Learning from present challenges: Time to adopt a human rights-based approach to data

by Niyati Nagar Simran Bais - October 15, 2021, 7:53 am

The recent spike in data breaches around the world makes us ponder their impact on human rights. Data, the new currency of the modern world, is deeply integrated with the Sustainable Development Goals (SDGs), which seek to realize the human rights of all. It is a fact that humanity is experiencing a triple transition: from the resource economy to the digital economy, from centralized governance to multi-governance, and from industrial civilization to digital civilization. This significant transformation in the journey of human rights paves the way for the reconstruction of the system of rights and interests.

Since 2020, high-profile cyberattacks and state-sponsored attempts at security breaches have been steadily increasing. This puts the protection of human rights at stake, because personal data or sensitive personal data should be handled only with the express consent of the concerned individual, according to Art. 6(1)(a) of the GDPR. In a recent case in the United States, the Federal Communications Commission confirmed an investigation into the data breach disclosed by T-Mobile U.S. Inc., which impacted more than 47 million customers. The incident involved a breach of personal data, including social security numbers and license information, of approximately more than 40 million users. The T-Mobile data breach is the latest high-profile cyberattack of current times, in which digital thieves took advantage of weak security resulting from the work-from-home policies triggered by the COVID-19 pandemic. No sector is immune to the increasing cases of cyber theft, which has also engulfed the airline industry: IndiGo's servers were hacked, and the company contemplated that the stolen information could be sold by hackers on public websites. Within a span of six months, India witnessed a massive data breach at Air India. The attack compromised the personal data (such as passenger names, contact information, and passport information) of millions of its customers. To prevent such incidents, comprehensive data protection laws are imperative for the protection of human rights, predominantly the right to privacy, and also the many related freedoms that depend on one's ability to make choices about how and with whom information is shared. As a robust measure against this problem, the EU enacted the General Data Protection Regulation (GDPR), one of the comprehensive attempts globally to regulate the collection and use of personal data by both the government and the private sphere.
The new safeguards under the regulation focus particularly on the importance of human rights in the digital age. Recent scandals involving Facebook and Cambridge Analytica, along with the data breach incidents discussed above, have driven calls for greater control over how personal data is collected and how it is subsequently used. The objective of the GDPR is to avert abusive intrusions through data in the digital age; personal data is intrinsically connected to people's private lives, and protecting it in turn preserves a range of other human rights. However, there are certain conundrums associated with the GDPR. One of them is the broad ambit of "legitimate interests", under which organisations are permitted to use collected data without consent, provided the legitimate interest of the entity outweighs the person's rights and freedoms. Such ambiguous terms in the GDPR can therefore invite a stream of court cases against enforcement actions. All countries essentially need to adopt comprehensive data protection laws that place human rights at the centre. Though the GDPR is imperfect in some places, it is certainly one of the fundamental data protection regimes in force. Governments should regulate the private sector's treatment of personal data through transparent laws that restrict the collection and use of people's data in order to protect their rights. There should be data collection for accountability and accountability in data collection; once the State establishes and implements this, most of these cases can be reduced.
To make this data for accountability more concrete, the OHCHR has put forward a recommendation that a framework of structural, process, and outcome indicators is beneficial for progress towards human rights standards, and that this framework can be developed through collaboration between human rights experts and statisticians.

The digital space should be construed differently from physical space, owing to its borderless nature. Therefore, there should be a separate body at the international level, constituted of experts (human rights specialists, data professionals, statisticians), to adjudicate all data breach and allied matters and to expedite such massive data theft cases. Though this will invite some administrative expense and inconvenience, as the saying goes: no pain, no gain.