Friday, Sep 25, 2020 | Last Update : 10:27 AM IST

185th Day Of Lockdown

Maharashtra128396397321434345 Andhra Pradesh6543855794745558 Tamil Nadu5636915082109076 Karnataka5485574446588331 Uttar Pradesh3742773076115366 Delhi2606232243755123 West Bengal2378692080424606 Odisha196888161044805 Telangana1792461481391070 Bihar174266159700878 Assam165582135141608 Kerala15445898720614 Gujarat1289491093113382 Rajasthan1227201023301352 Haryana118554984101177 Madhya Pradesh115361814752007 Punjab105220814752860 Chhatisgarh9562358833680 Jharkhand7643862945626 Jammu and Kashmir68614480791024 Uttarakhand4440432154501 Goa3055224347360 Puducherry2489519311467 Tripura2378616955245 Himachal Pradesh133869232125 Chandigarh109688342123 Manipur9537736959 Arunachal Pradesh8416607113 Nagaland5730459810 Meghalaya4733252838 Sikkim2447190529 Mizoram158510120
  Technology   In Other news  03 Apr 2020  The need for a data protection law becomes evident from the recent Zoom fiasco

The need for a data protection law becomes evident from the recent Zoom fiasco

Published : Apr 3, 2020, 4:10 pm IST
Updated : Apr 3, 2020, 4:10 pm IST

None of the protections afforded by a privacy law are in place yet, which leaves our data open to exploitation by tech companies

India must create a law on data protection, like the European Union has done with the General Data Protection Regulation 2016. (Photo | Pixabay)
 India must create a law on data protection, like the European Union has done with the General Data Protection Regulation 2016. (Photo | Pixabay)

There has been a lot going on at Zoom. The video conference app has been a major beneficiary from the lockdowns imposed due to the coronavirus, as humanity participates in its largest-ever work from home experiment. As a result, Zoom’s shares have doubled in value in less than six months. All is not well though, the company has been fraught with privacy issues recently. For instance, the Electronic Frontier Foundation (EFF) pointed out that hosts of Zoom meetings can see if the participants are paying attention based on whether or not the Zoom window is active on their screens.

Zoom would likely make the argument that the ability to be able to check whether people are active on a team call is a feature, not an instrument meant to cause harm. Which is one way to look at things. But at the same time, that is not the only slip up in terms of privacy the company has been embroiled in this past month. VICE reported that Zoom’s iOS app sends user data to Facebook even if you do not have a Facebook account. Zoom notifies Facebook when the user opens the app, shares details about the user’s device, such as the model, time zone, city, phone carrier, and the unique advertiser identifier (a unique number created by user devices which are then used to target ads).


Zoom’s privacy policy is not explicit about this data collection and there is a blame game to be played here. Facebook can make the argument that it requires developers (like Zoom) using Facebook’s SDKs and Pixels to be transparent about the data they are collecting, using and sharing. Zoom can and has argued that Facebook was collecting unnecessary device data. We need to talk about all of this because apps like Zoom and Houseparty are not going anywhere.

Instead, this incident is an excellent teacher for how policy and protections work in the data protection space. Firstly, it highlights the need and urgency for India (and other countries) to have a data protection law. These are exactly the kind of offenses a data protection law is supposed to penalise. In an ideal world, had there been a data protection law in place here, Zoom likely would have had to adhere to a standard of explicit consent. This way, the user would have been aware of what data was being shared. Had Zoom not adhered to the guidelines of consent, it would have had to pay a penalty. The data being shared with Facebook would have come under ambits of personal data, personal sensitive data and non-personal data, requiring different levels of protection and liability.


The fact that none of the protections afforded by a privacy law are in place yet means the only protections users have are those given to them by companies whose objective is to maximise shareholder value. More often than not maximising shareholder value comes at a cost of trampling on user rights. Most companies will be more than happy to make this trade-off and would ideally want to do it when there isn’t a data protection law in place.

At this point, it is hard to state whether or not a data protection regulation is going to be a definitive solution to incidents like these. Broadly because there isn’t a lot of precedence to learn from yet. Arguably the most significant existing legislation in this space is the General Data Protection Regulation (GDPR) in the EU. The law was enforced in May 2018 and an assessment of how its implementation has fared is due by the Commission sometime this year.


There is every chance that the Personal Data Protection regulation that India ends up adopting is not going to fix everything when it comes to abuses of power that come with a vacuum in the data protection space. It is going to be hard to implement clauses and penalties on every website on the internet and to track data flow at scale.  However, as any policy analyst worth their salt will tell you, change happens at the margins.

In the larger picture, Zoom sharing data with Facebook without explicit notice is a sign that is reflective of a deeper problem of accountability within the data protection space. There are no laws, and when laws do exist, they are near impossible to impose and monitor. This should serve as a high-profile warning sign of practices that currently exist and are going to continue until regulation exists.


Tags: data protection, data privacy, zoom