The long-debated Digital Markets Act legislated by the European Union (EU) came into effect on March 6, mainly targeted at six Big Tech firms designated as “gatekeepers”, namely Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft.

The EU has put in place severe penalties if firms deviate from the code of conduct mentioned in the Act. The last time such measures were enacted by the EU was the General Data Protection Regulation (GDPR) in 2016.

In India, the Digital Personal Data Protection (DPDP) Act 2023 has been inspired by the GDPR. It has been observed that legislation which is not audited and enforced does not deter deviations.

Since its inception, the collective fines for violations of EU-GDPR have grossed €4 billion; the largest being the €1.2 billion slapped on Meta by the Irish Data Protection Commission in 2023. Norway slapped a daily fine of $93,000 on Meta for unlawful behavioural advertising.

However, the enforcement mechanism is still weak in many countries, including India. Pending enactment, the DPDP Act envisages setting up the Data Protection Board (DPB) of India to address grievances regarding personal data breaches. It remains to be seen whether DPB will be able to act efficiently, given the large volume of data being processed by the Data Fiduciaries.

Violations of the DPDP Act by Data Fiduciaries, such as selling personal data to third parties or processing it without explicit or deemed consent of Data Principals, are often very difficult to detect.

Hence the regulations dictate that the Data Fiduciaries put in place measures and processes to detect, report and initiate corrective actions in case of deviations.

However, unless the probability of detecting such violations through external audits authorised by the DPB is high and the penalties very severe, there is little incentive for the Data Fiduciaries to comply.

We propose an alternative — “whistleblowing” — for detecting deviations of Data Fiduciaries with respect to breach of personal data. Whistleblowers, mainly employees of the Data Fiduciaries, who have knowledge of violations could come forward and expose such incidents.

However, they may get fired and/or blacklisted by their employers. Hence, we propose to financially incentivise whistleblowers.

Act’s drawbacks

India’s Whistle Blowers Protection Act, 2014 is meant to protect individuals who blow the whistle against power abuse by public servants.

The biggest drawback of this Act is that it does not protect or incentivise those who work in the private sector and want to blow the whistle on their employers to the government.

Some contend that whistleblowing should be considered an “altruistic” activity for the larger social good and that, to prevent false positives, no steps should be taken to provide personal gain or a financial incentive to whistleblowers.

On the contrary, financial incentives have long been provided to whistleblowers under the False Claims Act (FCA) (originally enacted in 1863) in the US. The Department of Justice — the watchdog regulatory body in the US — has ensured speedier settlements with some payouts to the whistleblowers.

There is a concern that introducing financial incentives for whistleblowers will lead to more frivolous lawsuits being filed. Furthermore, retaliation against whistleblowers is found to be common in the US, with nearly 37 per cent being fired, 16 per cent harassed, 10 per cent threatened, etc.

Researchers have estimated that while the average employment gap between the job at the previous firm and the next job is 1.1 years, the average payout to the whistleblower is about $140,000, which is roughly the income for three years.

Hence, the whistleblower is able to sustain herself until she finds another job.

In more than 30 per cent of the cases, the whistleblower’s next job is better than the job at the accused firm.

Empowering whistleblowers

Hence, we propose that whistleblowers can become the backbone of detecting cases of personal data breaches in India, thereby reducing the complexities of auditing and enforcement.

We recommend that the whistleblowers may report to the DPB any such incidents and that the DPB may take it forward with further auditing if required.

Any legal costs are borne by the DPB once it is satisfied that the case bears merit, and this may be extended even to overseas whistleblowers. The penalty is divided between the DPB and the whistleblower(s).

Using the EU GDPR as a guideline, our extensive simulations indicate that out of the penalty of 4 per cent of the annual gross revenue, if 1 per cent is awarded to the whistleblower, it can effectively stop voluntary breaches by Data Fiduciaries.

This assumes importance especially in India, which is witnessing exponential growth of the digital economy but lacks the regulatory capacity to protect the digital nagriks (citizens) of the country.

The writers are with IIIT-Bangalore