Company

What information is collected

How the information is used

Who can access the information

Google

– It’s the major internet giant, its privacy policy covers almost all facets of internet use, from play store, google images, Gmail, Maps, Android, YouTube and the everyday search results on google done on any browser including Google Chrome

• Personal details like Name, gender, birthday, country, telephone number, email address, payment information, pictures uploaded.
• Device details like model, OS, mobile network
• Information while logged in: Search Results, Voice data (voice searches), browser setting, bookmarks, URLs
• Location details: Daily movements, common routes (Maps data), IP Address.
• Other Application settings from Google Play store
• Cookies: Used in Google Analytics and advertising services
• Content Preference (YouTube), ads clicked
• Email Contacts and Gmail details, Calendar and Drive data
• Any other activity on websites which use Google AdSense and Google Analytics.

The Privacy Policy of Google says that all information Google collected by Google and its subsidiaries is used for providing and maintaining better Google services. This includes refining relevant search results and making more tailored ads.

If a person has a Google account, their name, profile picture, and certain actions linked to the account may appear publicly depending on their visibility settings.

Account details like specific application, device and language settings are used for enabling a consistent experience across all Google services.

Google says it does not use cookies for associating with ads based on race, faith or sex of the user but there are no bounds on economic profiling which can be used as a proxy for all the above criteria.

Any information provided to one Google service can be used by other Google Subsidiaries which creates a whole ecosystem of data.

Users of Google Services get an option for reviewing and managing what information is collected and how it can be shared by adjusting the privacy setting.

Google can share the personal data of the User with companies, organizations or individuals outside Google which follows the privacy setting chosen by the User. The Privacy setting permissions include app permissions and consent given to third party applications when Google Account login is used.

User’s personal data may be given to third parties, Google’s affiliates or even to law enforcement, for complying with government requests. Google says they screen the information requests but does not specify any specific authorities whose permission would be necessarily required. This opens the gate for many executive agencies and does not leave room for one specified procedure for extracting data.

Apple-

Unlike Google, Apple is not primarily involved in advertisement, hence it has less use for mining personal information for commercial profiling and sale oriented data analytics. Apple segregates the data it collects into two separate categories: personal and non-personal. But this information division is not easily scrutinized once the privacy policy is seen in detail.

• Personal details the User may provide like Name, email address, contact information like phone number and financial information,
• Name, email address, contact and financial information of others who receive gift cards in Apple stores from the User’s ID.
• Details of Aadhar or KYC information for payment.
• Non personal information, under non personal information details like location, ISP details, network settings, Maps are included which give time zones, location areas, daily movements, frequent places visited. It also includes activities done on the ICloud, App Store, Mac App store, iBooks and other apple affiliated products. 
• Search queries on the Safari browser when logged in to your Apple device
• Cookies and Pixel tags are used for monitoring user behavior, which websites users have visited and serve target ads on Apple platforms.

Apple’s Privacy Policy specifies the following uses of personal data of its subscribers

 Personal information like device information, contact information is used for updating the customers about any new product announcements, update of software, any purchases made from Apple store, and communication regarding any changes made to Apple’s terms and conditions. Apple says the personal information is not shared with third party users and it only uses non-personal information to be accessed by third party applications or websites. The reason which Apple cites is that the non-personal information cannot be used for targeting one specific individual but data like Maps, ISP details can be used for pinpointing individuals.

This Non personal information can be shared with third parties. Apple does not even prescribe the conditions when the data can be shared and instead uses terms like “in any condition” which is a very wide ambit. Most of this data is used for targeted ads on App stores and iTunes.

Apple does have privacy barriers like if the information collected by apps or websites has both personal and non-personal information then Apple will only let the third party use it when both are clearly separated. 

Apple asserts that Third party apps and websites can only use non-personal information for building a faceless profile, they cannot identify the individual. This profile is made for serving targeted advertisements.

Apple’s privacy policy does not cover instances when the user allows third party apps permission to use their location tracking services.

Apple’s Privacy Policy states that the Personal information a user provides to them, can only be used by Apple and its “strategic partners” a term which is not clearly defined and depends on commercial partnerships which Apple may undertake.

Apple states that the personal information provided to Apple shall be only used for improving its own products and services and not shared with third parties. But this may not be binding in cases where the User gives the website or app another permission.

Apple says that only non-personal information is shared with third-parties for their purposes of marketing and advertising.

Users with Apple IDs may enable “Limit Ad Tracking”, which can prevent them from receiving targeted ads.

Apple says that it will hand over personal information about its users to government agencies and law enforcement only if “disclosure is necessary or appropriate”, or for enforcement of terms and conditions, or in order to protect other users and Apple. 

Again no specific procedure for taking permission from the government authorities is prescribed or court orders are mandated. This puts the framework of seeking personal information in the hands of the government authorities.

Topic

India

France

Legislation and Authorities

As of 2020, India does not have a single comprehensive code regarding Data Protection. The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) are the only legislative and executive framework to deal with protection of personal data.

The Union Government has presented the Personal Data Protection Bill, 2019 in Parliament which is pending before a House Committee.

As of 2018 the General Data Protection Regulation (GDPR) is applicable on any matter of data protection or cyber security matters in all EU Member Countries.

Authorities responsible for data regulation

Although in India there is no dedicated authority for data protection, the IT Act provides for appointment of Adjudicating Officers for adjudicating on IT Act offences. 

The Personal Data Protection Bill provides for the constitution of a Data Protection Authority of India (DPAI).

In France they have a dedicated Supervisory Authority, named Commission Nationale de L’informatique et des Libertés (CNIL) which issues guidelines regarding data protection measures to be taken by corporations and other entities.

Territorial Scope of the Current Legislation or Regulation

The question of applicability of the IT Act and SPDI Rules on an entity incorporated outside India is not provided explicitly. IT Act says that it shall apply to offence or contravention committed outside India by any person irrespective of their nationality as long as the act which has offended involves a computer based in India.

The GDPR’s territorial limitation includes businesses established in EU countries including businesses which process the data of EU residents in context of that business even if the processing is not done in the EU. 

Extent of Individual Rights available  

Accessing the data/copies

Providers of data under SPDI have the right to review the data.

The PDP Bill also provides for a right where the data provider can obtain personal data summary from the Intermediary by making a request.

Rectification of errors

Providers of data under SPDI can seek corrections or amendments to the data. 

The PDP Bill also gives similar provisions.

Delete data/Right of being forgotten

This right has not been provided under the SPDI Regulations, only inaccurate data can be specifically deleted.

The PDP Bill provides for this right, under it the User can restrict continued disclosure after obtaining a direction from the DPAI only in cases where the disclosure of data has served its purpose, the disclosure is not required any more, the User has withdrawn his consent to the disclosure, or the disclosure process was in violation of PDP Bill or any other law.

Objection against data processing

No such right is provided in the SPDI or the PDP Bill.

Restrict data processing

No such right is provided in the SPDI or in the PDP bill.

Objection against Marketing

No such right provided in the SPDI or in the PDP Bill

Accessing data/copies

The user can obtain from the data controller the following information:

• If the controller is processing the data and if so, where the data is being processed.
• The purpose of the data processing.
• The categories of data being processed
• Kinds of recipients which receive the processed data.
• The time period for which the data will be stored.
• Information about the data rights User has to this processed data.
• In cases where the User is not a direct source of data then disclosure about the real source.

Rectification of errors

Controllers have responsibility to verify data and correct if incomplete or inaccurate. Data subjects have a right to seek rectification.

Delete data/Right of being forgotten

Users have the right to erase their personal data if

• • Data is no longer needed for the original purpose.
  • User withdraws his consent.
  • The User object to the processing and the controller has no grounds to seek overriding of said objection.
• The Data processing is unlawful, or deletion is required as per EU law or national laws.

Objection against data processing

Users can object to data processing where it is stated that the data processing is for the benefit of the controller (commercial). The Controller can override such objection by showing compelling grounds for processing as necessary such that it overrides the interest of the User.

Restrict data processing

Users can also seek to restrict the data processing in cases where:

• The accuracy of data is doubtful.
• Processing is unlawful.
• The original purpose of collecting data is exhausted.
• Erasure request is pending before the adjudicating authority.

Objection against marketing

Users can object to data marketing and to processes like data profiling.