Scroll Top

NAVIGATING RISKS-INDEMNIFICATION OF BIG DATA AND ITS DANGERS SURROUNDING DATA PRIVACY

Indemnification means when one party agrees to pay or compensate for the losses suffered by the other party. Here the former party is called an indemnifier and the latter is the indemnified party.

INTRODUCTION

Indemnification means when one party agrees to pay or compensate for the losses suffered by the other party. Here the former party is called an indemnifier and the latter is the indemnified party. Indemnification of big data means when there is something wrong with the data, one party takes the responsibility of covering all the costs and damages for the other party. There are some stakeholders in processing the data of the masses, who agree on indemnification clauses before the exchange of big data amongst themselves. Although indemnification at the face of it may seem like something done to protect the data of the masses it still has certain loopholes which pose a great danger to the privacy of individuals. In today’s era when the world is becoming more and more data-driven in every field from industries to healthcare, finance, marketing, and logistics, we need to have these loopholes fixed at the earliest before it leads to some great mishap

UNDERSTANDING DATA PRIVACY

The doctrinal foundation of the right to privacy in India rests on the trilogy of decisions in M.P. Sharma vs. Satish ChandraKharak Singh vs. State of U.P., and Govind vs State of Maharashtra.[1]But this judgment does not adjudicate the constitutional protection of privacy rights which was done in the 2017 Justice Puttaswamy case. On 24th August 2017, a 9 Judge Bench of the Supreme Court delivered a unanimous verdict in Justice K.S. Puttaswamy vs. Union of India  that the Constitution of India guarantees each individual a fundamental right to privacy[2].This was a landmark judgement for data protection which was the need of the hour with the vast amounts of sensitive information being exchanged and analyzed every second.

WHO ARE THE STAKEHOLDERS AND HOW THE DATA OF THE MASSES IS HANDLED?

When personal data is processed, there are typically four primary groups of stakeholders potentially involved in the processing: the individual whose data is being processed (referred to as the data subject), the entity or organization responsible for determining how and why the data is processed (known as the data controller), the entity tasked with actually carrying out the data processing activities (referred to as the data processor), and the regulatory body responsible for overseeing compliance with data protection laws and regulations (referred to as the data protection authority).[3]

 Data subjects- These are the people whose personal data is collected, processed, transferred, or shared by various stakeholders amongst themselves. Data subjects do have a certain set of rights and interests in how their data is handled such as the right to privacy, data protection, and informed consent. Data subjects may include citizens, consumers, employees, patients, students, and other individuals whose data is collected for various purposes.

  • Data controller – Entities such as government agencies, businesses, organizations, or individuals with legal responsibilities who determine the purpose and means of data processing and are responsible for safeguarding and managing the data are referred to as data controllers[4]
  • Data processor -Data processors that offer data processing, storage, cloud computing, analytics, and other services to manage and analyze large volumes of data efficiently. The EU Commission states that data processors are companies or organizations that process personal data only on behalfof the controller.[5]
  • Data protection authority- These are entities that are mandated to make sure that no foul play is involved regarding the privacy of individuals. These stakeholders include data protection authorities, privacy commissioners, regulatory agencies, and law enforcement agencies tasked with enforcing data protection laws and investigating data breaches or privacy violations.

Now moving on to how this big data is handled. In India, the collection and handling of data derived from surveys and government ID cards involve various government agencies, regulatory bodies, and private entities. Government surveys such as the Census of India, National Sample Survey (NSS), and various socio-economic surveys are conducted by government agencies and these agencies have to comply with confidentiality laws and data privacy rules such as those mentioned in the Census Act 1948, Aadhar Act 2016, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Similarly, The Unique Identification Authority of India (UIDAI) oversees the Aadhaar program and sets guidelines for data collection, storage, and usage to ensure data security and privacy, for voter ID cards there is the Election Commission of India, and so on. These infrastructures may include secure servers, encryption protocols, access controls, and regular security audits to safeguard sensitive information.

DATA SHARING

These big data are also shared amongst the stakeholders for various purposes

Data sharing is an essential part of the digital world. Whether willfully giving out information to create an account — or having your data sold, packaged, and resold, a lot of free services online rely on the

possibility of gathering or offloading personal data[6]. The sharing is done in the following manner – the parties agree on how data will be shared, like who can use it and for what purpose. There are certain controls set through this agreement which means only certain people can access the data and they need special permissions and these data are shared using safe methods to keep it protected.

while efforts are made to handle big data responsibly, several potential loopholes and challenges could compromise the privacy, security, and integrity of data. Some of these risks are data security breaches, data misuse and unauthorized access, data linkage and profiling, inadequate data protection laws, third-party data sharing and outsourcing, and improper data retention and disposal. To address these risks and loopholes indemnification clauses come in where one party agrees to take the responsibility or protect or compensate another party for any losses, damages, liabilities, or legal claims. The agreements having indemnification clauses include –

  • Data provider agreements- When a company or organization provides data to another party for analysis, the data provider may seek indemnification to protect themselves from any legal claims or damages resulting from inaccuracies, breaches of privacy, or other issues related to the data provided.[7]
  • Data processing agreements – Companies that process big data on behalf of clients may include indemnification clauses in their contracts to protect themselves from legal liabilities arising from data breaches, security incidents, or non-compliance with data protection regulations[8]
  • Data user agreement- Organizations that use big data for various purposes, such as marketing analytics, risk assessment, or decision-making, may seek indemnification from data providers or processors to mitigate the risks associated with using potentially flawed or unauthorized data.[9]

These clauses are designed to allocate risks between the parties involved in the collection, processing, and use of big data, ensuring that each party bears responsibility for their respective actions and liabilities.

KEY DANGERS TO DATA PRIVACY ASSOCIATED WITH INDEMNIFICATION

  • Limited accountability- When the responsibility of potential data breaches or violations is shifted from the party processing the data to the party providing the data, it leads the party with lesser control with legal and financial burdens when in reality the wrong happened due to the act of another party
  • Reduced incentive for data protection – In such cases, it also leads to the indemnified party reducing their incentive to invest in data protection measures.
  • Erosion of trust – This transfer of responsibility and liability leads to erosion of trust among the stakeholders and undermines accountability for data protection of the subjects
  • Lack of transparency – There may also be a lack of transparency for the data subjects as to who is responsible for their data protection

CONCLUSION

Indemnifying big data offers both advantages and hurdles concerning data privacy. Although indemnification terms can distribute risks and responsibilities among involved parties, they also raise concerns like decreased accountability, weakened incentives for safeguarding data, and diminished trust. To effectively address these obstacles, stakeholders should prioritize safeguarding data privacy, establish strong security protocols, and promote openness and responsibility in their data management approaches. By proactively addressing privacy concerns and adhering to data protection principles, entities can earn consumers’ trust, improve compliance with regulations, and protect the credibility of their data-driven activities.

Author(s) Name: Rashi Singh (NALSAR, Hyderabad)

Reference(s):

[1] Judgment of the court in plain english (I), (Supreme Court Observer, 24 August,2024) < https://www.scobserver.in/reports/k-s-puttaswamy-right-to-privacy-judgment-of-the-court-in-plain-english-i/> Accessed on 11 May 2024

[2] Judgment of the court in plain english (I), (Supreme Court Observer, 24 August,2024) < https://www.scobserver.in/reports/k-s-puttaswamy-right-to-privacy-judgment-of-the-court-in-plain-english-i/> Accessed on 11 May 2024

[3] Elias Arfi, ‘The basics (3/3): key stakeholders in data protection (Medium, 18 February 2021) < https://medium.com/privacy-focused/the-basics-3-3-key-stakeholders-in-data-protection-ac1a6cd59a2f#:~:text=When%20a%20personal%20data%20processing,and%20the%20data%20protection%20authority.> Accessed on 11 May 2024

[4] Elias Arfi, ‘The basics (3/3): key stakeholders in data protection (Medium, 18 February 2021) < https://medium.com/privacy-focused/the-basics-3-3-key-stakeholders-in-data-protection-ac1a6cd59a2f#:~:text=When%20a%20personal%20data%20processing,and%20the%20data%20protection%20authority.> Accessed on 11 May 2024

[5] Elias Arfi, ‘The basics (3/3): key stakeholders in data protection (Medium, 18 February 2021) < https://medium.com/privacy-focused/the-basics-3-3-key-stakeholders-in-data-protection-ac1a6cd59a2f#:~:text=When%20a%20personal%20data%20processing,and%20the%20data%20protection%20authority.> Accessed on 11 May 2024

[6] Elias Arfi, ‘The birth of a data sharing economy’ (Medium, 18 August 2023) < https://medium.com/privacy-focused/the-birth-of-a-data-sharing-economy-5108858500d4> Accessed on 11 May 2024

[7] Nathan Ross Adams, ‘Data agreements: Exploring the different types and uses’ (Michalsons, 6 May 2023) < https://www.michalsons.com/blog/data-agreements-exploring-the-different-types-uses/65527#:~:text=Data%2Das%2Da%2DService%20(DaaS)%20agreements&text=It’s%20often%20used%20in%20industries,or%20restrictions%20on%20data%20access.> Accessed on 11 May 2024

[8] Nathan Ross Adams, ‘Data agreements: Exploring the different types and uses’ (Michalsons, 6 May 2023) < https://www.michalsons.com/blog/data-agreements-exploring-the-different-types-uses/65527#:~:text=Data%2Das%2Da%2DService%20(DaaS)%20agreements&text=It’s%20often%20used%20in%20industries,or%20restrictions%20on%20data%20access.> Accessed on 11 May 2024

[9] Nathan Ross Adams, ‘Data agreements: Exploring the different types and uses’ (Michalsons, 6 May 2023) < https://www.michalsons.com/blog/data-agreements-exploring-the-different-types-uses/65527#:~:text=Data%2Das%2Da%2DService%20(DaaS)%20agreements&text=It’s%20often%20used%20in%20industries,or%20restrictions%20on%20data%20access.> Accessed on 11 May 2024