This article has been written by Kumar Saurabh pursuing the Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from LawSikho. This article has been edited by Zigishu Singh (Associate, Lawsikho) and Ruchika Mohapatra (Associate, Lawsikho).
Way back in 2008, I created my first account on a social networking site. It was a nice experience to connect with everyone and socialize virtually. However, I never predicted that a decade later I will be writing about sensitive issues associated with accounts on social networking sites and the issues are Data Privacy, Personal Data, Sensitive Data, Non-Personal Data, etc. At that time, I was unaware of the existence of these terms and the relevance they will carry with them in future. Presently, data is a new currency and the regime of data privacy has witnessed evolutions and credit goes to the evolution of the internet.
If today someone asks me, what is the most valuable asset for any organisation ranging from recent technologies to launching a product in the market, for taking any strategic decisions, targeted audience for any kind of advertisement, etc., my answer will be Data. Today, all the vital functions of our day-to-day life have “e” added as a prefix, e.g., e-commerce, e-marketing, e-education, e-meeting, e-shopping, e-advertisement, etc. With the introduction of the internet in our life, most of the activities are taking place virtually on platforms like Instagram, Facebook, etc. these platforms are very user friendly and user compatible, however, the only concern with the use of these platforms is collected data.
A huge amount of personal data, non-personal data, sensitive data, etc, is collected and we are unaware of this. Another concern is the process taken while collecting, storing, and handling the collected data. To address this issue, General Data Protection Regulation (GDPR) was introduced in the European Union and in the same line, different jurisdictions have introduced respective data privacy laws. We need to see how these platforms are complying with the Data Privacy Laws.
a) Types of data to be collected.
b) Steps for collecting the data.
c) Scenario for using the data.
d) Permission whose data to be collected.
e) Timeline for storing the data.
f) Different Intermediaries.
g) Scenarios and restrictions regarding data transmission.
h) Removal and erasing of data.
The data collected by Instagram include:
1. Information (such as racial or ethnic origin, philosophical beliefs or trade union membership) could be subject to special protections under the laws of the country.
2. Information related to the people, Pages, accounts, hashtags and groups that we are connected to and how we interact with them across Instagram Products.
3. Contact information if we choose to upload, sync or import it from a device (such as an address book or call log or SMS log history).
4. Information about the purchase or transaction. This includes payment information, such as your credit or debit card number and other card information, other account and authentication information, and billing, delivery and contact details.
5. Information such as the operating system, hardware and software versions, battery level, signal strength, available storage space, browser type, app and file names and types, and plugins.
The list is very exhaustive and when it comes to the use of collected data, the reasons as given in their website are:
1. To improve and personalize their products.
2. To communicate with users.
3. Promoting safety and integrity.
4. Research and innovation for social good.
The page also discloses information related to the deletion of the collected data. Once the account is deleted, all the information related to the user will be deleted automatically. Instagram will store the data until it is no longer necessary to provide services and Facebook products or until the account is deleted.
Presently, India has no statutory provisions to govern the collection, processing and transferring of personal data except Section 43 of the Information Technology act, 2000. However, this section is not sufficient to govern all issues that crop out of the domain of Data Privacy. Considering the situation, the Personal Data Protection Bill, 2019 is tabled in Lok Sabha which is in line with the General Data Protection Regulations(GDPR) enacted by the European Union. This bill includes Processing and collection of personal data, non-personal data, sensitive personal data, its limitation and other requirements for that, retention of personal data and its resections, transparency and accountability measures, penalties and contributions, appellate tribunals, etc. The bill is very exhaustive and covers all the issues related to personal data.
Some of the important aspects of the bill when it comes to the responsibility of the person or company collecting personal data:
a) A notice has to be given while collecting the data.
b) The right of a person whose data is being collected, to withdraw his consent and the procedure for withdrawing the consent of the personal data being processed based on the consent.
c) If the personal data is not collected from the person personally, then the source from where the data is being collected.
d) How to deal with sensitive personal data.
1) No disclosure includes personal data, non-personal data and sensitive personal data.
2) There is no disclosure about the notice that needs to be served to the person whose data is being collected.
3) How to handle the data which falls under the purview of sensitive personal data.
4) The situation in which the data is to be transferred outside the territory.
5) Liability in case they are not complying with the rules and regulations associated with the collecting, processing, storing and retention of the data.
6) The Act is considered as an offence and penalties for offences.
Right to privacy and case laws
In Kharak Singh’s case, it was established that the Right to Privacy is a fundamental right. Even in the case of Puttuswamy Vs the Union of India, it was declared that the right to privacy is a fundamental right. Once it is declared as a fundamental right, no one is allowed to infringe upon it without our permission. However, numerous players are collecting and using our personal data without our permission. They are liable under the law for snatching our fundamental rights and we are legally authorised to deny the same.
Impact of Personal Data Protection Bill
Once the bill is passed and THE Personal Data Protection Act come into existence, all the companies or players or organisation collecting data need to:
2. Amendment in clauses to make it compatible with the provisions of the act.
3. Offences and Penalties for offences.
4. Vacancies and appointment of personnel to look into the matter which is relevant as per the act.
5. Inclusion and definition of different terms and applicability.
6. Applicability of different laws of the land which will govern any particular situation.
7. Difference between different types of data and scenarios when the specific type of data is collected.
8. More awareness among the employees regarding data privacy and for the same to be included in CSR activities.
The list may stretch to the number of pages, but companies have to keep in mind that data privacy is a fundamental right and any unauthorised act or illegal act will be treated as a criminal activity.
A few years back, the Cambridge Analytica controversy cropped up which was associated with data leakage and there was a compromise with the personal data. To avoid these types of incidents in future, there has to be some roadmap and its proper implementation. This also demands time to time amendments in the clauses to be on par with the Data privacy laws of the respective Jurisdiction.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA