[Aditi Jaiswal]
Aditi is a 3rd year student Dr. Ram Manohar Lohiya National Law University, Lucknow
What is Corporate Social Responsibility?
United Nations Industrial Development Organisation (UNIDO) defines Corporate Social Responsibility (hereinafter “CSR”) as, “A management concept whereby companies integrate social and environmental concerns in their business operations and interactions with their stakeholders.” It is a concept where Companies strive to strike a balance between the financial, social and environmental imperatives, while addressing the expectations of the stakeholdersThe nature of CSR is such that it is not static in nature, rather is ever evolving.[2]
With a view to keep the local players at par with the global standards, India became the first country to mandate and quantify CSR expenditure under the Companies Act, 2013.[3] Schedule VII of the Companies Act, 2013 lays down the list of CSR activities and suggests that communities should be kept at the focal point, but the draft rules suggest that the CSR needs to go beyond the concept of philanthropy.[4]
Data – a Significant Corporate Asset
The present day world can, without a shred of doubt, be called the digital age. The devices like mobile phones, wearable devices and personal computers, with their apps, social media, e-commerce platforms etc. have penetrated our lives and produce large amount of data.[5] Such data today has become a vital corporate asset which proves beneficial in a variety of ways, from identifying potential customers, improving customer services, predicting sale trends to recognizing patterns and reasons leading to performance breakdown in a company. A Pricewater Cooperhouse research points out that the total intangible assets comprise, on an average, some 75% of companies’ value.[6]
Rearranging CSR endeavours
The Digital India initiative was introduced in 2014 with a vision to transform the nation into a digitally empowered society. But till date, the Government hasn’t come up with a robust regime for data protection. Considering this, the data privacy protection becomes, important as the companies are heavily relying on the personal data of individuals for multifarious purposes and in lack of any law or regulation protecting such data, the Companies owe an ethical obligation to improve the data privacy protection by framing policies. The Indian Companies venturing in the global arena, need to rearrange their Corporate Social Responsibility endeavours and include data protection of their stakeholders in the list.
Data privacy protection would majorly be covered under the domain of the social dimension of the Triple Bottom Line approach on which the Stakeholder model of CSR works. Social variable of the Triple Bottom line approach focuses on the social dimensions of the community and includes measurements of education, equity and access to social resources, health and well-being, quality of life, and social capital.[7] In the present times, data privacy protection is also one of the significant societal dimensions, as privacy and autonomy of an individual cannot be overlooked due to unregulated and arbitrary use of data, particularly after the Puttaswami judgement, in which the Supreme Court has recognized the informational privacy as an important facet of the Right to Privacy.[8]
Consequences of data breach
As already discussed, data plays a very vital role in identification and targeting of the particular consumer group. However, the data collected includes different forms of information which may include habits, financial details, personal details etc. Here it becomes necessary to point out that the effects of any data breach can be multi-faceted. On one hand, a single incident of data breach can harm the consumers psychologically, socially or economically, depending on the type of information leaked. Certain information may be central to the identity of an individual, like their sexuality, etc., which if revealed would affect the person psychologically. Disclosure of some kind of sensitive information, many a times, results in the stereotyping and pre-judging of an individual or lowering his reputation, which affects his social life negatively.[9] Leakage of an individual’s social security numbers or financial details can lead to a huge economic loss for him. On the other hand, companies may lose out trust which people have in them, leading to the existing as well as probable customers switching to another company or service provider. Corporate integrity is ensured by maintaining the brand value and goodwill.
A company’s goodwill by breaching the promises of data care, both explicit and implicit, gets contaminated not only in the minds of the consumers, but also the partners, shareholders and all the other stakeholders. This leads to a decrease in the value of its investments in brand identity building by eroding the commercial trust. Attenuation in the goodwill of a Company would diminish the value of a Company’s assets, in turn distressing the Company, thus financially harming the employers, partners, shareholders and other stakeholders at large. According to a study in 2016, 25 percent of the leaders of the largest global companies consider the most serious impact that a cyberattack can have on their organization is the loss of reputation among their customers.[10]
Skeptics may argue that keeping in mind the present scenario, investment in privacy protection is nonessential and would lead to swelling of costs of the Company in India. But this criticism comes due to a lack of a proper understanding of the long term negative effects when the privacy of the stakeholders is breached. A Company may face severe consequences, by ignoring the Data Privacy Protection Principles, especially if such a breach leads to a severe privacy violation of a consumer, or some other abuse of confidentiality, then the expenses involved in covering fines, court fees, advocates’ fees, settlement costs, paying damages and other working out other mechanisms further diminish the capital of a Company.[11]
Above that, these days the databases of personally identifiable information are becoming a lucrative target for the cybercriminals who use this data for identity theft and even extortion rackets, where they can easily blackmail the Companies to pay the ransom otherwise they would leak the data.[12] These cybercriminals may even threaten with attacks from zombie drones, which could disrupt operations of a Company temporarily or permanently.[13] So, Companies by safeguarding the privacy of their stakeholders, would not only be exercising fairness and preventing harm to the privacy of individuals, but in the long run increasing their own protection, and in certain cases investments too.
Suggestions
The lack of any legislation in the direction of Regulation of Data Privacy in our country triggers an ethical duty for the Companies to formulate regulations in this area based on the lines of EU GDPR (General Data Protection Regulation). As laid out in the EUGDPR, Companies in India also, should include in their practice, extensive range of principles such as that of purpose specification, data minimization, data quality, use limitation, storage limitation in order to prevent reasonable and possible harms to the privacy of the people. Further, the Companies should not only issue comprehensive privacy notices for obtaining consent, but even conduct regular data auditing.[14] In order to avoid another . This can be easily done by contractual means.[16]
Conclusion
As it is widely acknowledged fact that CSR activities are to serve a social purpose, and are dynamic in nature and are not limited to the particular set of activities. The privacy of an individual is an intrinsic social element, this becomes more manifested when consideration is given to the number of people from whom data is collected and who might be at a probable peril if it is not properly protected. Inculcation of data privacy protection mechanisms would not only protect the individuals related to the company but in a longer run would benefit the stakeholders, in turn augmenting the profits of the Company. Moreover, if the societal good is kept at sidelines, then too it would help companies in meeting the standards of the global markets, particularly those countries which have already enacted legislations on the issue.
[1] What is CSR, united nations industrial development organization, https://www.unido.org/our-focus/advancing-economic-competitiveness/competitive-trade-capacities-and-corporate-responsibility/corporate-social-responsibility-market-integration/what-csr.
[2] Corporate Social Responsibility, the national academies press, https://www.nap.edu/read/11833/chapter/8.
[3]Corporate Social Responsibility, finnovation, http://www.fiinovation.co.in/corporate-social-responsibility/.
[4]Sabharwal D & Narula S., Corporate Social Responsibility in India Introspection, journal of mass communication and journalism, (July 31, 2015), https://www.omicsonline.org/open-access/corporate-social-responsibility-in-indiaintrospection-2165-7912-1000270.php?aid=59520.
[5] Stefaan G. Verhulst, Corporate Social Responsibility for a Data Age, stanford social innovation review, (Feb. 15, 2017), https://ssir.org/articles/entry/corporate_social_responsibility_for_a_data_age.
[6] Tony Hadjiloucas, The increasing importance of brands and intangibles in industry, pwc,(April 2014), http://www.wipo.int/edocs/mdocs/sme/en/wipo_smes_lis_14/wipo_smes_lis_14_g_hadjiloucas.pdf.
[7]Timothy F. Slaper & Tanya J. Hall, The Triple Bottom Line: What Is It and How Does It Work?, indiana business review, http://www.ibrc.indiana.edu/ibr/2011/spring/article2.html.
[8] White Paper of the Committee of Experts on Data Protection Framework in India, http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf.
[9] White Paper of the Committee of Experts on Data Protection Framework in India, http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf.
[10] Landry Signe and Kevin Signe, Global Cybercrimes and weak cybersecurity threaten businesses in Africa, brookings(May 30, 2018), https://www.brookings.edu/blog/africa-in-focus/2018/05/30/global-cybercrimes-and-weak-cybersecurity-threaten-businesses-in-africa/.
[11]Andrea M. Matwyshyn , CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices, 88 (4) journal of business ethics 579, (2009), https://www.jstor.org/stable/27749732.
[12] Sanjay Kumar, Will the Data Protection Regulation Open NewAvenues For Cyber Criminals?, livelaw (Sept. 8, 2018, 12:56 P. M. ), https://www.livelaw.in/will-the-data-protection-regulation-open-new-avenues-for-cyber-criminals/.
[13] Andrea M. Matwyshyn , CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices, 88 (4) journal of bisiness ethics 579, (2009), https://www.jstor.org/stable/27749732.
[14] White Paper of the Committee of Experts on Data Protection Framework in India, http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf.
[15] Alix Langone, Facebook’s Cambridge Analytica Controversy Could be Big Trouble For The Social Network, time( May 20, 2108), http://time.com/5205314/facebook-cambridge-analytica-breach/.
[16]White Paper of the Committee of Experts on Data Protection Framework in India, http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf.