be designed and developed with ethical issues in mind. To ensure that individuals involved in data processing understand the ramifications of data ownership and privacy, policy measures should encourage organizations to undertake data ethics training programs. This includes using data in a responsible way, protecting the privacy of individuals, and avoiding discrimination. The government should provide guidance and support to organizations that are developing ethical data practices. these recommendations provide a good starting point for developing a more comprehensive and effective data protection framework in India.

XI. Key Findings

Conclusion

The legal challenges of data ownership and control in India are complex and evolving. The current legal framework is not adequate to address the challenges posed by big data. There is a need for stronger data protection laws and enforcement mechanisms. There is also a need for more transparency and accountability from organizations that collect and use data. Individuals should have more control over their own data. India can make use of the advantages offered by Big Data while respecting individual rights and privacy in the digital age by proactively forming data governance frameworks. To create a fair and equitable data ecosystem that benefits society as a whole, collaboration between stakeholders and ongoing monitoring of the data landscape will be crucial.

[1] Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013). https://scholarlycommons.law.northwestern.edu/njtip/vol11/iss5/1 (last seen on 23/07/2023)

[2] FP Explainers, Explained: Will the Digital Personal Data Protection Bill 2022 bring more privacy to India?, Firstpost, 21/11/2023, https://www.firstpost.com/explainers/explained-will-the-digital-personal-data-protection-bill-2022-bring-more-privacy-to-india-11666061.html (last seen on 23/07/2023)

[3] A 101 Guide to GDPR Consent, cookieyes, https://www.cookieyes.com/blog/guide-to-gdpr-consent/#:~:text=When%20a%20business%20is%20transferring%20personal%20data%20to,possible%20if%20the%20data%20subject%20gives%20explicit%20consent. (last seen on 23/07/2023)

[4] C Jana Subramanian, Challenges in Cross Border Data Flows and Data Localization amidst new Regulations, SAP Community, https://blogs.sap.com/2022/01/19/challenges-in-cross-border-data-flows-and-data-localization-amidst-new-regulations/ (last seen on 23/07/2023)

[5] Big Data & Issues & Opportunities: Intellectual Property Rights, Bird&Bird, https://www.twobirds.com/en/insights/2019/global/big-data-and-issues-and-opportunities-ip-rights (last seen on 23/07/2023)

[6] Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2017)

[7] Charanya Lakshmiumaran and Kunal Kapoor, The Economic Times, Supreme Court’s GST ruling against Airtel: Key implications for businesses, https://cfo.economictimes.indiatimes.com/news/supreme-courts-gst-ruling-against-airtel-key-implications-for-businesses/87537055 (last seen on 24/07/2023)

[8] The Cambridge Analytica scandal changed the world – but it didn’t change Facebook, the guardian, https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook (last seen on 24/07/2023)

[9] Supratim Chakraborty, Khaitan & Co LLP, with Practical Law Data Privacy Advisor, Data Protection in India: Overview, https://www.khaitanco.com/sites/default/files/2021-04/Data%20Protection%20in%20India%20Overview.pdf (last seen on 23/07/2023)

[10] AI governance: Ensuring your AI is transparent, compliant, and trustworthy, IBM, AI governance: Ensuring your AI is transparent, compliant, and trustworthy – IBM (last seen on 25/07/2023)

[11] Policy Brief: Principles for Responsible Data Handling, Internet Society, https://www.internetsociety.org/policybriefs/responsible-data-handling/

PDF 📄
Exit mobile version