By Mahima Jayan
In the era of massive globalization driven by technological advances, where data is not limited by any territorial boundaries, discussions about privacy issues have gained prominence. One of the major focuses of the discussion is the routine collection and processing of substantial volumes of personal data by companies, which raises concerns about possible privacy violations.
In India, the Apex Court reaffirmed that the right to privacy is a fundamental right protected under the Constitution of India.1 The personal data of any person, which can include name, contact details, and birth date, is to be protected from any kind of misuse resulting in financial loss, reputational loss, or profiling.2
Corporates collect and process a great deal of data for a wide variety of purposes, ranging from marketing to customizing services. However, the manner of collection, processing, and storage of such data has been questioned as violating privacy rights. Hence, companies collecting any personal data that relates to an individual who can be identified, directly or indirectly, by that data are required to satisfy various legal requirements. To ensure this, companies are required to publish a privacy policy setting out at least the basic standards of protection of personal information.
Understanding the Legal Framework
In India, the Digital Personal Data Protection Act, 2023 (referred to as ‘DPDP Act, 2023’) sets out the basic guidelines that every person, natural or legal, who collects and processes personal data in either digital form or physical form later digitalized, shall conform to. The Act along with the Information Technology Act, 2000 (referred to as ‘IT Act, 2000’) and its rules regulate companies in general in relation to the protection of the privacy rights of individuals.
The IT Act, 2000 binds body corporates to protect ‘sensitive personal data’ while possessing, handling, or dealing with such data stored in computer resources which they own, control, or operate, and holds them liable for any negligence in maintaining and implementing reasonable security measures. Reasonable security measures means security practices and procedures designed to protect the data from unauthorized access, damage, use, modification, disclosure, or impairment. These are ascertained as per the law for the time being in force; in its absence, as per the terms of the agreement between the parties; and further, as prescribed by the Central Government.3
To implement the Section, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (referred to as ‘SPDI Rules, 2011’) were framed. The Rules mandate that body corporates publish a privacy policy consisting of the following contents:
Clear and easily accessible statements of its practices and policies for handling and dealing with personal data, including sensitive personal data.
Type of personal or sensitive personal data or information collected.
The purpose of the collection of data and the usage of such information.
Manner of disclosure of information, including sensitive personal data or information.
Reasonable security practices and procedures undertaken by the Company.4
The aim of mandating corporates to publish their privacy policy is to enable customers intending to deal with the company to be aware of the personal data collected by the company and the purpose for which it shall be processed, so that they can provide informed consent. The broader objective is to safeguard the personal data of individuals from unauthorized access and processing.
Scope and Applicability
A Body Corporate is liable to pay compensation for any negligence in the implementation and maintenance of reasonable security practices and procedures that results in wrongful loss or gain to any person while it possesses, deals with, or handles any sensitive personal data or information in a computer resource which it owns.5 For the purpose of the section and the rules made thereunder, ‘Body Corporate’ is defined as any company and includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities.6
Hence, all entities that fall under the category of ‘Body Corporate’ are liable to safeguard the information they hold as well as to abide by the SPDI Rules (i.e. implement and publish a Privacy Policy).
Statutory Requirements for Privacy Policies
Personal Data is defined as “any data about an individual who is identifiable by or in relation to such data”.7 It refers to information that can identify an individual either on its own or in combination with other pieces of information. For instance, a date of birth on its own may not identify a person, but in combination with a name it will help to point to one person's identity. Thus, the company in its privacy policy has to specify the personal information that shall be collected from individuals, whether customers or not, which can include name, contact details, gender, location, web cookies, etc.
Sensitive Personal Data is information relating to a person's passwords; financial information such as bank account, credit card, debit card, or other payment instrument details; physical, physiological, and mental health condition; sexual orientation; medical records and history; biometric information; and any such information provided to a body corporate for providing services which is collected, processed, or stored under lawful contract or otherwise. However, any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005, or any other law, shall not come under the ambit of sensitive personal data.8
The essential factor to be laid down in the privacy policy is the nature and manner of consent. The DPDP Act, 2023, inspired by the GDPR, lays down that consent shall be free, specific, informed, unconditional, and unambiguous, with clear affirmative action.9 Consent should signify an agreement to the processing of the personal data between the person providing the information (referred to as ‘Data Principal’) and the person processing and utilizing the data to their benefit (referred to as ‘Data Fiduciary’). The consent can be limited to the specified purpose and to such personal data as is necessary for the purpose for which the data is collected.10 Further, the Act stipulates that consent should be preceded or accompanied by a notice mentioning the personal data and the purpose for which it is proposed to be processed, the manner in which the Data Principal may exercise the rights under the Act, and the manner in which the Data Principal may make a complaint to the Board. Such notice should be made available in English or any language specified in the Eighth Schedule to the Constitution.11
The SPDI Rules further tighten the standards of consent with regard to sensitive personal data. The Rules mandate that consent be obtained for collecting sensitive personal data, that the information be collected for a lawful purpose connected with a function or activity of the body corporate, and that the collection of the sensitive personal data or information be necessary for that purpose. The Rules require that the person providing the information have notice of the following:
the fact that the information is being collected.
the purpose for which the information is being collected.
the intended recipients of the information, and
the name and address of —
Another matter that must be expressly specified in the Privacy Policy is the purposes and duration for which the company shall collect, process, and utilize the information collected.13 It should conform to the stipulations of the DPDP Act and the law for the time being in force.
Any disclosure of personal data or sensitive personal data can be made by a body corporate only after prior approval of the information provider, i.e. the Data Principal. Hence, the company has to provide notice to the Data Principal through its Privacy Policy regarding the third parties with whom the data will be shared (disclosures).14 The Data Principal has the right to obtain information regarding their personal data, such as a summary of the personal data collected and the manner in which it is processed, and the identities of the bodies with whom the data has been shared; the Policy must provide a mechanism that the Data Principal can avail of for this purpose.15
The Privacy Policy must provide mechanisms to enforce the rights of Data Principals, such as the right of withdrawal, right of erasure, right of correction, and similar rights.16 The Privacy Policy must further provide the details of the person of contact in case of any grievances relating to the mentioned rights of the customer with respect to their personal information. In case the grievance redressal mechanism proves ineffective, the aggrieved person may approach the Data Protection Board of India established by the Central Government.17
Key Components of Privacy Policy
Thus, on a close reading of the legal framework that mandates corporate houses to avoid violating privacy rights by providing adequate notice in the form of a Privacy Policy, the following points will be required to be included:
The information the company intends to collect from their customers and other individuals.
The purposes for which the information collected shall be processed and utilized.
Assurance that the consent is free and voluntary, and the customer/person can choose not to provide such consent.
Assurance that the Customer/person may review the information that has been retained within the Company as well as entities with which the information is shared.
Assurance that the consent provided can be withdrawn at any stage with ease.
Assurance that on withdrawal of consent, all data retained by the Company and by the third parties with which the data was shared shall be erased.
Assurance that the Customer/person may correct, complete, update, and erase their personal data.
Assurance that the Company has taken reasonable security measures to protect the personal data of the customer from any unauthorized access and misuse.
Provide an opt-out option allowing customers to opt out of any marketing or promotional activities of the Company.
Provide adequate contact details for the person responsible for grievances, and specify that the customer, in case of non-redressal, may approach the Data Protection Board of India.
Conclusion
To summarize, the current panorama of globalized connections, fueled by technological breakthroughs, has sparked more discussion around privacy issues. A large aspect of this discussion revolves around concerns about companies' massive collection and utilization of personal data, which may result in privacy breaches. In India, there has been a significant turn to recognize the privacy rights of individuals, and the courts, most notably the Supreme Court, have upheld the Constitution's basic right to privacy. Personal data protection, which includes information such as name, contact information, and birth date, is thought necessary to be safeguarded against potential misuse, which could result in financial or reputational losses and inappropriate profiling.
In response to these concerns, legislative frameworks, such as the Digital Personal Data Protection Act, 2023 (DPDP Act, 2023), and the Information Technology Act, 2000, have been implemented to oversee the company's collection and utilization of personal data. The legislation requires corporate entities to develop and publish privacy policies that establish essential requirements for the protection of personal information.
According to regulatory requirements, the Privacy Policy must address a wide range of issues, including the nature and manner of consent, the types of data acquired, the purposes of data processing, the security measures used, and mechanisms for redressing grievances. The emphasis is on obtaining free, specific, informed, unconditional, and unambiguous consent, as required by the DPDP Act and in line with international norms such as the General Data Protection Regulation (GDPR). Furthermore, stricter rules, such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, emphasize the significance of explicit consent, particularly for sensitive personal data.
Moreover, the Privacy Policy functions as an indispensable instrument for informing individuals about their rights, thereby facilitating informed decision-making concerning the management of their personal information. It articulates the procedures for withdrawing consent, rectifying data inaccuracies, and provides channels for addressing grievances, thereby reinforcing the dedication to upholding privacy rights. This strategic delineation not only ensures transparency in data processing practices but also emphasizes the commitment to safeguarding individual privacy in compliance with legal and ethical standards.
In essence, the Privacy Policy emerges as a crucial component of corporate governance, fostering transparency, accountability, and compliance with legal mandates. It not only ensures adherence to statutory requirements but also empowers individuals to exercise control over their personal data in an era characterized by rapid technological advancements and interconnected global networks.
The author of this article is Mahima Jayan, an LLM (Specialization in Corporate and Finance Law) student at Jindal Global Law School, Sonipat.
References
1. Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., AIR 2017 SC 4161.
2. Saket Surya, “Legislative Brief: The Digital Personal Data Protection Bill, 2023” [2023] PRS Legislative Research, https://prsindia.org/files/bills_acts/bills_parliament/2023/Legislative_Brief_Digital_Personal_Data_Protection_Bill_2023.pdf.
3. Section 43A, Information Technology Act, 2000.
4. Rule 3, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
5. Section 43A, Information Technology Act, 2000.
6. Explanation (i) of Section 43A, Information Technology Act, 2000.
7. Section 2(t), Digital Personal Data Protection Act, 2023.
8. Rule 3, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
9. Section 6, Digital Personal Data Protection Act, 2023.
10. Section 6, Digital Personal Data Protection Act, 2023.
11. Sections 6 and 7, Digital Personal Data Protection Act, 2023.
12. Rule 5, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
13. Rule 5, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 & Section 7, Digital Personal Data Protection Act, 2023.
14. Rule 6, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
15. Section 11, Digital Personal Data Protection Act, 2023.
16. Section 12, Digital Personal Data Protection Act, 2023.
17. Section 13, Digital Personal Data Protection Act, 2023.
This article contains the views of the author, and the publisher does not in any way associate itself with the views or ideologies of the author. All moral rights vest with the Author(s).