February 9, 2024




Categories: Privacy, Technology

Navigating Gatekeeping Practices for Privacy Without Compromising Data Protection


In a significant development, the Dutch Data Protection Authority (DPA) levied a hefty fine of 10 million euros against Uber B.V. and Uber Technologies Inc, citing a lack of transparency in its handling of personal data belonging to its drivers. The DPA imposed the penalty under Article 15 of the GDPR[1], in response to complaints filed by 170 French drivers.

As per the DPA, Uber violated user rights by[2] failing to provide requested data in an accessible format and processing information exclusively in English. According to the complaint, drivers' access to their own personal data was restricted.

The Uber drivers in France had complained that they could not access their personal data processed by the ride-hailing company. Uber's privacy terms also lacked a specified data retention period or security measures for transferring information outside the European Economic Area (EEA).[3]

The AP chairman Aleid Wolfsen stated in his order, ‘Transparency is a fundamental part of protecting personal data. This shows that Uber put all sorts of obstacles in place that blocked drivers from exercising their right to privacy, and that is prohibited. In fact, Uber should be facilitating drivers in their rights. This is laid down by law.’

Regarding how the Digital Personal Data Protection Act (DPDPA) 2023 would address similar scenarios, it would likely involve similar principles as those applied by the DPA in this case. The DPDPA mandates transparency, accessibility, and security measures for handling personal data. Therefore, any violations similar to those identified by the DPA in the Uber case would likely result in enforcement actions, fines, or other penalties under the provisions of the DPDPA.

A parallel incident in 2023 involved Spotify under scrutiny for breaching users’ data access rights in the EU, resulting in a potential 5 million euro fine in Sweden. The Swedish Authority for Privacy Protection (IMY) found that Spotify had failed in its handling of requests for access related to two out of three of the complaints examined. The decision in this part includes violation of articles 12.1, 12.3, 15.3 and 15.1 a-h and 15.2 of the GDPR.[4]

The complainant, Noyb, conducted tests on eight platforms, including Amazon, Apple Music, DAZN, Flimmit, Netflix, Spotify, SoundCloud, and YouTube, revealing systemic breaches of users’ GDPR data access rights.[5] The study revealed that many platforms using automated systems for Subject Access Requests (SARs) failed to provide users with complete information.

Understanding Data Gatekeeping

Lack of proper data processing protocols gives rise to operational risks that arise from inaccurately processing data. This practice, where access to information is selectively restricted, disrupts rightful processing of data and can be labelled as data gatekeeping.[6]

The idea of Gatekeeping was first introduced by Kurt Lewin (1890-1947), a German psychologist and pioneer in social psychology.

As per an OECD report on digital gatekeepers, it was established that a firm can set up a comprehensive product ecosystem to retain customers, potentially monetizing their attention or data. This can position the firm as a gatekeeper, controlling customer access to content, products, or services. If consumers predominantly rely on the gatekeeper’s range of products and services, the gatekeeper gains market power, enabling it to dictate terms of access for third parties.[7] In some cases, data gatekeeping is looked upon as a good practice. However, issues arise when data gatekeeping is implemented in a way that infringes upon individuals’ rights and interferes with the rightful processing of data.

Legal Frameworks and Regulatory Measures

Gatekeeping practices underscore the necessity for laws like GDPR, HIPAA, CCPA and the Digital Personal Data Protection Act (DPDPA) 2023. These laws establish data governance standards for all stakeholders, including users, fiduciaries, data processors, and others.

In January 2021, WhatsApp sought to implement its revised Privacy Policy, prompting an investigation by the Competition Commission of India (CCI) to assess potential abuse of WhatsApp’s dominant position.

Unlike the 2016 Policy, which provided users with an option to ‘opt-out’ of sharing their information with Facebook[8], the 2021 Policy placed users in a ‘take-it-or-leave-it’ situation, ‘virtually forcing its users into an agreement by providing a mirage of choice, and then sharing their sensitive data with Facebook Companies envisaged in the policy.’

In March 2023, the consumer protection authority observed that searches on Google resulted in identical feeds being displayed on Facebook, implying potential data sharing between major tech companies. The regulator stated that if consent was not explicitly collected, users can file complaints under the Consumer Protection Act.

Enforcement and Compliance Mechanisms

In India, the DPDPA emerges as a framework that focuses on regulating data fiduciaries, similar to data controllers in GDPR, as they hold data on behalf of data principals / data subjects. The Act also establishes a Data Protection Board (DPB) responsible for adjudicating grievances and imposing penalties for data breaches.

The law aims to reduce the potential for data gatekeeping by fiduciaries, by outlining lawful bases for processing personal data. It includes provisions regarding data retention periods, the rights of data principals, the purpose of processing, and obligations related to breach notification and consent mechanisms in the data collection process.

The DPDPA grants the government the power to create a board charged with enforcement. The board has a preset list of penalties it may impose depending on the nature of the violation, which ranges from INR 10,000 (roughly $120 USD) to INR 250 Crores (roughly $30M USD).

Violation of a user’s rights would constitute a breach of the Act. These rights are codified in Sections 11, 12, and 13 of the DPDPA. They comprise: The right to access their information. The right to request its erasure. The right to correct their information. The right to receive notice before consent is sought. The right of grievance redressal, which is unique to the DPDPA and requires data fiduciaries to provide a tiered redressal process.

According to the DPDPA, the responsibility for ensuring compliance with user rights lies with the Data Protection Officer (DPO) of the company/data fiduciary before any grievances are escalated to the Data Protection Board (DPB).

Building Trust Through Responsible Data Handling

As the frequency of data breach incidents rises globally, conducting timely privacy reviews becomes critical. Privacy reviews involve assessing data protection policies and practices to ensure compliance with privacy regulation. Failure to conduct such reviews allows data breach practices to go unnoticed.

Although gatekeeping is not a relatively new concept, it is a concerning one. Consumers rely on organizations to safeguard and responsibly use their data, and this trust can be quickly eroded by data breaches or misuse of data. Businesses are notorious for misusing unlawfully acquired data in India. Businesses must navigate the complex terrain of data governance and privacy by incorporating ethical data gatekeeping practices and conducting privacy reviews that enable them to strike a delicate balance between operational efficiency and responsible data access.

[1] https://tdwi.org/articles/2017/03/29/data-governance-doesnt-need-to-be-gatekeeping.aspx

[2] https://dataprivacymanager.net/dutch-data-protection-authority-imposes-e10-million-fine-on-uber/

[3] https://www.autoriteitpersoonsgegevens.nl/en/current/uber-fined-eu10-million-for-infringement-of-privacy-regulations

[4] https://edpb.europa.eu/news/national-news/2023/imy-issues-administrative-fine-against-spotify-shortcomings-regarding_en

[5] https://techcrunch.com/2023/06/13/spotify-gdpr-data-access-fine/

[6] https://tdwi.org/articles/2017/03/29/data-governance-doesnt-need-to-be-gatekeeping.aspx

[7] https://one.oecd.org/document/DAF/COMP/WD(2022)57/en/pdf

[8] Vinod Kumar Gupta v. WhatsApp Inc 2016