Privacy Venture: The Extent of Data Retention

Introduction

You are not alone if you have clicked “I agree” to terms and conditions with hardly giving it a glance before launching an app on your mobile. 90 per cent of the people consented for the terms and conditions before even reading them and nearly 97 per cent of people are aged between eighteen to thirty-six years, says a Deloitte survey[2]. The identified reasons could be the lengthy and complex language used by the apps designed to ensure the users are completely aware and have knowledge upon the consequences.  This explains how easily app users are willing to risk their personal details through the app to third parties, about which they know nothing about. Here are few agreements that people come across more often:

General Avenues

E-commerce

Agreements online can be of two types:

1. One of which where the terms and conditions (T&C) pop up before the user makes a purchase where the app/site makes the user to read and accept.
2. Where in the second case, the T&C do not pop up but rather are written most likely at the bottom of the page where the user is assumed to have proceeded further.

However, in case a dispute arises, the courts usually consider the cases where the user clicks “I Accept” as it is a binding agreement by his conduct. These cases have better chances as there is an acceptance identified.

This is the reason why most of the apps enable clicking the accept button only after scrolling till the bottom of the terms and conditions.

Trends in Cyber Law[3]

1. Legal approach: Cyber law has become a regulatory issue with the increasing day-to-day cybercrime. Countries have been developing in bringing up their respective cyber law legislations and securities.
2. Internationally accepted principles: These common laws are to maintain internet stability, both nationally and internationally, with regards to cyber laws and security. This could bearranged with an International Convention on Cyber Law.
3. Bilateral treaties and agreements: The common laws which lead to international treaties and conventions are aimed by the countries as cyber security needs an international approach, and that information shared among countries would be secured. Although it will take time for the countries to come together on this subject.
4. Jurisdiction: Clearly, the internet jurisdiction needs to be developed as most of the criminals on the web are likely to be anonymous. Principles regarding the same are to be developed.
5. Consumer protection: With millions of people entering into the digital world everyday, cyberspace is likely to identify and work on consumer protection related issues.
6. Cyber risk insurance: This type of insurance will further become more common and this specific field requires specific coverage to the users rather than mere extensions and warranties.
7. Spam: The increasing innovation of spam in targeting users, India has become one of the hotspots for spams. Efficient legislations relating to spam are to be brought.
8. Intermediaries: The coming years would focus more on the role of intermediaries and service providers with the growing diligence requirements. The cyberspace is being watched out by the countries as the intermediaries are responsible for the data collected through apps and other mediums concerning cybersecurity and as third-party data.
9. Encryption: Privacy to be protected through encryption. Should the States have access to encrypted data? Maintaining a ground where the data is private but the State having the right to access.

Data Retention Policy in India

Preservation and Retention of Information by Intermediaries[4]

1. Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
2. Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.

 Data retention is normal and necessary for securing the State from any threats, but is a limited process.  Problems do occur when protection against terrorism measures is used to justify mass retention of people’s data on a daily basis. This, in fact, is mass invasion of people’s private lives. Data retention laws can unknowingly become a “legal” means of violating people’s fundamental right to privacy. Defining the kinds of data retention:

1. Mass retention of metadata: The main kind of data retention is the mass retention of metadata. Several countries today are constantly attempting to introduce and improve their respective privacy and cyber laws, which would legalise the mass retention of metadata. Metadata consists data such as time and duration of telephone calls, internet usage, IP addresses of the devices, details of senders and receivers of e-mails, credentials that are used, track of logging in and logging out, etc. Although, such retained data does not include the desired content of the e-mails or messages the Governments, however, argue that this kind of retention does not reveal personal details of the individual. It is not true that individual’s entire internet history would not be traced out using just the metadata.
2. Mass data retention: The next kind of data retention is mass data retention. This is a crucial part in order to conduct mass protection programs hosted by the NSA, USA and CMS, India.  This kind of retention involves retention of every single piece of information about a person’s internet usage. The Government can abruptly collect any of the content of the e-mails, messages, phone calls, gallery, visit to any website, without stating any reason. This practice, however, in India or the US, is unauthorised by law. In India, Section 69 of the Information Technology Act allows the interception, monitoring and decryption of information for a mere period of 2 months.
3. Limited data retention[5]: This kind of retention of data is allowed by Indian legislations which is mainly concerned with the retention for a specific reason and a specific time. This kind of retaining data is hardly considered as any violation. For instance, to check the data of a region which is suspected to have any threat from terrorist groups, the Government may insist the service provider to retain or decrypt such data.

Altercations

 Data Collection

Recent hearings in the Western States found the source by which large third-party data collectors track individuals through several renowned websites. Regulators have paid comparatively less attention to the mobile application concept, where current studies have shown the means by which these third parties collect data from mobile apps and highlighted legal complications around data controller status and user consent in this field.

A 2018 study by Oxford University surveyed 9,60,000 apps in Google app store and concluded that 40 to 90 per cent of all such apps are set in a way to share data with major third-party tracking companies, regardless of whether the user of the app had an account with any of those companies or not.

iOS and Android Liability and how the Device Stores, if it Does?

Deleting a file does not mean destroying the existence of the file. Whenever the delete button is pressed, the file becomes unavailable to access. There is a unit called a storage master table that keeps track of all the space that is available and used storage spaces. Whenever a delete action is performed, the space is set as free to reuse. When a new file requests for storage space, the space remained after deleting the old file will be reused. Until then, it is not accessible. Once a newer file is being replaced, the old one will be deleted permanently.

So when data is erased, what actually happens to those deleted files, is Avast’s report regarding the eBay phones.[6] The most immediately relevant analogy for defining the legal status of mobile platforms is probably not the webhosts that are the current focus of many discussions of intermediary liability. The immediate analogy for the legalities related to mobile platforms are not regarding the browsers or the software but rather the hardware. The hardware is the most immediately applicable point of reference. Under current rules, a hardware maker, an operating system, or a browser is not liable for the actions of any independent third-party apps that a user installs or loads into his system or access through the browser. Applying the same principles in the mobile context, it seems highly unlikely that courts would impose liability on the developer of a mobile hardware, operating system or browser for content or behaviour of an independent third-party app.

Data collection, mining has been happening for some time now. Most of it is usually harmless. It is now considered a way of life, which has made life so convenient that a user does not even appreciate or notice it. But sometimes it might seem forced or too much because of few companies and that is where law comes in. And hopefully people figure out to keep the privacy and convenience especially when they are all headquartered in a capitalist country and most users do not mind giving data.

How is Data Retention Different from Data Collection? Role of Government in Collecting Data

Government might not even get the user’s data. Before thinking of where the user’s data is going, where the user is giving is to be noted i.e. mobile applications, majorly. Users’ data stay in the company’s data repositories for the company’s use. The further selling of data depends on the company. For every app the user installs, there will be a blind scroll and accept button on “I agree” for any terms and conditions. If the user uses BSNL for WiFi or any public network, it is sure that the data is shared along with millions of others in government repositories. If the user, using a private broadband, they would just get what sites the user visits, what web pages he navigates, the frequency and the timeline of it. While using their network, if user visits sites like YouTube, they would not know what the user browse there. It will just be YouTube that will know what is being browsed. If all of this is done on a Chrome browser, Google will collect it. Every service that is used, every text field that is entered, every button that is clicked in a browser, amounts to the collection of data.

Does the terms and conditions mention the right of the company to sell the user’s data to third parties?

The enterprises and service-based companies can sell it to the third parties as they want, as the user agrees to the T&C, and this vastly varies based on region.

Example: After Cambridge Analytica[7] was proved helping Trump and other political companies in targeting political ads based on Facebook users, Europe introduced General Data Protection Regulation –(GDPR).[8] So, a euro citizen will have rights when it comes to his or her data.

In an Indian scenario, it is not usually the same. Despite the Government asking networks to bring down certain sites and insist the network providers to give them user data, it is still beyond the Government’s capacity over how the risks of appification and data collection are handled.

Example: A user’s Twitter activity is known only to Twitter. The Government cannot retrieve Twitter data. Although, they take action on the user if he tweets hate speech or anything against the State. But that is where their power is confined to.

The Government cannot impose on Twitter to give India region data. Even if they do, for the protection of the State, Twitter has their right to reject it.

If sites like Uber[9]/FB collect any data, what will be the jurisdiction to sue for breach of privacy, since they are online services?

The user initially has agreed to do whatever the company does when clicked “I agree”. Even though the user does not read, it would display that they are going to do anything with that data including even sell it so that other companies can recommend their services and products to users. Since Cambridge Analytica, Facebook, Microsoft and Google have been facing multiple lawsuits over data privacy breach. Ever since, they have done lot of revisions and updates making their applications foolproof for further lawsuits.

But, if there is a glitch identified and a user wants to sue, he should probably make a trip to San Francisco, California and sue there in the country where their headquarter is registered, as the place of the party to the suit is a competent jurisdiction.

Till what extent does Google track us?

Gmail, Maps, Chrome and many other services of Google are widely used. Uber’s map is licensed to Google. So do many other location based apps. So, it is impossible to avoid giving data to Google if a user plans on living by normally using these services. Now, the only difference with Android is, it can even track what the user does with OS. Like frequency of app visits, duration of phone usage, app usage, etc.

The user has deleted a picture. Where does it go? Does delete mean entirely deleting it or is it there somewhere?

Here is a probable pathway.

If a user has given cloud permissions, then it is hard to say if it is ever deleted. It might go to random data collection repositories the minute the user saved it and backed up to cloud. They announce to the user that it is all gone, but they have wide number of data centers to keep all this miscellaneous data, usually said for RnD or project purpose. The user will never know for sure unless he or she is an employee in the company. Not even the Government.

The user has uploaded the picture on cloud. What is cloud?

Cloud is basically a platform where a user keeps all his data instead of using his device’s memory. In simple terms, cloud is for data, what banks are for money.

A person has a closet and a pile of money, he stores it. What if he has a truck load of money? He is likely to use a bank.

Similarly, a device is given thirty-two GB of memory but usage of at least sixty to seventy GB or in cases even higher and the user does not want to delete existing data to store new ones. So, he uses Cloud. The user just connects to his public cloud over internet and the company stores it in their data centers. Cloud is a layman word for the public to understand. Simply put, instead of keeping the user’s data on the device itself, Google, Apple or Facebook will store it for him on their databases in their data centers (which are large enough to store data for their user base) for nearly two billion people[10] and the user will be able to retrieve it whenever needed.

Are Data Collectors Intermediaries? Who are Intermediaries?

If the user accesses Uber, Uber and Google will get his data. If the user is using Amazon but later on gets a similar advertisement on Instagram, then Amazon, Facebook and Instagram are in the play. Everyone except user and the end service which recommends the user is an intermediary. Although it is nearly impossible to determine as one or more of them can make the user a target and recommend.

A User Spoke about Singapore on WhatsApp and now gets Singapore Packages Ads from Makemytrip (MMT). Did WhatsApp sell it to MMT Directly or there is an Intermediary who is Collecting and Supplying? What is Happening here?

There are two scenarios identified here.

1. Consider that the user browsed on Google Chrome. Google might have identified the word frequency of the user and that would send a notification to MMT because they have a mutual system setup as Google can use this data and help MMT by suggesting ads because here, MMT is likely to pay Google.
2. The user used the MMT app and they get his activity. Assuming the user did it on an iPhone, Apple has Trivago as their client but not other competitors like MMT. So the user is likely to get ads from Trivago regarding the tickets and packages, and since the user usually gets his tickets to Gmail, Google also collects this data. If the user used Google Maps to search places in Singapore, and if Google had a local business there as a client, the user gets their ad for the respective services. Endless possibilities are identified in this scenario.

In the end, no one is targeting the users by their name. No company collects and stores data under one single individual. The user is just a device name, username, location tag and criteria-based entity with a serial number, which might have a label “x” in the databases. A user is just one in a multibillion entity based analysis and profiling so that the preset algorithms can recommend ads and services.

Indian Laws on Data Protection

India has not enacted any particular legislation on protection of data. Although, the Indian Legislature did amend the Information Technology Act, 2000, to include Sections 43-A and 72-A, which give a right to compensation for improper disclosure of personal information. The Indian Central Government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) under Section 43-A of the Information Technology Act. A clarification to the above Rules was issued on 24-8-2011. The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have any similarities with the GDPR[11] and the Data Protection Directive. However, these Rules were issued in 2011.

 Beyond Challenges

 These technicalities bring up questions regarding the distribution of responsibility and legal obligations between app developers and third-party data collectors. Third-party collectors’ terms of use typically place the sole responsibility on the app developer to ensure that it has the right to collect, use and share data before providing it to the collector. For instance, Facebook’s business tools terms of use state that: In jurisdictions that require informed consent for storing and accessing cookies or other information on an end user’s device (such as but not limited to the European Union), you must ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook Business Tools to enable us to store and access cookies or other information on the end user’s device.

But the EU authorities have not encouraged similar practices. In 2018, the Belgian Court of First Instance upheld a decision of the Belgian Data Protection Authority that found Facebook jointly responsible with website providers for its online tracking pixels and cookies. Facebook argued that its terms of service with website providers required providers to obtain necessary user consents, particularly for website visitors who were non-users of Facebook, and that Facebook, as a separate entity, could not be considered the data controller. The Court disagreed, stating “as Facebook determines both the objective and means of processing of personal data, it remains the party responsible for processing personal data via pixels and is thus, jointly responsible with the owners of the third-party websites for meeting the legal obligations”. A similar chain of judicial reasoning could apply to app tracking.

What all are the kinds of risks involved in this? How far can the risk of sharing data amounts to crime?

The kind of risk involved here is the same kind involved in any other occupation. A worker at a power plant can conduct an error and create such an event resulting in loss of life and property. But, almost all of such workers would not. It is similar here. Everyone who has access to user’s data, who understood it will have the power to do whatever they want with it, but they would not.

A data analyst or scientist has abundance of data at his fingers. Raw data, web data, user data, DoB, likes, interests, activities and a lot of areas. But, he mostly cannot do anything with it. He can only use company devices, to access them, company bought tools and software to analyse them and leave them in the company’s Cloud. Any other activity beyond his capacity will be notified and he will have to face consequences involving his team leaders.  If he still decides to go further, he might end up in jail or pay fine as he had a security breach with his company’s contract.

Looking into the kinds of risks, the involvement here is about millions/probably billion(s) of accounts and the parameters are way too large to impact just one person. There is mostly privacy, security risks and the risk of being involuntarily targeted and influenced[12]. A user is a part of millions of target groups because of his web activity. But as a user of another group, he has force fed all sponsored content from USA Elections, Trump and other similar items, before he even knew facts or thinks he does, he has already picked sides involuntarily, subconsciously. Coming to the biggest, saddest, capitalist aspect of them all, e-commerce and advertising. For instance, Maggi noodles are unhealthy, but you kept on seeing their presence everywhere and involuntarily the next day when you go to the store, you would think “this is famous, this should not be as unhealthy”.

These are mere examples. Multiplying these with every company, party, organisation that has a lot of money, there would be endless possibilities and array of activities which has led the world to what is today. Today, where data has surpassed oil in value and most of the data mankind has, was just created in the last four to five years.

 How Far can the Risk of Sharing Amount to Crime?

Patient data, credit card data, bank data, DoB, address, balance, properties, and the other thing people are usually worried about, might not be bad for them. But, they will never be targeted individually.

If an employee of a bank hacks the accounts of his bank’s clients, there should not be much of complexities here in hacking. The hacker knows what network to log in, which access to use, what credentials to enter and that is all. So depending on the kind of data, risks are determined.[13]

If an underage user creates a Facebook account there is nothing to worry about except for the content that the child will be subjected to. But using a credit card in a fake website and the device has some important material or a mail in it, the site is likely to extract the data. Then, the user needs to be cautious. It all comes down to the trustworthy services. Like someone would trust Gmail over Yahoo or Hotmail to give them their data.

Few users would keep professional and personal life separate by having family and friends on one device used on his home network and work on company devices. This way the algorithms can never link him up and the likelihood of facing threat because of the data extracted being negligible.

There is risk because there is a lack of some sort of protection. What is missing? Why is there a risk?

Most of the users are still unaware of the possibilities. Majority of the user base just bother the needs it caters to, and ignore the concerns it brings. The reason why Facebook’s stocks are going down and the big four are battling multiple lawsuits every day. When Europeans understood this, they implemented GDPR to protect its citizens from security breaches. Sadly, many other countries do not have as many constraints on these issues.

Particularly about privacy, what is the risk involved?

It is simple. A user knows how much his bank balance is, what medical ailments he has, what questionable sites he visited and all of this is personal. What if Google suggests a woman birth control pills because she was browsing about pregnancy? Google knows what kind of services to provide before we even know.[14]

Note: it is not a question of risk, but about the extent one cares about his personal information being available to an employee in a cubicle at Google or Amazon. It might range from just a phone number, email to bank activities and passwords.

Looking into workplace risks, there are a lot of important aspects to remember. If the user is not working in an established company or somewhere where the company does not worry about its digital footprint, there is a fair chance Google, Facebook knows more about the user’s work than his company. Because he is using their major services such as Gmail[15]. But if an enterprise is secured with right certifications and tools and the infrastructure to keep everything private, there got to be nothing to worry about.

What is the status of India in all of this?

At the very top, and the bottom at the same time. Majority of data scientists, analysts, experts and working professionals are from India, work from India, live in India and even workers outside of India, are mostly Indian. At the same time, the huge number of users who are indirectly responsible for profiting Amazon, Facebook, Google, Tinder, TikTok, etc. are from India too. They do not realise the monster they have been feeding to and how it is slowly killing them.

On the other hand, the elder generation who involuntarily put all their bank info, work info, personal info involuntarily is clueless of the threats and risks. Not to mention the ignorant government heads including TRAI and IT Ministry, who hardly consider and understand what Europe’s GDPR is and will turn down any proposals brought by thoughtful employees. A number of Central Government, public sector employees might not be aware of how they are dealing with the country’s data and what company’s repositories they all end up in. Although there are some smart, thoughtful young minds who come up with good ideas to make everything better, but it all comes down to the imposing authority to take decisions.

TRAI Recommendations on Data Privacy[16]

TRAI released its recommendations on the subject titled “Privacy, Security and Ownership of Data in the Telecom Sector” which are applicable for apps, browsers, operating systems and handset makers. An official of the Ministry of Electronics and Information Technology, which is tasked with drafting the data protection law, said that the Act will “prevail” over everything else. In respect of telecom matters, there will be a role for TRAI as sectoral regulator but the basics of privacy will be governed by the Data Protection Act.

Industry bodies such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) have also criticised TRAI, saying the recommendations were “illegal” and akin to “jumping the gun” ahead of the release of the Srikrishna Committee Report[17]. Some of the clauses such as no use of metadata to identify individuals coupled with data minimisation will be detrimental to building the data business in the country, they said.

In its recommendations, TRAI said that individual users owned their data, or personal information, and entities such as devices were “mere custodians” and do not have primary rights over that information. It also said that the current framework for protection of personal information is “not sufficient” and suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information.

Procedure to Fill the Gap

How can gap between users and big companies w.r.t data protection be filled?

More people need to be optically canvassing how it indirectly impacts the lives and decisions of users. Users need to understand how precisely their data is available to corporates and be more mature in the utilisation in lieu of “I have nothing to lose”, “I do not mind” mentality. Executives in the corporations should be bringing up standards, methods and strategies on laws where human rights and privacy of users are not infringed. This is just ideal. But, the common belief being corporations endeavour their best to have it their way. The only time people had a victory was Europe’s GDPR.

 How Does the World Combine to Become an International Body in Order to Battle the Data Policies?

Though it sounds like an ideal move, it is unlikely to be practical, because a user does not confine usage of services to just one company or one country. As the law fluidity changes from nation to nation, Facebook and Microsoft made foolproof agreements that their Governments will protect them if an alien entity requests them to follow foreign regulations. The said companies amount to nearly half of US’ economy. So the solution here could be awareness. People in charge, taking decisions for public should be made aware of what is happening with their data. Leaders like J. Trudeau, B. Obama and many others used this awareness for a positive change. As long as unprogressive leaders exist, there will be no saying what is going to happen. It can either be completely shut or entirely encouraged, depending on a nation’s political agenda.

Building Privacy-Conscious Apps[18]

Though app compliance with privacy laws is developing, problems frequently come from the lack of information or non-existence of the privacy policy and from a lack of meaningful consent. Transparency is a key aspect of data protection compliance and a clear, understandable and easily accessible privacy policy is a considerable step in the right direction. Enough disclosures in the privacy policy, particularly where available to users usually stores, prior to installation, assist in ensuring users’ consents are adequately captured. The opinion also recommends seeking enough consent for categories of data access, and updated consent when changing processing purposes[19].

It is important that all stakeholders understand their privacy obligations. Privacy should be considered at all stages of development and production. Data minimisation practices particularly with regard to location, contacts and UDID data, should be observed to avoid unnecessary collection or processing. With the growth in the app industry mirrored by a marked increase in regulatory scrutiny, considerations of privacy and data protection should be upright safe and secure.

The Supreme Court of India on Privacy

It is still ambiguous to frame rules under Section 67-C of the Information Technology Act that which kind of data retention will the Indian Government choose in their current system. These rules might have high chances of violating people’s privacy. The Supreme Court, however, will support public opinion against any such laws violating privacy.

For example, interception of telephone is allowed under Section 5(2) of the Telegraph Act, 1885. The Supreme Court, by subjecting the amount of safety lacking in the said Act, upheld the validity of interception, including limiting the time and purpose of the interception. After challenging the validity of Section 69-A of the Information Technology Act, the Supreme Court upheld it on account of the number of procedural safeguards contained in its rules. Ultimately, it is the support of the Supreme Court to scrutinise in order to maintain adequate measures like it took place in the past.

Conclusion

India plays a very vital role not because of the population and the user base, but the density has the capacity to determine these companies’ success. The developers of India are integrated into the developer base and companies that build apps enable data availability and besides, the user base because of India’s over enthusiastic youth.

TikTok, YouTube, Tinder, Google Apps, Apple, Microsoft, Facebook (Instagram, WhatsApp) are off the top. India has at majority user base percentage in all of the said apps without any control, is how Indian users perform. And it is beyond the point of control and awareness. PUBG, for example, is a platform for data collection. The Government tried to shut PUBG down, which essentially affected on the freedom of users and the older generation, sadly, do not even understand what it means to the users. The smarter employees play a vital role in building these systems and integrating them internationally and are crucial people for these companies.

On the contrary, leaders occupied in higher chairs in Indian States, where half of them do not even see how companies and their systems work or even think it is as vital to think and discuss about. Although there are few thoughtful ones, which consider the proportionality, thoughtfulness and responsibility of data sharing[20], but how many are so many? So, to predict how the people’s mindset gets established over the years, it is not possible. To get better, it all comes down to the user base or the Government to implement policies such as EU’s GDPR which voice out on seven key principles[21]:

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimization;
• accuracy;
• storage limitation;
• integrity and confidentiality (security); and

---

[1] Judicial Clerk, High Court of Andhra Pradesh, Amrawati.

[2] Do You Accept the Terms & Conditions … or do they Need to Change?, Lawyer Monthly, available at <https://www.lawyer-monthly.com/2018/08/do-you-accept-the-terms-conditions-or-do-they-need-to-change/> (last visited on 20-8-2019).

[3] Dr Pavan Duggal, Important Global Cyber Law Trends, Cyberlaws.Net and Pavan Duggal Associates, available at <http://cyberlawcybercrime.com/cyber-law-trends2017/> (last visited on 22-8-2019).

[4] The Information Technology Act, 2000, S. 67-C

[5] The Indian Government Proposes New Data Retention Rules: Will Privacy be Compromised?, TECH2, available at <https://www.firstpost.com/tech/news-analysis/the-indian-government-proposes-new-data-retention-rules-will-privacy-be-compromised-3690439.html> (last visited on 25-8-2019).

[6] Avast Bought your Phone on eBay & Recovered what you Thought you “Wiped” available at <https://venturebeat.com/2014/07/08/avast-bought-your-phone-on-ebay-recovered-what-you-thought-you-wiped/> (last visited on 29-8-2019).

[7] The EU General Data Protection Regulation (GDPR) is the Most Important Change in Data Privacy Regulation in 20 Years, EU GDPR.org, available at <https://eugdpr.org> (last visited on 1-9-2019).

[8] Recognising privacy and security professionals from across Europe, PrivSec 200 available at <https://gdpr.report/news/2019/08/27/privsec200-recognising-privacy-and-security-professionals-from-across-europe/> (last visited on 6-9-2019).

[9] Privacy Policy (US Only), Uber Freight, available at <https://www.uberfreight.com/privacy-policy?_ga=2.36189993.863484050.1567883547-1525969875.1567883547> (last visited on 11-9-2019).

[10]  6 Security Risks of Enterprises Using Cloud Storage and File Sharing Apps, Digital Gaurdian, available at <https://digitalguardian.com/blog/6-security-risks-enterprises-using-cloud-storage-and-file-sharing-apps> (last visited on 4-9-2019).

[11] The Principles, ico., available at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/> (last visited on 7-9-2019).

[12] The Risks of Data Sharing, HiRUM, available at <https://www.hirum.com.au/blog/the-risks-of-data-sharing/> (last visited on 10-9-2019).

[13] Transgender Capital One hacker threatened to ‘shoot up’ California social media company, wanted to be famous, say feds, Meaww, available at https://meaww.com/transgender-capital-one-hacker-breach-threatened-to-shoot-up-california-social-media-company-famous

[14] Data Security Challenges, Oracle9i Security Overview, available at<https://docs.oracle.com/cd/B10501_01/network.920/a96582/overview.htm> (last visited on 28-8-2019).

[15] Id., at 13.

[16] Surabhi Agarwal and Gulveen Aulakh in TRAI Recommendations on Data Privacy Raises Eyebrows, The Economic Times (18-7-2018), available at <https://economictimes.indiatimes.com/industry/telecom/telecom-policy/trai-recommendations-on-data-privacy-raises-eyebrows/articleshow/65033263.cms?from=mdr> (last visited on 6-9-2019).

[17] Ministry of Electronics & Information Technology, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, available at <https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf> (last visited on 24-8-2019).

[18] Mobile Apps and Data Privacy: What Developers Need to Know, Silicon Republic, available at <https://www.siliconrepublic.com/enterprise/apps-development-data-privacy-protection> (last visited on 12-9-2019).

[19] Data for Public Benefit: Balancing the Risks and Benefits of Data Sharing, Understanding Patient Data, available at <https://understandingpatientdata.org.uk/news/data-public-benefit> (last visited on 1-9-2019).

[20] Id., at 18.

[21] The Principles, ico., available at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/> (last visited on 11-9-2019).