India: Commercial Exploitation Of Personal Data – Through The Looking Glass

Introduction

Loosely translated, the word "Data" in technology means and includes all results or technical information that have either been developed or obtained in the performance of a certain activity. In our daily lives, we go through a number of activities without realising that at every step of an activity, a large amount of our data is being used, collected, and commercially exploited by huge corporations in order to provide us with advertisements, commercial calls as well as using it to further their marketing purposes.

According to the law, personal data can mean any information relating to any identified or identifiable individual by either reference or one more factors. Specifically, their physical, physiological, mental, economic, cultural, or social identity.

Personal data is any piece of information that can be double checked to identify a specific individual such as fingerprints, DNA, or certain information specific to the said person. Personal data possesses a great deal of the commercial worth for businesses. As a result of which, these files containing such huge personal information are bought and sold and these commercial groups become tempted to identify and search for potential clients for their business. Organizations usually collect many different type of information on people and even if one piece of data doesn't identify as belonging to someone, it could become irrelevant to other information and be sidelined. For instance, a data controller that requests information on people who download products from their website might put down their occupation as banker, therefore since there are millions of people who might be working in a bank, the information gets sidelined since it is of no use for their websites.

In the last decade, the collection and use of consumer data by commercial entities has transitioned from being under the wraps to being a beaming issue among the daily life of the public. People have certainly realised over a short amount of time how they no longer have any control over who records, purchases, and sells their data. Consumers have surely taken basic activities such as shopping, ordering food, and education online wherein they tend to generate more and more of Data. Large internet companies organising these activities have learned to utilise or sell the same for different customer or marketing engagement.

Processing of Personal Data

The initial stage in data processing is the data collection phase. Data is gathered from various sources, such as data lakes and data warehouses. It's critical that the data sources used by anyone are reliable and well-constructed, so that the data collected (and later used as information) is of the highest possible quality.

After the data has been obtained, the data organization phase begins. The stage of data preparation, sometimes known as "pre-processing," is when raw data is cleaned up and structured in preparation for the next stage of data processing. Raw data is thoroughly validated for mistakes during the preparation process. This step's goal is to get rid of bad data (redundant, incomplete, or erroneous data) and start creating high-quality data for better business intelligence.

After that, the clean data is entered into its intended location and translated into a language that can be comprehended. Data input is the initial stage in which raw data begins to take the form of usable information.

The data entered into the computer in the previous stage is processed for interpretation in this stage. Machine learning algorithms are used to process the data, albeit the procedure may vary slightly based on the data source (data lakes, social networks, connected devices, etc.) and the intended purpose (examining advertising patterns, medical diagnosis from connected devices, determining customer needs, etc.).

The output/interpretation stage is the stage where data is finally usable by non-data scientists. It is translated, readable, and often converted into graphs, videos, images, plain text, etc. Members of the company or institution can start analyzing this data and applying it to their own data analytics projects.

The final stage of data processing is storage. After all the data is processed, it is then stored for future use. While some information may be used immediately, much of it will serve a purpose later. Plus, effective proper storage of data is necessary for compliance with GDPR (data protection legislation).

Profiting from Personal Data

Over the past few years, the adoption of the internet along with our use of smartphones, has led to production of more recordable data than ever before. Social media sites and other internet companies have become some of the largest and most powerful corporations in the world, by knowing every aspect of their customers and using and selling that personal data to marketers in order to target a specific audience based on a customer's personal characteristic while making billions in the process. It is fair to assume that with all the information you pump into your smart phones or web searches on a daily basis, nearly every aspect of your life is being boxed, used, and sold to marketing companies for profit.

The concept of our personal sentiments and interests being used is one that many people will find unpleasant as it is a violation of privacy. Despite the possibility of a change in the way purchases can be made, people would prefer to not participate as their data is being used without their consent under the façade of providing a better customer experience.

How the Indian IT laws protect individual rights

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("Data Protection Rules") notified under the Information Technology Act, 2000 ("IT Act") governs data protection in India. Certain obligations are inflicted upon the organizations that collect, process, store and transfer sensitive personal data or information of individuals such as obtaining consent, publishing a privacy policy, responding to requests from individuals, disclosure, and transfer restrictions by the Data Protection.

Additionally, personal data is also protected under Article 21 of the Indian Constitution which guarantees to every citizen, the Right to Privacy as a fundamental right. The Supreme Court, in a few cases, has held that information about a person and the right to access that information by that person is also covered within the ambit of right to privacy.

Relevant Provisions of the IT Act:

• Section 43A – liability for wrongful loss or wrongful gain to any person caused because of the negligence in implementing and maintaining reasonable security practices, on a body corporate that owns, deals, or handles any sensitive personal data or information in a computer resource that it owns, controls, or operates to pay damages by way of compensation.⁵
• Section 72A penalty for wrongful disclosure of information in breach of a lawful contract or without the consent of the person concerned, with the intent of causing or knowing that he is likely to cause wrongful loss or wrongful gain, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.⁶
• The Data Protection Rules give individuals rights over their sensitive personal information and make it mandatory for any legal entity to publish a privacy policy. It also provides individuals the right to access and verify information and obliges legal entities to obtain consent before disclosing personal information except in the case of law enforcement, which provides individuals the ability to withdraw consent.

Since regulations are widely dispersed, the current legal framework has many loopholes. Furthermore, their applicability is limited to sensitive personal information generated and transmitted in electronic form. In addition, some terms may even be overridden by the contract.

GDPR and Commercialisation

The General Data Protection Regulation ("GDPR") is one of the most stringent global standards for protection of rights of millions of individuals who are termed as 'data subjects'. The GDPR provides clear guidelines on what organizations must do to protect personal data and avoid unnecessary legal penalties, including data protection considerations.

GDPR has identified data privacy as a fundamental human right of all individuals resident in EU and has set clear standards for protecting an individual's personal data while ensuring that data subjects control their data usage and retention. As per the GDPR a data subject has the following rights towards their data:

• parental consent is required until the child is between 13 and 16 years old.
• data subjects must be able to access their data as it is stored by the Data Controller and know-how and why it is processed, and where it is sent.
• data subjects must be able to correct incorrect or incomplete data and data controllers must notify all data recipients of such change. They can also object to the use of their data, and Data Controllers must comply with it, unless they have a legitimate interest that outweighs the data subject's interest.
• data subjects can ask the data controller to "forget" their personal data. Organizations may be allowed to retain data, for example, if they need it to comply with a legal obligation or if it is in the public interest, such as the case of scientific or historical research.
• data subjects have the right to know that they were subject to an automated decision based on their private information and can ask a person to review or contest the said decision.
• if personal data under the obligation of a data controller is disclosed to unauthorized parties, the controller must notify the relevant EU country Data Protection Authority within 72 hours and, in some cases, the data subject must also be notified.

The right to be forgotten is vested in Article 17 and Recitals 65 and 66 of GDPR. It stipulates that the data subject has the right to obtain from the controller the deletion of personal data relating to them without undue delay and the controller is obliged to delete the personal data without undue delay.

Under GDPR, an individual has the right to delete their personal data only in the certain specific cases.

However, an organization's right to process an individual's data in exceptional circumstances, such as when the data is used to exercise the right to freedom of expression and information, either to comply with a legal decision or obligation, or as necessary for public health and public interest purposes, can overshadow the right to be forgotten.

Indian position on Right to be Forgotten

At present, Indian laws do not include a right to be forgotten. However, the Honorable Supreme Court in the Puttaswamy case inter alia recognised "these rights include the right to be forgotten – a right to prevent or restrict disclosure of personal data by a fiduciary. Most importantly, consent has been given a crucial status in the draft data protection law. Thus, a primary basis for processing of personal data must be individual consent. This consent is required to be free, informed, specific, clear and, in an important addition, capable of being withdrawn". This case was however in the context of Aadhar legislations in India and collection of bio-metric data of individuals.

The Personal Data Protection Bill, 2019 ("Bill") proposes the legislation to include the right to be forgotten. Individuals may then limit, delete, separate, or correct any information about them that is misleading, embarrassing, and irrelevant. The Bill declares that data subjects have the right to prevent data trustees from using such data or information if data disclosure is no longer required, consent to use data has been withdrawn, or if the data is used contrary to the provisions of the law.

The Data Protection Rules further provides for the implementation of certain reasonable security practices and procedures ("RSPP") by organisations dealing with sensitive personal data or information of individuals. The Data Protection Rules provide as follows:

• Organizations can show compliance with the RSPP requirement by putting in place security practises and methodologies, as well as having a written information security programmes and policies. These information security policies must include administrative, technical, operational, and physical security controls appropriate to the information assets being safeguarded.
• The international standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard that would help demonstrate compliance with the RSPP requirement;
• Any self-regulatory organization's codes must be approved and notified by the Central Government; and
• Organizations that have adopted standards as outlined in (i), (ii), or (iii) above would be considered compliant with the requirement to implement RSPPs if audits were conducted on a regular basis by independent Government-appointed auditors. The IS/ISO/IEC 27001 standard specified in the Data Protection Rules is a certification that can be effectively used to prove compliance with the RSPP requirement.

A higher standard, namely, IS 17428 though not prescribed, certification if obtained, will serve organsiations well as a reference for demonstrating compliance with the RSPP requirement.

Penalties for Breach

A violation of confidentiality or privacy is punishable under Section 72 of the IT Act. Any person who, without the consent of the person concerned, secures access to any electronic record, book, register, correspondence, information, document, or other material in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, discloses such material to any other person shall be punished with imprisonment for a term that may extend to two years, or with a fine that may extend to Rs 1,00,000, or with both.

In addition to the IT Act, the GDPR prescribes the following penalties for non-compliance with respect to EU residents:

1. Penalties for violating certain provisions of the Act are punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is more, and
2. Failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is more.

Dos and Don'ts for E-commerce

As an e-commerce business, it's critical to have a detailed and comprehensive Privacy Policy in place. E-commerce retailers nearly always need to enlist the help of third parties to process personal data on their behalf, such as payment processors, mail carriers, and marketing firms. In such event, e-commerce service providers must have regard to the disclaimers and privacy statements of such third parties and warn users of the use of data outside their control.

The following items must be included in your privacy policy:

• Your company's contact details
• The categories of personal data you process
• How and why you process personal data
• Your lawful basis for each act of processing
• The categories of companies with whom you share personal data
• Details of any data transfers outside the jurisdiction
• How long you need to store personal data for
• How you can help facilitate your users' data rights
• How your users can make a complaint about your data protection practices

In Sum

Usage of personal data must conform to principles enshrined in Indian data protection law and GDPR (for businesses catering to EU residents) and the same must be sufficiently disclosed to the public at large through a privacy statement. Contrary to popular belief the privacy statement is not just a cookie or cache policy but operates to define and in some cases protect substantial individual rights of consumers.

Footnotes

1. Jigsaw Academy, Isha Upadhyay, 'What is Data Processing? An Important Overview In 6 Points,' 12^th February 2021, viewed 25^th March 2022, (https://www.jigsawacademy.com/blogs/data-science/what-is-data-processing/)

2. Justice K.S Puttaswamy & another Vs. Union of India Writ Petition (CIVIL) NO 494 OF 2012

3. Section 43A in The Information Technology Act, 2000.

4. Section 72A in The Information Technology Act, 2000.

• Rule 8 of the Data Protection Rules.

5. National Law Review, 'Data Privacy Standards Issued in India – Legal Compliance or New Brand Differentiator?' 12^th July 2021, (https://www.natlawreview.com/article/data-privacy-standards-issued-india-legal-compliance-or-new-brand-differentiator)

6. Privacy Policies, 'GDPR Privacy Policy for Ecommerce Stores', 15^th November 2021, viewed 25^th March 2022, https://www.privacypolicies.com/blog/gdpr-privacy-policy-ecommerce-stores/#Lawfulness_Fairness_And_Transparency

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.