- US - No overarching data protection framework; sector-wise laws instead - e.g. GLB (Gramm-Leach-Bliley Act) - provisions for the collection and use of financial data
- EU - GDPR (replaces the Data Protection Directive of 1995) - technology- and sector-agnostic
Current state in India - the SPD Rules (Sensitive Personal Data or Information Rules) were issued under Section 43A of the IT Act -
- Liability for negligence in implementing and maintaining reasonable security practices and procedures while dealing with sensitive personal data or information
Data Principal (Individual/Consumer) and Data Fiduciaries (Data collecting entity)
The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. In respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India. Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
Factors for treating a category of personal data as sensitive:
- the likelihood that processing of a category of personal data would cause significant harm to the data principal
- any expectation of confidentiality that might be applicable to that category of personal data
- whether a significantly discernible class of data principals could suffer harm of a similar or relatable nature
- whether the general rules applicable to personal data are adequate for that category
Categories of sensitive personal data:
- Passwords
- Financial data
- Health data
- Official identifiers which would include government issued identity cards
- Sex life and sexual orientation
- Biometric and genetic data
- Transgender status or intersex status
- Caste or tribe
- Religious or political beliefs or affiliations
Standards for anonymisation and de-identification (including pseudonymisation) may be laid down by the DPA (Data Protection Authority). However, de-identified data will continue to be within the purview of this law; only anonymised data that meets the standards laid down by the DPA would be exempt from the law.
Any enumeration of a consent framework must be based on this salient realisation: on the internet today, consent does not work.
Not respecting the terms of the agreement, or the agreement being in a form which is not compliant with the data protection law, can cause certain harms:
- Manufacturing defects
  - Personal data is collected which is not reasonably expected by the data principal
  - The purposes for which personal data is sought are not those reasonably expected by the data principal
  - Disclosure and sharing of personal data is allowed with such persons and in such manner as is not reasonably expected by the data principal
- Design defects
  - The notice did not appear before the application was installed
  - Pre-checked boxes existed
  - The appropriate standard of clarity of notice was not met
- Marketing defects
  - Potentially harmful/burdensome/onerous clauses of the contract were not pointed out specifically to the data principal
Taking consent - the correct way:
1. Collect only the personal data necessary for providing the service to the data principal and fulfilling the purposes specified, and disclose such data only to such persons as reasonably expected by the data principal
2. Communicate (1) above through a clear notice
3. Ensure that contractual terms that are potentially onerous or harmful do not escape the attention of the data principal
4. Show the notice before any of the practices communicated in the notice take place
5. Require affirmative consent from the data principal, without any pre-checked boxes
6. Provide the requisite granularity, allowing data principals to access services without necessarily consenting to all or nothing
For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.
For a data fiduciary in the digital economy, abuse of power is understood as the data fiduciary processing personal data in a manner not authorised by the principal or by law, for ends that may not be in the principal's best interest. The objective of preventing such abuse is best captured by an obligation to ensure fair and reasonable processing.
- The right to confirmation, access and correction should be included in the data protection law
- The right to data portability, subject to limited exceptions, should be included in the law
- The right to object to processing, the right to object to direct marketing, the right to object to decisions based solely on automated processing, and the right to restrict processing need not be provided in the law, for the reasons set out in the report
Cross-border transfer and localisation: First, all personal data to which the law applies should have at least one live, serving copy stored in India. Second, in respect of certain categories of personal data that are critical to the nation's interests, there should be a mandate to store and process such personal data only in India, such that no transfer abroad is permitted. Third, the Central Government should be vested with the power to exempt transfers on the basis of strategic or practical considerations, thereby facilitating the free flow of data across borders where justified. While these measures may not lead to perfect compliance, they are expected to significantly bolster domestic enforcement and reduce reliance on the MLAT (mutual legal assistance treaty) request regime.
All relevant laws will have to be applied along with the data protection law, as the latter will be the minimum threshold of safeguards for all data processing in the country. In the event of any inconsistency between data protection law and extant legislation, the former will have overriding effect.