Data Privacy and Data Protection: Regulation is Neither Far-fetched nor Impossible

Author Name: Maheen Shafeeq      31 Aug 2021     Cyber

The terms ‘data privacy’ and ‘data protection’ are used interchangeably, although data privacy is about who has authorised access to your data, while data protection relates to the methods and policies for restricting access to data. Ensuring data protection does not guarantee data privacy and vice versa. However, what needs attention is that data privacy is a ‘right’ of the users, and it is a ‘responsibility’ of companies and businesses to guarantee both data privacy and data protection. Unfortunately, neither is being ensured.

There is either a lack of clarity or there are loopholes in the privacy and data protection policies of companies. Oftentimes, the data protection and data privacy policies are so exaggerated that a common person simply agrees to them without going into the detail of the entire document. Some have calculated that reading through the privacy policies that one encounters would take 76 working days! Another reason users generally agree to these policies with eyes closed and an instant click of the mouse is a lack of awareness regarding how their private data will be manipulated and sold by various companies for profit. According to a study by Pew Research Center, only 9% of people actually read privacy policies. Moreover, virtually everyone is now using social media, search engines, apps, etc., so they have become unavoidable.

For example, even if you do not wish to use WhatsApp, it could be your employer’s requirement to join some work group on the app. And of course, since a majority share their pictures, you believe that there is no harm in doing so because everyone is doing it.

What we are not aware of is that we are contributing to Big Data, which is gathered to create Artificial Intelligence while compromising our privacy. As the old saying goes, ‘if you are not paying for it, you are the product’, and such is the case with the companies and businesses using our data. Your personal data, such as name, email address, phone number, location and IP address, are being sold, and various tech companies are earning millions off something that is personal to you and yet over which you have no control.

The data that we are providing, at the expense of our privacy, does not sit there for a while, to be deleted after some time. Rather, it is collected, stored, and shared with third parties that include the government for political purposes, and security agencies for intelligence purposes. The Cambridge Analytica scandal exposed that the firm used data improperly obtained from Facebook to build voter profiles. Edward Snowden, a whistle-blower and former technical assistant for the CIA, revealed that Facebook, Amazon and Google sell their data and are more like surveillance companies. This data is further used to conduct Psychological Operations (PsyOps) and Information Operations (IO) on a public that is completely unaware of where, how, and by whom their data is being abused. This has made spying and surveillance a lot easier than it was when there was no Internet or online profiles. This also helps intelligence and government agencies identify one’s circle and engage them to conduct PsyOps and IO, such as the Indian Chronicles exposed by EU DisinfoLab, in which an Indian business group was targeting and engaging people through the use of their identified circle of European policymakers.

People may think that they do not have anything to hide so they should not be worried, or that they do not share a lot of data so the matter of data privacy and data protection does not concern them. In reality, they should be concerned, since most social media, search engines, mobile applications and internet service providers also collect their data through their browsing history, social media usage, the people they follow and so on. This data is used to make behavioural profiles by assessing and monitoring the pattern of their activities. They track which application one uses, for how long, which links are clicked, which sites one visits and how often. In fact, these are aspects that even one’s own cell phone or laptop indicates by showing how much one’s usage increased and when various sites were visited.

With all this tracking of personal data, a shadow profile emerges that predicts behaviour and every move one makes online. For example, if you click on a shoe advertisement, social media will start showing you similar ads. And if you use shared Wi-Fi, these ads will also start showing up on the phones of people who use the same Wi-Fi.

So, it is not just one’s own privacy and interests that are being put on display; the privacy of those around us is also being endangered. This helps giant tech companies as well as cybercriminals to target us and our loved ones easily. More alarmingly, this is also the technique used by terrorist organizations to recruit like-minded people. Additionally, it is through this tracking and profiling technique that fake news, disinformation and hate speech are spread.

Such data breaches should ring alarm bells and signal that it is high time to take back control of one’s data and stop the chain of data abuse. One might think that such control over massive data, which scientists are not completely aware of how to handle, cannot be established. At least, this is what we are made to believe. However, that is not the case. There are implementable data protection and privacy laws that can be enforced on these internet and social media giants for compliance. For instance, the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) are examples of limited and comprehensive data regulation policies, respectively. Both the CCPA and GDPR require businesses and organizations to disclose in their privacy policy the methods and categories of personal data that would be collected, stored and shared. They are also required to disclose in their privacy policy the consumer’s right to correct, inspect and delete their personal data. And in case of violation of GDPR, for instance, the violators are fined 4% of their annual global turnover. According to the DLA Piper GDPR Data Breach Survey, between 2020 and 2021, data protection authorities recorded 121,165 data breach notifications, which is a 19% increase from 2019. This led to an increase in GDPR fines by nearly 40%, and the top companies that were fined included Google, H&M, British Airways, and Marriott, to name a few.

Therefore, regulation of any company that collects personal data is not a far-fetched idea; rather, it requires initiative by governments to make the general public aware of their privacy rights on the internet and social media. It is the responsibility of a government to develop, implement and police data privacy and data protection regulations. These policies could include consent of the user, the right to removal of data, the right to agree or disagree to share data, and third-party management, all set out in user-friendly and precise privacy policies. These companies need to learn how to process data while ensuring the protection of privacy, as well as offer more transparency and control to the users over their data in order to gain their trust. If this matter of privacy is neglected, data breaches would continue to mount and the Internet could ultimately become an unsafe place.


Maheen Shafeeq is a researcher at the Centre for Aerospace & Security Studies (CASS). She holds a Master’s in International Relations from the University of Sheffield, UK. This article was first published in The Asian Telegraph. She can be reached at


Image Source: Shafeeq, M. Data privacy and data protection: Regulation is neither far-fetched nor impossible. The Asian Telegraph. August 30, 2021.