Midweek Review

Online consumer personal data protection laws

by Dulara Vithana, Bhanushi Perera and Kaushalya Kariyawasam

The term ‘online’ pertains to the Internet. The ‘consumer’ is a person who buys things or enlists services. Therefore, the ‘online consumer’ can be defined as a person who engages in activities and achieves his goals through the use of the Internet and social media networks. With increasing globalization, humans are becoming busier and more dependent on the Internet. As a result, the number of people who use computers and the Internet has increased exponentially, especially after the outbreak of COVID-19, which upended the world and caused almost all countries to be locked down partially or completely. Educational activities for students from primary to university level, various work-related day-to-day activities, bank transactions, etc., have come to be conducted online, causing an unprecedented increase in the number of online consumers.

Under such circumstances people have turned to internet technology to buy goods and services. With the increasing number of online consumers, potential threats to personal data have become a matter of grave concern. This article attempts to analyze what cyber laws, rules and regulations can be made use of to safeguard personal data of online consumers and which laws and related rules and regulations have been enacted and have to be enforced for the public sector as well.

The COVID-19 pandemic has changed the behaviour of online consumers. Overall retail prices dropped during lockdowns which lasted for weeks if not months in 2020. However, with shoppers confined to their homes, an increase in internet shopping was recorded, and this has affected consumer habits to a considerable extent. According to Rakuten Intelligence, US e-commerce spending rose more than 30 percent between early March and mid-April year-over-year. Overall retail sales during May were up by 17.7 percent compared to April.

Getting used to the ‘new standard’

The ‘comfort factor’ has been a significant aspect of the COVID-19 epidemic, as customers have had to respond to many novel trends. Yet, they adapted well, both physically and mentally. Although the fashion market took a pounding, online sales have skyrocketed. In April, sales shifted significantly in favour of comfortable clothing. E-commerce sales for pajamas increased more than 143 percent. Nearly a third expect to make more online purchases than they did before the pandemic. According to non-doctrinal research, even nonagenarians do their grocery shopping online, despite their age. According to Carufel R, ‘The New COVID Consumer Emerges: Two-Thirds Are Returning To Non-Essential In-Store Shopping’ (Agility PR Solutions, 2020), almost half of the respondents (49 percent) reported they don’t expect their shopping habits to change in the long term.

Shifting purchasing behaviour

The top five categories, under which consumers reported purchasing most online, prior to the outbreak, were apparel, electronics, home goods, accessories, and food and beverages. According to the National Retail Federation (NRF), headquartered in Washington, D.C, US, every category of retail has seen month-over-month gains and consumers are heading back to stores. Consumers have largely shifted their attention and spending to digital channels, marking a major opportunity for brands and retailers to attract shoppers, open to exploring new and different options. Now is the time to invest in tools that help one understand their customers, so they are better positioned to secure loyalty.

Opening up to exploration

With these changes, the personal data of an increasing number of online consumers is or will be under threat. Personal data, as identified in the US, is any information relating to an identifiable person. In the European Union (EU), the term ‘personal data’ is significantly broader, and determines the scope of the regulatory regime. A user’s IP address is not classed as Personally Identifiable Information (PII) on its own, but is classified as a linked PII in the EU. Personal data is defined under the EU’s General Data Protection Regulation (GDPR) as “any information which is, related to an identified or identifiable natural person.” The abbreviation PII is widely accepted in the US, but the phrase has four common variants based on personal/personally, and identifiable/identifying.

The concept of PII has become prevalent as information technology and the Internet have made it easier to collect PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. Information that might not count as PII under the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) can be personal data for the purposes of the GDPR. For this reason, ‘PII’ is typically deprecated internationally. The European Parliament has enacted a series of legislation such as the GDPR.

However, personal data of consumers should be protected throughout the process by cyber laws, rules and regulations which are implemented and to be implemented in future, for protection of public data as well. This article focuses on how to protect personal data of online consumers and what laws, rules and regulations should be enacted to protect it as public data and which legislations, related to cyber laws and data protection laws in Sri Lanka, should be changed.

On the one hand, online technology has its pros such as efficient time management, mobile-friendliness and scrapping of travel time. However, cons thereof are also high. As those who use the internet and technology are aware, they have to provide their personal data such as name, date of birth, identity card number, age, phone number, email address, passwords, credit card numbers and pin numbers to gain access to some websites, and they face various risks and threats in the process. But there is no particular solution since the provision of such information is essential to perform the required functions. Hence the need for relevant laws, rules and regulations to protect online consumers’ privacy and rights.

Most prominent among the threats to online consumers’ personal data is phishing, through which personal data is captured and duplicated. The risk here is that personal information can be extracted and then misused. Unsecured web browsing is another threat to online consumers, as there are insecure websites that automatically release personal data of online consumers to social media and other private/public entities. Malware is another threat to online consumers’ data.

According to Team T, ‘Experts on The GDPR #3: What Is Personal Data Under The GDPR?’ (Tresorit Blog, 2017), when focusing on data, it can be categorized as follows:

Personal data

Personal data covers any information that can be used to identify an individual. Individuals can be identified by various means as mentioned above. This type of data concerns the subject’s race, ethnicity, politics, religion, trade union status, health, sex life or criminal records. As mentioned above, this kind of personal data should be protected by means of legislations and this in turn can provide protection to online consumers. It should be protected legally so that at any time this data is stolen or misused, the law will be enforced against the offenders concerned.

Internet use in Sri Lanka within the public and private sectors has grown rapidly. E-Government project was recently launched to provide accurate and accelerated services to the public. Many government agencies have been brought online. But, as in many countries, existing legislations do not provide ample protection to the users of these services.

For example, consider the local Computer Crimes Act No. 24 of 2007, section 3 on the ‘unauthorized access’ to a computer and section 4 on the ‘unauthorized access in order to commit an offence’. Here the word ‘access’ is ill-defined: it does not describe a specific area and is too broad.

Also, section 3 on ‘Computer Crimes’ does not identify ‘Computer Crimes’, and makes no mention of online consumers and their personal data protection. Moreover, in the situations mentioned under section 3, the punishments in respect of the incidents referred to are not sufficient. It emphasizes that ‘any individual who deliberately does any act, in order to secure for himself or for any other person, access to

(a) any computer; or

(b) any information held in any computer,

knowing or having reason to believe that he has no lawful authority to secure such access, shall be guilty of an offence and shall on conviction be liable to a fine not exceeding one hundred thousand rupees, or to imprisonment of either description for a term which may extend to five years, or both such fine and imprisonment.’

In some cases involving public and state security, as distinct from certain personal cases, this fine is not sufficient. For example, in a matter related to state security, the loss and damage to the state are much larger than the fine. So, this law must be amended.

Moreover, the following crimes are not recognized under the Computer Crimes Act No. 24 of 2007.

– Computer-Related Fraud

– Spam

– Promotion of Racism and Hate Speech

– Computer-Related Forgery

– Publication of libellous and false information

– Illegal Gambling

– Identity Theft

It is thus clear that Sri Lankan law, related to computer crimes, is inadequate.

In addition, when entering their personal data, online consumers have to do so in a secure and accurate manner and by paying special attention to privacy to prevent the misuse thereof.

We are of the view that there is a pressing need to amend the following Acts and introduce new laws for the benefit of Sri Lanka online consumers.

* The Computer Crimes Act No. 24 of 2007 in Sri Lanka needs amendment.

* In the UK, the Data Protection Act was introduced in 1998 to protect personal data. In Sri Lanka there’s only a Data Protection Bill. However, a bill is not a law. To enforce a law, it should be converted into legislation. Therefore, in our view, there should be a Data Protection Act in Sri Lanka to enforce the law against people who steal personal data of online consumers.

* Although there’s a Cyber Security Bill (or Act?) in Sri Lanka, there are some errors therein. For example, the word ‘crime’ is ill-defined and ‘cyber crimes’ are not identified.

* There’s no particular process to detect cyber crimes in Sri Lanka. There should be an agency to catch the thieves of online consumers’ data.

* Section 4 of the Evidence (Special Provisions) Act No. 14 of 1995 recognises electronic recordings as evidence. But in the interpretation of the Act, it does not mention online consumers or their data protection. Therefore, the interpretation of the Evidence Ordinance should be amended with regard to the online consumers’ data protection.

* The interpretation of Copyrights in Intellectual Property Act No. 36 of 2003, section 5, does not identify online consumers’ data protection. It also needs to be amended.

* Online consumers’ data protection is not included in the Consumer Affairs Authority Act No. 09 of 2003, as objectives of the authority. This is also a serious lapse that needs rectification.

Thus, it can be seen that the existing Sri Lankan law should be tightened and new ones introduced to ensure the safety of online consumers’ data, and that punishment for the theft of personal data should be enhanced.
