Exploration of the Policies regarding Personal Data

As we live in the Digital Era, there is so much innovation happening around us all the time. Have you ever tried to file your taxes online? Have you ever used dating apps? Have you ever used a smartphone? I’m sure you would have answered yes to at least one of these questions. I would say that means you have used technology to ease the way of going about the daily life tasks we come across. To use such services, we need to share some personal information either in person or online to various entities to access the service. Sharing data allows us to enjoy the benefits of such services but it also puts us at risk of being exploited by it. Here we can take a look at how personal data is used, identify the challenges, current policies about it and possible solutions.

Personal Data and its Collection 

Personal data is the data an individual shares online containing information he/she voluntarily provides to the companies. As a user you have the unsaid notion just like a social license that the company will protect your data to an extent. Users share information to platforms that they consider to be necessary and effective.

We see that consumers are not aware of their data being collected without their consent and the recent data breaches we hear about in the news, such as the professional networking giant LinkedIn saw data associated with 700 million of its users posted on a dark web forum in June 2021, impacting more than 90% of its user base. 

It can be interpreted that the context of right to privacy according to the consumers varies depending on the context of the use of the data is collected, what is it used for, and how it impacts them. To understand better with regards Nissenbaum’s revised ‘Principle of Respect for Context’ -‘Respect for Context means consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the [social] context in which consumers provide the data.’ 

How are Consumers Responding to Access to their Personal Data? 

  • A survey conducted by McKinsey&Co showed that 10% of internet users globally (and 30% of US users) use ad-blocking software to prevent companies from tracking their online activity. 
  • The survey also revealed that a vast majority, 87%, of respondents would hesitate to do business with a company if they had concerns about its security practices. 
  • Additionally, 71% of respondents stated that they would stop doing business with a company if it shared sensitive data without their permission. 
  • Consumers have found ad-blockers and other tools that allow them more control over their online information. However, the numerous questions that the application asks the consumer leaves the consumer with doubts. They view interactions that require more information as misguided or confusing, as they question the reason behind it.
  • These findings indicate lack of trust from consumers towards companies. The consumers want to feel safe and secure and they have left that responsibility on the ‘law’. They trust  the government and regulatory bodies and want to see them get involved in helping them  protect their data.

Why Does Sensitive Data Matter ? 

Sensitive data consists of data that includes confidential information such as address of the user, passwords, credit card details and more. Such information is critical to an individual’s privacy. Especially in the case of the recent data breach of Medicare, many of the international students personal details such as the intimate medical records were stolen from the database by hackers. As an international student myself, the news has impacted me as it made me feel vulnerable and fragile. It made me wonder if my details were out there. What if an anonymous person could use it to target me in the future?

Why Do We Need Data Protection?

To delve further , let’s first understand the term “data protection”. It refers to a set of measures, precautions, and mandatory regulations that aim to safeguard your personal information and grant you control over it. To put it simply, you should have the ability to decide whether or not to disclose certain information, determine who can access it, for what purpose and duration, and have the ability to alter some of this information as well as other aspects.

We need to make use of a variety of governing means, such as administration, law, technology, media, economy, and culture, to improve the data protection system and enhance coordination throughout the review process. The big corporations have most of the hold in respect to the protection but it can be implemented in an effective manner by the policies and laws that support it. Therefore, I believe it is essential that the governing bodies and policy makers take into consideration the responsibilities of making policies and laws that compel the companies to follow a strict guideline. Especially, the guidelines that make the consumer’s data safe and sound. 

Many countries are taking efforts to protect the data of their citizens. In recent times, the Canadian government has introduced  The Personal Information Protection and Electronic Documents Act (PIPEDA) . It is an initiative to  get an individual’s approval before gathering, utilizing or revealing their personal information. Individuals have the privilege to acquire their personal information held by an organization and to challenge its correctness. 

The utilization of personal information is limited to the reasons for which it was initially collected, and if an organization intends to use it for another reason, they must obtain consent again.


Now, when I see such initiatives, I feel the world is getting more aware. The fact that at least the issue of data protection is addressed. The government is taking action keeping the consumers safety in mind. Earlier the consumers didn’t have a platform to raise their concerns. Although their voices are heard, these policies are still at the nascent stage. For example, it can be observed that the act applies to private sector organizations across Canada to use personal information. But, it does not cover personal information handled by government organizations or by businesses and journalistic purposes. 

We can see that it is not as stringent as the GDPR which we have spoken about in the later section and PIPEDA  has a long way to go as far as implementation is concerned. 

“Data is not only about memory, but also about power.”

 Mantelero (2013)

What Challenges Do We Face While Protecting Personal Data?  

There are many challenges that are present, I decided to succint the impactful challenges that affect the consumers,government and companies within the social and economic sphere  –

Economy model of companies 

The majority of companies use customer data to provide targeted ads such as 

The laws that shape the framework of protection of data needs to acknowledge the consumers right to privacy as well as the companies 

The economy of the corporate companies sustain on profit derived from the adverts/campaigns they run on their platforms however some platforms such as facebook allows the user to create a profile for free allowing the user to use it for free.

Concern of Safety

The concern of safety and risk of data being leaked is always present due to unforeseen circumstances such as hacking or stealing of data for example such as phishing and malware.

Undefined laws on protection of data.

Some acts and laws supporting data protection are laid by regulating bodies , but are hardly operable and fairly implemented. The provisions under the laws are usually abstract.For example China’s PIPL (Personal Information Protection Law) , it doesn’t clearly define the relevant departments within the Government that has access to the personal information.

Inconsistent public and private laws supporting data protection

There are many inadequacies in the public and private laws that support data protection.

With the evolution of big data, the processing of information is quicker and the information is stored, collected, transmitted and used in different methods. This means that the user is unaware of the actual extent to which this data can be used in certain situations.

Difficulty of processing and operating of collected data

There is a huge debris of personal information collected already and the processing of consent for every personal data retrieved by the companies would add to the longer time periods of functions of the service provided to the user. It will cause the user to have fatigue and lose interest in completing the task itself.Companies would be less motivated in innovating technologies if they are restricted by laws and it also adds an extra burden on the operational cost of storing and protecting the consumers data.

Hidden visibility of the processes on personal data 

The processing of such data is handled more virtually and lacks transparency 

The lack of faith and trust in the system will lead to having a direct impact on the consumers well-being. 

Lack of supervision mechanism 

The overall supervision of data by the Government is absent and the regulating entities are still updating themselves and need to stay ahead of the innovation companies 

The responsibility of supervision on the personal data of the companies would be inadequate as it needs more resources. 

Our personal data and information should be protected. It is considered as valuable assets in the digital environment. It deals with key issues as such as 

  • Preserving the information with confidentiality 
  • Guarding of the information from external disturbance from third parties
  • Preserve the authenticity of the information and avoid manipulation
  • Reliable access and timely use of the information

Case study of Amazon vs EU

Amazon is the largest online retail store. They offer a wide range of services all around the world. Their ability to stay ahead of the curve with innovative technologies and trendsetting strategies is proof of their power in the market. Additionally, Amazon utilizes customer data to tailor their services even further to the consumer.

However, recently, they were under the scanner by the Luxembourg National Commission for Data Protection. There was a case filled on 16th July ,2021. It was filed by Luxembourg data protection regulators CNPD- Commission Nationale pour la Protection des Données , accusing the company of using personal information of the customers without their consent so that they can target advertisements to said customers.

This was a breach of the Data laws of the EU. 

Data collection is being regulated by governments as it is a security concern of the consumers. We can take a look at understanding the European Union’s –  General Data Protection Regulation (GDPR)

It is one of the most stringent laws in this regard. It was approved by the EU Parliament 14 April 2016, took effect 25 May 2018. The GDPR gives consumers the power to control their data by requiring companies to obtain their consent before collecting it. Companies are also required to make their data collection practices easily understandable and to allow users to access, transfer, or delete their personal data. The EU has warned that companies not complying with GDPR regulations when dealing with EU citizen data will face penalties of up to 20 million euros or 4% of their annual revenue. It is crucial for organizations to adhere to these guidelines to avoid serious financial consequences.


From the case study I can deduce that a complaint had been registered against Amazon and the following legal procedures took place. The hefty punishment was being imposed as regulatory authorities had been increasing their overview on huge tech corporations, in response to worries about data privacy and fake news, as well as grievances from certain organizations claiming that the tech behemoths have misused their dominating position in the market.

The gravity of the case can be seen in the fine imposed. It is the largest fine imposed on a corporation ever since 2018 (when the law came into effect). The fine is set at a staggering   amount of 887 million. The national authorities had notified the company and they had appealed before the committee defending their position of the decision being without merit.

Key takeaway 

  • The EU law is stringent within the protection of the sensitive data of its citizens. 
  • A small country within the EU itself, Luxembourg , showed grit and resilience in the enacting of the law, undeterred by the tech giant.
  • The power imbalance is evident, the autonomy of the collection and storage of data is seen mostly by the corporations and conglomerates. 
  • The laws are beneficial to uphold the right of privacy in regards to personal data being misused without consent. Thus bringing in more faith towards the governing bodies and confidence in the judicial system.
  • There are many other companies that have also come under the scanner, implying we still need to look out and raise our voices as individuals

The way forward ……

Technological innovation has brought us by leaps and bounds. In society, each individual must remain mindful of data privacy rights, it is a universal right. Therefore, we must investigate possible ways to solve these concerns with data protection-

  • The consumers, governing bodies and the companies must be unified and work on a consistent framework for the protection of data. 
  • The awareness and education of the risks of data breach and the need to protect it must be spread to its users so that they are informed.
  • The policy makers must stay ahead of the companies and push for regulations frequently.
  • However, we do understand that some companies rely on making profit by target marketing and advertising and if the policies are very stringent then they may impact the consumers. So, the policies should be introduced keeping in mind the economy of the companies like Amazon.
  • Along with data, we will encounter such concerns as mentioned above and that’s why we need to enforce the laws laid by the Government to protect the sensitive data of the people and their rights.


BBC News. (2021, July 30). Amazon hit with $886m fine for alleged data law breach. BBC Newshttps://www.bbc.com/news/business-58024116

Clayton, B. J. (2020, June 15). Amazon v EU: Has the online giant met its match? BBC Newshttps://www.bbc.com/news/technology-53050716

DATA PRIVACY STANDARDS IN THE UNITED STATES: A CASE STUDY OF FACEBOOK Presented by Michael Pearce Blend. (2020). www.repositories.lib.utexas.edu. https://repositories.lib.utexas.edu/bitstream/handle/2152/81240/Final%20Capstone%20Thesis.pdf?sequence=2&isAllowed=y

Data protection. (2021, June 4). European Commission. https://commission.europa.eu/law/law-topic/data-protection_en

Deighton, O. (2021). Remote Learning Best Practices: The Importance Of Protecting Data Privacy. ELearning Industryhttps://elearningindustry.com/remote-learning-best-practices-importance-of-protecting-data-privacy

Goswami, S. (2020, December 14). The Rising Concern Around Consumer Data And Privacy. Forbeshttps://www.forbes.com/sites/forbestechcouncil/2020/12/14/the-rising-concern-around-consumer-data-and-privacy/?sh=48b207f9487e

Gstrein, O. J., & Beaulieu, A. (2022). How to protect privacy in a datafied society? A presentation of multiple legal and conceptual approaches. Philosophy & Technology35(1). https://doi.org/10.1007/s13347-022-00497-4

Kurmelovs, R. (2022, November 10). Medibank hack: what do we know about the data breach, and who is at risk? The Guardianhttps://www.theguardian.com/technology/2022/oct/21/medibank-hack-explained-what-do-we-know-about-the-data-breach-and-who-is-at-risk

Lawless: The secret rules that govern our digital lives. (2019). www.eprints.qut.edu.au. https://eprints.qut.edu.au/123199/

Nissenbaum, H. (2018). Respecting Context to Protect Privacy: Why Meaning Matters. Science and Engineering Ethics24(3), 831–852. https://doi.org/10.1007/s11948-015-9674-9

Privacy in the next generation Internet Data protection in the context of European Union policy. (2002). www.diva-portal.se. http://www.diva-portal.se/smash/get/diva2:9234/FULLTEXT01.pdf

Rahnama, H. (2022, February 25). The New Rules of Data Privacy. Harvard Business Review. https://hbr.org/2022/02/the-new-rules-of-data-privacy

Sannon, S., Bazarova, N. N., & Cosley, D. (2018). Privacy Lies. Human Factors in Computing Systemshttps://doi.org/10.1145/3173574.3173626

Swinhoe, M. H. a. D. (2022, November 8). The 15 biggest data breaches of the 21st century. CSO Online. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

The consumer-data opportunity and the privacy imperative. (2020, April 27). McKinsey & Company. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/the-consumer-data-opportunity-and-the-privacy-imperative#/

The data privacy paradox and digital demand. (2021, June 28). CEPR. https://cepr.org/voxeu/columns/data-privacy-paradox-and-digital-demand

Be the first to comment

Leave a Reply