Insights

Introduction
Have you noticed that anytime you want to open a new social media account, let it be Instagram, Snapchat, or Facebook, they ask you for a few personal details that include access to your location, Google account, and sometimes even phone number! More often than not, we give applications access to a lot of our personal information without paying much attention to the terms and conditions. The application thus collects all this information and uses it to tailor your experience on the app to your preferences, age group, and many other such parameters. This is called Social Media Data Mining.

This new age technology uses machine learning, Artificial Intelligence, and Statistical analysis to run an interference on your application usage habits and design the experience according to your usage habits. This has revolutionized how companies identify hidden patterns of customer usage to gain a competitive edge in a highly saturated market.

Concerns to be addressed:

1. Data privacy: one of the major concerns that many users of social media platforms hold is the privacy of the information shared with the application and the privacy of the communication that takes place on the platform. It is for this purpose that the DPDP Act (Digital Personal Data Protection Act, 2023) was enforced to ensure that all the concerns over privacy and security are addressed. This being said, the Act still needs a lot of amendments as the Act is not clear on a lot of aspects, such as it doesn’t address biases or harms resulting from AI trained on mined social media data.
2.   Security: think of this instance, where you are talking with a friend on a call and have a conversation on buying a new bag for school, and when you open a social media application, advertisements of bags just keep popping up, that is because the application would have picked up your conversation and tailored the advertisements to your needs. This being said would raise a lot of security concerns for the users of these Apps. This is where the DPDP Act and/or the GDPR ensure that all information collected is accounted for and does not result in any infringement.

DPDP ACT
The Digital Personal Data Protection (DPDP) Act, 2023, is India’s first comprehensive legislation on Data Security and privacy in the increasingly digitalized world, aiming to protect personal data. The act is on the same lines as the EU’s GDPR, while addressing challenges that are unique to Indian users. 

Key features include:

1. Consent mechanism: where a social media platform is only allowed to collect information from its users after receiving informed consent, free from false information and bias
2. Penalties: The Act has enhanced the penalty for non-compliance with the provisions of the Act, so that the platforms take security and data protection seriously, which is similar to the case of Google being fined 50 million pounds for non-compliance with the GDPR guidelines.

Problems of the Act:

1. Ambiguity: the act does not clearly define various terms such as “legitimate users” and “public interest,” which leaves a lot of room for interpretation that can be used to skirt liability.
2. Cross-border complexity: due to data localisation rules, cross-border transactions may become a problem and could lead to potential fragmentation of global digital trade. 

Challenges faced in maintaining Data privacy:

1. Data Breaches: Acknowledging that most of the users of various social media platforms are teenagers or young adults within the age groups of 16 to 35years, many users dont realise that they share too much information with these platforms, such as geotagging photos for a post on Instagram, sharing birthday dates with the platform when it can be completely avoided. This information can be easily picked up by any third-party application when the user gives away crucial information like this.
2. Privacy policies: all applications have a disclaimer that needs to be read and accepted by the user before gaining access to the platform; however, not many users read these terms and conditions, as very long and complicated, and as a result of this there is misinformed consent.

Way forward:
Many social media platforms lack transparency regarding their collection of personal data, often exploiting the paradoxical tension between the demand for openness and accountability on one hand, and the need to safeguard individual privacy on the other.

1. Ethical Advertising: With data-driven marketing, it’s crucial that data collected is used responsibly and not at the cost of the privacy of an individual. ASCI’s influencer and digital advertising guidelines stress transparency, especially when targeting users based on behavioural patterns. 
2. Data Localisation: India’s increasing emphasis on ‘data sovereignty’ should be respected by the platforms, and they need to stick to the data localisation norms. Personal data collected from Indian users must be stored and processed within India, or in countries approved by the Central Government under the DPDP Act.
3. Avoid oversharing: users of these platforms also have to be cautious while sharing information with these sites, as they can be used by any third party. Sharing personal phone numbers, access to gallery, and providing location information can all be avoided to protect from exploitation and manipulation of user information.
4. Accountability, Grievance Redressal, and User Empowerment: The future of social media data mining must be built on strong governance and user empowerment. Companies engaged in data mining must appoint Data Protection Officers (DPOs) and set up accessible grievance mechanisms. They should also provide users with dashboards that allow them to view, access, correct, or delete their mined data. Features like “Why am I seeing this ad?” can increase transparency and reinforce trust. In the longer term, ASCI and the Data Protection Board could collaborate to develop a joint code of conduct for data-driven advertising, ensuring both legal and ethical standards are upheld.