Privacy policies
Image Source - https://rb.gy/jfgxeh

This article is written by Anurag Mawai, pursuing a Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from Lawsikho.

Introduction

In the early Mercantile Age when the concept of contract emerged, its purpose was to bring two or more parties to agreement regarding some terms and conditions which would later form the basis of any transaction which they may undertake between themselves. But this concept of simple written or oral agreement evolved as mankind climbed the ladder of science and technology, and made possible for parties to enter into agreement without even seeing each other even go as far as not even knowing each other’s identity. These new age contracts are called “Technology Contracts” and are aimed to facilitate transactions for masses in events like software updates and website cookie or privacy policy agreements. In these contracts the parties are usually massive in number hence these agreements are rigid and unable to be tailored for every specific individual, but the impact of these contracts are far and wide the most important being in the field of privacy as these contracts enable companies to open the floodgates to their consumer’s lives and sometimes can go as far as to predict their actions.

Main points of privacy policy

A privacy policy can be defined as a statement which discloses some or all of the ways a party collects, makes use of, reveals, or/and manages a user’s data. The user data can be anything that can be used for identification of an individual, including but not limited to name, address, date of birth, contact information, Identification proof, financial information, purchase history, travel history, and other ancillary things like search results on the company’s website or app interface.

A Privacy policy essentially serves as a contract between a website/application and its users in deciding the terms of data collection, storage, processing, ownership and selling rights. A basic draft Privacy Policy should cover the following points:

  • Which information is collected.
  • How is the information used (processing details).
  • How the information is stored or steps taken to ensure the privacy of the user.
  • Company’s contact information.
  • The policy details on cookies, tracking and log file maintenance.
  • How can a User opt out of the data collection.

A Company’s Privacy Policy differs according to its business profile and its data collection needs. For a better understanding of privacy policy, we must have a comparative analysis of the privacy policy of two major corporations of the world which dominate the internet space and whose privacy policies affect almost all internet users in one way or another i.e. Google and Apple.

Google vs. Apple – To each his data needs

Company

What information is collected

How the information is used

Who can access the information

Google

– It’s the major internet giant, its privacy policy covers almost all facets of internet use, from play store, google images, Gmail, Maps, Android, YouTube and the everyday search results on google done on any browser including Google Chrome

  • Personal details like Name, gender, birthday, country, telephone number, email address, payment information, pictures uploaded.
  • Device details like model, OS, mobile network
  • Information while logged in: Search Results, Voice data (voice searches), browser setting, bookmarks, URLs
  • Location details: Daily movements, common routes (Maps data), IP Address.
  • Other Application settings from Google Play store
  • Cookies: Used in Google Analytics and advertising services
  • Content Preference (YouTube), ads clicked
  • Email Contacts and Gmail details, Calendar and Drive data
  • Any other activity on websites which use Google AdSense and Google Analytics.

The Privacy Policy of Google says that all information Google collected by Google and its subsidiaries is used for providing and maintaining better Google services. This includes refining relevant search results and making more tailored ads.

If a person has a Google account, their name, profile picture, and certain actions linked to the account may appear publicly depending on their visibility settings.

Account details like specific application, device and language settings are used for enabling a consistent experience across all Google services.

Google says it does not use cookies for associating with ads based on race, faith or sex of the user but there are no bounds on economic profiling which can be used as a proxy for all the above criteria.

Any information provided to one Google service can be used by other Google Subsidiaries which creates a whole ecosystem of data.

Users of Google Services get an option for reviewing and managing what information is collected and how it can be shared by adjusting the privacy setting.

Google can share the personal data of the User with companies, organizations or individuals outside Google which follows the privacy setting chosen by the User. The Privacy setting permissions include app permissions and consent given to third party applications when Google Account login is used.

User’s personal data may be given to third parties, Google’s affiliates or even to law enforcement, for complying with government requests. Google says they screen the information requests but does not specify any specific authorities whose permission would be necessarily required. This opens the gate for many executive agencies and does not leave room for one specified procedure for extracting data.

Apple-

Unlike Google, Apple is not primarily involved in advertisement, hence it has less use for mining personal information for commercial profiling and sale oriented data analytics. Apple segregates the data it collects into two separate categories: personal and non-personal. But this information division is not easily scrutinized once the privacy policy is seen in detail.

  • Personal details the User may provide like Name, email address, contact information like phone number and financial information,
  • Name, email address, contact and financial information of others who receive gift cards in Apple stores from the User’s ID.
  • Details of Aadhar or KYC information for payment.
  • Non personal information, under non personal information details like location, ISP details, network settings, Maps are included which give time zones, location areas, daily movements, frequent places visited. It also includes activities done on the ICloud, App Store, Mac App store, iBooks and other apple affiliated products. 
  • Search queries on the Safari browser when logged in to your Apple device
  • Cookies and Pixel tags are used for monitoring user behavior, which websites users have visited and serve target ads on Apple platforms.

Apple’s Privacy Policy specifies the following uses of personal data of its subscribers

 Personal information like device information, contact information is used for updating the customers about any new product announcements, update of software, any purchases made from Apple store, and communication regarding any changes made to Apple’s terms and conditions. Apple says the personal information is not shared with third party users and it only uses non-personal information to be accessed by third party applications or websites. The reason which Apple cites is that the non-personal information cannot be used for targeting one specific individual but data like Maps, ISP details can be used for pinpointing individuals.

This Non personal information can be shared with third parties. Apple does not even prescribe the conditions when the data can be shared and instead uses terms like “in any condition” which is a very wide ambit. Most of this data is used for targeted ads on App stores and iTunes.

Apple does have privacy barriers like if the information collected by apps or websites has both personal and non-personal information then Apple will only let the third party use it when both are clearly separated. 

Apple asserts that Third party apps and websites can only use non-personal information for building a faceless profile, they cannot identify the individual. This profile is made for serving targeted advertisements.

Apple’s privacy policy does not cover instances when the user allows third party apps permission to use their location tracking services.

Apple’s Privacy Policy states that the Personal information a user provides to them, can only be used by Apple and its “strategic partners” a term which is not clearly defined and depends on commercial partnerships which Apple may undertake.

Apple states that the personal information provided to Apple shall be only used for improving its own products and services and not shared with third parties. But this may not be binding in cases where the User gives the website or app another permission.

Apple says that only non-personal information is shared with third-parties for their purposes of marketing and advertising.

Users with Apple IDs may enable “Limit Ad Tracking”, which can prevent them from receiving targeted ads.

Apple says that it will hand over personal information about its users to government agencies and law enforcement only if “disclosure is necessary or appropriate”, or for enforcement of terms and conditions, or in order to protect other users and Apple. 

Again no specific procedure for taking permission from the government authorities is prescribed or court orders are mandated. This puts the framework of seeking personal information in the hands of the government authorities.

As can be gauged from the above cursory understanding of the Privacy Policies of Apple and Google, their enforcement and extraction of a user’s data are heavily dependent on the local legislation and its provisions regarding personal data management by the companies which extract, store or manipulate it for marketing and advertising purposes. Hence for a clearer impact of the privacy policy the legislation regarding Data protection in India is required and we shall compare it with the latest most comprehensive Data Protection legislation i.e. the Global Data Protection Regime (GDPR).

Data protection legislation comparison – India vs. France

Topic

India

France

Legislation and Authorities

As of 2020, India does not have a single comprehensive code regarding Data Protection. The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) are the only legislative and executive framework to deal with protection of personal data.

The Union Government has presented the Personal Data Protection Bill, 2019 in Parliament which is pending before a House Committee.

As of 2018 the General Data Protection Regulation (GDPR) is applicable on any matter of data protection or cyber security matters in all EU Member Countries.

Authorities responsible for data regulation

Although in India there is no dedicated authority for data protection, the IT Act provides for appointment of Adjudicating Officers for adjudicating on IT Act offences. 

The Personal Data Protection Bill provides for the constitution of a Data Protection Authority of India (DPAI).

In France they have a dedicated Supervisory Authority, named Commission Nationale de L’informatique et des Libertés (CNIL) which issues guidelines regarding data protection measures to be taken by corporations and other entities.

Territorial Scope of the Current Legislation or Regulation

The question of applicability of the IT Act and SPDI Rules on an entity incorporated outside India is not provided explicitly. IT Act says that it shall apply to offence or contravention committed outside India by any person irrespective of their nationality as long as the act which has offended involves a computer based in India.

The GDPR’s territorial limitation includes businesses established in EU countries including businesses which process the data of EU residents in context of that business even if the processing is not done in the EU. 

Extent of Individual Rights available  

Accessing the data/copies

Providers of data under SPDI have the right to review the data.

The PDP Bill also provides for a right where the data provider can obtain personal data summary from the Intermediary by making a request.

Rectification of errors

Providers of data under SPDI can seek corrections or amendments to the data. 

The PDP Bill also gives similar provisions.

Delete data/Right of being forgotten

This right has not been provided under the SPDI Regulations, only inaccurate data can be specifically deleted.

The PDP Bill provides for this right, under it the User can restrict continued disclosure after obtaining a direction from the DPAI only in cases where the disclosure of data has served its purpose, the disclosure is not required any more, the User has withdrawn his consent to the disclosure, or the disclosure process was in violation of PDP Bill or any other law.

Objection against data processing

No such right is provided in the SPDI or the PDP Bill.

Restrict data processing

No such right is provided in the SPDI or in the PDP bill.

Objection against Marketing

No such right provided in the SPDI or in the PDP Bill

Accessing data/copies

The user can obtain from the data controller the following information:

  • If the controller is processing the data and if so, where the data is being processed.
  • The purpose of the data processing.
  • The categories of data being processed
  • Kinds of recipients which receive the processed data.
  • The time period for which the data will be stored.
  • Information about the data rights User has to this processed data.
  • In cases where the User is not a direct source of data then disclosure about the real source.

Rectification of errors

Controllers have responsibility to verify data and correct if incomplete or inaccurate. Data subjects have a right to seek rectification.

Delete data/Right of being forgotten

Users have the right to erase their personal data if

    • Data is no longer needed for the original purpose.
    • User withdraws his consent.
    • The User object to the processing and the controller has no grounds to seek overriding of said objection.
  • The Data processing is unlawful, or deletion is required as per EU law or national laws.

Objection against data processing

Users can object to data processing where it is stated that the data processing is for the benefit of the controller (commercial). The Controller can override such objection by showing compelling grounds for processing as necessary such that it overrides the interest of the User.

Restrict data processing

Users can also seek to restrict the data processing in cases where:

  • The accuracy of data is doubtful.
  • Processing is unlawful.
  • The original purpose of collecting data is exhausted.
  • Erasure request is pending before the adjudicating authority.

Objection against marketing

Users can object to data marketing and to processes like data profiling.

Conclusion

As is fairly apparent from the above table, India still operates in a legislative vacuum regarding data protection regulation, and with every passing year, the data mining needs of the Fifth Industrial Revolution are bound to increase. Nowadays from banking to chatting on email leaves a trail of data open for profiling of the individual which is being monetized and used by corporations for advertisement or product development. Coupled with the security concerns abound in Western societies about government interference, a strong and well-crafted data regulation statute a sine qua non in the time to come. India is the country of over four hundred million smartphones with their data in hands of several hundred companies unregulated in its usage or processing, it’s time that the country taps into this vast ocean and makes a case for the citizens and creates an environment for them to enter the new era in a safe, independent manner.


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

Did you find this blog post helpful? Subscribe so that you never miss another post! Just complete this form…

LEAVE A REPLY