1. Introduction.

The data protection regime in India is in a state of flux. The year 2017 has been a humdinger of a year for data privacy laws. On August 24, 2017, the constitutional bench of the Supreme Court[1] decided that the right to privacy was, after all, a fundamental right.[2] The Supreme Court also noted in the matter that "the government has initiated the process of reviewing the entire area of data protection, it would be appropriate to leave the matter for expert determination so that a robust regime for the protection of data is put into place. We expect that the Union government shall follow up on its decision by taking all necessary and proper steps." Following the judgment in re Puttaswamy, the Committee of Experts on a Data Protection Framework for India, chaired by Justice B. N. Srikrishna, released a white paper on November 27, 2017.[3] The Ministry of Electronics & Information Technology (MeitY) issued a press release on December 28, 2017 seeking public comments on the white paper by January 31, 2018.

While the country is waiting for the government to issue new laws on data protection and privacy, the popular question right now seems to be what should be included in a privacy policy today.

2. Present position of law.

The extant law on privacy and data protection is very clear. Section 43A of the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Sensitive Information Rules"), requires every business in India which collects, receives, possesses, stores, transmits, processes or can associate pretty much any other verb with 'personal information' directly under a contractual obligation with the provider of information[4] to have a privacy policy[5]. Such a privacy policy must provide the following[6]:

  1. clear and easily accessible statements of its practices and policies;
  2. type of personal and sensitive personal data or information collected by it;
  3. purpose of collection and usage of such information;
  4. disclosure of information including sensitive personal data or information collected;
  5. reasonable security practices and procedures adopted by it.

The general trend, unfortunately, has been to (i) use the privacy policy and terms of use provided by the website designer as a package, or borrow one from a competitor, or a friend and, in one instance, a neighbouring aunty's son's good friend, and (ii) hide it at the bottom of the website in the smallest font possible, and fill it with incomprehensible legalese with mountain-high clauses. Such lack of thought and casual handling has allowed the Indian digital land to become lit with data and identity theft issues. The potential for mischief and crime is indeed very ripe.

3. Elements of privacy policy.

A privacy policy is akin to a pre-nuptial agreement. A one-size-fits-all privacy policy may not be sufficient. A privacy policy should be crafted with purpose and consideration. The essential elements of a privacy policy as per the extant data protection laws of India are as follows:

  1. Consent: The most crucial component of a privacy policy is 'consent'. In this regard the Supreme Court has, in re Puttaswamy[7], made the following observations:

    "497. It was rightly expressed on behalf of the Petitioners that the technology has made it possible to enter a citizen's house without knocking at his/her door and this is equally possible both by the State and non-State actors. It is an individual's choice as to who enters his house, how he lives and in what relationship. The privacy of the home must protect the family, marriage, procreation and sexual orientation which are all important aspects of dignity. 498. If the individual permits someone to enter the house it does not mean that others can enter the house. The only check and balance is that it should not harm the other individual or affect his or her rights. This applies both to the physical form and to technology."

    No information must be used without the consent of the provider of information. Normally, organizations will make their privacy policy as comprehensive as possible to avoid liability. The privacy policy will be at the bottom of the website in tiny font. The ordinary presumption is that lengthy privacy policies filled with legal jargon make for a sturdy legal document. Once the user has proceeded to use the platform for its services or solutions, the action of the user is deemed as consent to the privacy policy. However, it is crucial to understand that these types of consent are bereft of two crucial components of the concept of 'consent': notice and choice.

    Notice: The manner in which the privacy policy is presented to the user is a crucial requirement of consent, i.e., not only the placement of the privacy policy but also being able to reasonably prove that the user has had a chance to read and understand its terms. If the privacy policy is merely provided as a link at the bottom of the platform in small fonts, it may be argued by a user that he was never given any notice regarding the privacy policy. Thus, the data controller must ensure that the privacy policy is provided in an easily accessible manner on the platform.

    Choice: The other vital component is choice[8]. It is not enough that users have been shown to have accepted the privacy policy through a click-wrap mode; they should have the ability to opt in to and/or opt out of the information sharing requirements of the business. The present laws allow the data controller to withhold the provision of the goods or services for which the information is sought, if the provider of information does not provide or later chooses to withdraw his consent.[9] However, if the opt-in/opt-out option is not provided to the provider of information in cases where the information has been collected for a specific purpose but is also intended to be used for some other purpose, then there is a risk that the deemed consent of the user to the long-form privacy policy is construed as a 'contract of adhesion'[10] and as unconscionable[11] by the Indian courts. For example, where a healthcare platform seeks to use the medical information of its users for some other purpose, like suggesting fitness equipment that may be most suitable for the information provider, such information provider should be given two options in the privacy policy: one which allows the platform to use the information being collected for other specifically demarcated purposes, and another which disallows the platform from using the information being collected for other specifically demarcated purposes. By providing these two options, the platform essentially ensures that the consent obtained from the user was informed and proper, and avoids the risk of the policy being construed as a contract of adhesion.
  2. Purpose of information collected[12]. The privacy policy needs to clearly specify the purpose of collection of the information.[13] Only that personal information should be collected from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken[14]. An omnibus purpose which ambiguously refers to future commercial usage may not be favourably viewed by Indian courts, especially if the other elements of the privacy policy have not been met[15].

    If there is a change of purpose, this must be notified to the individual. The information collected for a specified purpose cannot be retained for longer than is required for that purpose[16]. Thus, once the personal information has been used in accordance with the identified purpose, it should be destroyed by the data controller. However, the privacy policy should clearly specify the manner in which the personal information is intended to be used.
  3. Disclosure of information. The type of information collected must also be clearly communicated to the information provider. Technological advancement is not equivalent to technological literacy. It is not audacious to assume that many internet users are still unaware of the perils of divulging data. Therefore, it is vital that the information provider be informed about the nature of his personal information that is being collected. The data controller must also permit the providers of information, as and when requested by them, to review the information they had provided[17]. The other side of this aspect is that the data controller must also obtain prior permission if it intends to disclose the collected information to a third party[18], except to government agencies mandated under law.
  4. Security practices. The Sensitive Information Rules[19] mandate every data controller to have a comprehensively documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of the business. Businesses often confuse this document with their privacy policy; the two are not the same. The international standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard that may be adopted.

4. Conclusion.

"Digitalization has changed society. While data is becoming the 'new oil', data protection is becoming the new 'pollution control'."[20] With the increase of the digital population in India, online services and businesses are being redefined every microsecond. Technology combined with the vast mines of information available online has pushed the boundaries of standard business industries beyond the recognizable horizon. Healthcare, finance, fitness and beauty, e-commerce, transportation, software solutions, music, arts, movies, etc., are evolving as industries on a daily basis. The nature of services being offered by these industries is no longer limited to vanilla sale and purchase or a pure service model. However, nothing is more deleterious to a man's physical happiness and health than a calculated interference with his privacy[21].

Considering that the digital population in India has grown substantially, data privacy and data protection are key issues at the moment. Every internet user leaves his/her digital footprints in the form of personal data when browsing the internet. This may range from providing, knowingly or unwittingly, their IP address, name and mobile number to personal and sensitive information like their sexual orientation, medical records, etc. This leaves internet users vulnerable to crimes like identity theft, breach of privacy and financial crimes.

The pervasive question today is how to craft a privacy policy that balances the privacy of the internet user with the burgeoning requirements of businesses.

Businesses will do well to review their privacy policy to ensure that their notice and consent designs, i.e., their privacy policy and the manner in which the user is expected to consent to the same, have been designed in a manner which can withstand the test of time. Considering that, despite certain flaws, the mechanism of notice and choice continues to be used widely across many jurisdictions, it may serve businesses well to ensure that their privacy policy and terms of use adapt the notice and choice mechanism.

Terms of use and privacy policy should be treated as an art form, rather than long form, i.e., craft the document carefully customizing it to the needs of the business and the general principles of law.

Footnotes

1. See Justice Puttaswamy v. UOI, Writ Petition (Civil) No. 494 of 2012 decided on August 24, 2017.

2. Previously, in the matter of M.P. Sharma v. Satish Chandra, District Magistrate, Delhi (1954) SCR 1077 and Kharak Singh v. State of Uttar Pradesh (1964) 1 SCR 332, it had been observed that the Indian constitution does not specifically protect the right to privacy. The submissions of the petitioners in the Kharak Singh and M. P. Sharma matters were founded on the principles expounded in A. K. Gopalan v. State of Madras, AIR 1950 SC 27, where each provision contained in the chapter on fundamental laws was held to embody a distinct protection. This principle was held not to be good law by an eleven judge bench in Rustom Cavasji Cooper v. UOI (1970) 1 SCC 248.

Also, in Maneka Gandhi v. UOI (1978) 1 SCC 248, the minority judgment of Justice Subba Rao in Kharak Singh was specifically approved of and the decision of the majority was overruled. Apart from this, there were several matters rendered by benches of smaller strength than those in M.P. Singh and Kharak Singh which affirmed the existence of a constitutionally protected right of privacy. Faced with this predicament and having due regard to the far-reaching questions of importance involving interpretation of the Constitution, it was felt that institutional integrity and judicial discipline would require a reference to a larger Bench. Thus, the matter was referred to a constitutional bench of the Supreme Court in re Puttaswamy.

3. See 'White Paper of the Committee of Experts on a Data Protection Framework for India' available at http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf on January 30, 2018. The Whitepaper recognizes in the foreword that the issue of data protection is important both intrinsically and instrumentally. Intrinsically, a regime for data protection is synonymous with protection of informational privacy. Instrumentally, a firm legal framework for data protection is the foundation on which data driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential

4. See Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A of the Information Technology Act, 2000 issued vide press note dated August 24, 2011.

5. In 2012, a Group of Experts on Privacy was constituted by the erstwhile Planning Commission under the Chairmanship of Justice AP Shah (Justice AP Shah Committee). The report of the Justice AP Shah Committee recommended a detailed framework that serves as the conceptual foundation for a privacy law in India, considering multiple dimensions of privacy. After a detailed deliberative and consultative exercise, it proposed a set of nine National Privacy Principles to be followed, broadly derived from the OECD Guidelines. The nine principles set out by the Justice AP Shah Committee are as follows: Principle 1: Notice; Principle 2: Choice and Consent; Principle 3: Collection Limitation; Principle 4: Purpose Limitation; Principle 5: Access and Correction; Principle 6: Disclosure of Information; Principle 7: Security; Principle 8: Openness; Principle 9: Accountability. See Report of the Justice AP Shah Committee, 21-27 (October 16, 2012).

6. See Rule 4 of the Sensitive Information Rules.

7. Ibid. See para 477 of the judgement.

8. See Rule 5 (7) of the Sensitive Information Rules. As per this provision, prior to the collection of information including sensitive personal data or information, the data controller must provide an option to the provider of information to not provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the data controller.

9. See Rule 5 (7) of the Sensitive Information Rules.

10. The term 'adhesion contract' has been defined under the Black's Law Dictionary as "a standardized contract form offered to consumers of goods and services on essentially 'take it or leave it' basis without affording consumer realistic opportunity to bargain and under such conditions that consumer cannot obtain desired product or services except by acquiescing in form contract. Distinctive feature of adhesion contract is that weaker party has no realistic choice as to its terms. Not every such contract is unconscionable."

11. See LIC of India and Anr. v. Consumer Education & Research center and Ors. AIR 1995 SC 1811; and Rakesh Chand and others v. State of Himachal Pradesh and others, [CWP (T) No. 781/2008, Decided on June 15, 2010]. Also see http://www.mondaq.com/india/x/380692/Contract+Law/Happily+Click+after+The+real+story+of+econtracts.

12. See Rule 5 of the Sensitive Information Rules.

13. In re Puttaswamy, the Supreme Court notes vis-à-vis 'purpose limitation' (which is one of the nine principles proposed by the Group of Experts on Privacy) – "Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which it is processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles."

14. Rule 5 (5) of the Sensitive Information Rules stipulates that the information collected must be used for the purpose for which it has been collected.

15. Rule 5 (3) of the Sensitive Information Rules stipulates that while collecting information directly from the person concerned the body corporate or any person on its behalf must take such steps as are in the circumstances reasonable to ensure that the person concerned is having the knowledge of – (a) the fact that the information is being collected; (b) the purpose for which the information is being collected, (c) the intended recipient of the information; and (d) the name and address of the agency that is collecting the information and the agency that will retain the information.

16. See Rule 5 (4) of the Sensitive Information Rules.

17. See Rule 5 (6) of the Sensitive Information Rules.

18. See Rule 6 of the Sensitive Information Rules.

19. See Rule 8 of the Sensitive Information Rules.

20. Summary to the documentary 'Democracy: Im Rausch der Daten' (2015).

21. In re Kharak Singh, at page 359.
