ORDINANCES AND DATA PROTECTION



With the arrival of modern technology and the internet, every second person is engaged in data usage. The rate of consumption can be gauged from the number of customers in the digital world. The frequent birth of new network companies every now and then shows how favourable the market is. Data usage helps these companies grow and stay competitive by exploiting this data.

There is no particular definition of ‘big data’; however, it is largely accepted that the importance of big data lies in its sheer volume and its continuous flow from a vast group of sources such as Facebook posts, tweets, clickstream, online transactions, email, uploaded images, cookies, and the internet of things including smart watches, smart gear, smart lighting, and the like. Big data consists of data created in real space, collected in real time, and pertaining to highly personal, sensitive behavioural patterns such as habits, likes, and dislikes, as well as travel, movements, health statistics, among others.

Data mining helps companies enhance their business in several ways, while it undermines the privacy of their users. As a result, there is demand for stronger regulatory norms to govern the collection, storage, transmission, and usage of big data. There are three essential elements for the sustainable development of big data: transparency in personal data processing; robust user control over how their data is used; and the establishment of a comprehensive data protection framework.

GOVERNMENT STAND FOR DATA PROTECTION:

India has no dedicated rule book as such for data protection and privacy. However, in the context of digital data processing, certain aspects of data protection are covered under the Information Technology Act of 2000 (‘IT Act’) and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules of 2011 (‘Data Protection Rules’).
Government bodies and individuals engaged in data processing are not covered under the Data Protection Rules. Only companies, including firms, sole proprietorships, and associations of individuals engaged in commercial/professional activities (collectively, the ‘body corporate’), fall under the purview of these Rules.1
The Rules distinguish between ‘sensitive personal data’ and other ‘personal information.’ ‘Personal information’ is information relating to a natural person which, with other information, is directly or indirectly capable of identifying such natural person,2 and within it lies the smaller set of ‘sensitive personal data’, in the form of passwords, finances, health conditions, sexual orientation, medical records and history, and biometric information.

A limitation of the Data Protection Rules is that information of a personal nature pertaining to other persons that is knowingly or unknowingly captured in the background—as in the case of the internet of things—is not covered by these Rules. Technology like the ‘internet of things’ facilitates huge data collection, including of other sensitive personal information such as location, habits, and activity.

In the case of anonymization of data, it can be said that if the collected data is encrypted such that it is no longer capable of revealing identities, then the de-identified data would not qualify as personal information and thus would not fall under the Data Protection Rules. In the context of big data, this implies that even if data collectors anonymize individual datasets obtained from different sources so that the person to whom the data corresponds cannot be identified, if the identity of the person can be revealed upon aggregation of this data, then the anonymized individual datasets and the aggregated data would be classified as personal information under the Data Protection Rules.

PRIVACY PROTECTION RULE:

Ordinance 4 of the Data Protection Rules requires bodies corporate across the data processing chain that collect, store, or otherwise deal with or handle ‘personal information’ to publish a privacy policy on their websites. The privacy policy is to clearly set out their data processing practices, the type of personal information collected, the purpose of collection and usage, as well as details of disclosure made to third parties, and the reasonable security practices and procedures adopted.


In spite of creating additional transparency, a privacy policy does little to actually prevent misuse of data. It is critical to note that Ordinance 4 creates a special obligation upon the body corporate to ensure that its privacy policy is available for view to individuals who have provided information to further a lawful contract. This interpretation is supported by Section 72A of the IT Act, wherein penal liability has been established for persons, including intermediaries, for any wrongful disclosure of personal information secured while providing services under the terms of a lawful contract. Under Section 43A of the IT Act, by contrast, only compensatory liability has been provided in case of any wrongful loss or wrongful gain arising from the negligence of a body corporate in implementing and maintaining reasonable security practices and procedures for sensitive personal data or information.

OTHER RULES:

Rules 5, 6, and 7 of the Data Protection Rules make it compulsory for the body corporate to obtain consent from data providers prior to any collection, disclosure, or transfer of data. Rule 5 also requires a body corporate to disclose the purpose of collection, intended recipients of information, the particulars of the collecting agency, and where the collected information will be stored, as well as the details of the intended use of the collected data. These stipulations are limited in their applicability to sensitive personal data or information. This leaves a large amount of data open to processing without obtaining prior consent or making adequate disclosure to data providers.

Customer consent and notice do not fare well in the world of data exchanges. Where information is continuously collected through sensors on a real-time basis, it would be practically impossible to obtain prior written consent before each instance of data collection. Instead, services such as WhatsApp and Facebook have incorporated a perpetual consent on the part of their users within their terms of service.

Additionally, it is quite difficult for data collectors to provide the particulars of the purpose and usage of the information collected in real time, and it would be impossible for them to identify the multiple hands through which the collected data may pass in the future. This is further complicated by the notification requirement of the data provider to divulge the intended use of data, which is directly tied to the actual collection and usage of data. Data collectors are barred from collecting data beyond what is necessary for the function or activity of the body corporate7 and from using the collected data in any manner that is not disclosed.8 Data collectors also cannot retain the collected data for longer than is required to meet said purposes.9 The only way left for data collectors is to make wide disclosures of the potential use of data in their terms of service for the processing of all existing and future data, which ends up being completely unfruitful in terms of data protection.

Individuals usually ignore such notices or face difficulty in understanding their scope given the complexity of data flows. The effectiveness of prior consent and notice remains doubtful. Sometimes individuals have no choice but to agree to the terms of service in order to avail themselves of the desired service or product.

DECLINING CONSENT:

When using the service, product, or otherwise, individuals may at any time withdraw their consent to share their data with the body corporate. Such withdrawal is to be indicated to the body corporate in writing. Once a person has declined, the body corporate has the option to cease provision of the service or product for which the impugned data had been sought. Yet, no provision has been made to allow data providers access to their past data stored by the data collectors so that they may switch service providers.

SECURITY PRACTICES:

Section 43A of the IT Act requires an institution handling sensitive personal data in a computer resource to implement ‘reasonable security practices and procedures’ to protect such information from ‘unauthorized access, damage, use, modification, disclosure or impairment.’ The Explanation to Section 43A clarifies that the design of these security practices and procedures may be specified in an agreement between parties or in any law being in force at the time. As a result, it remains open for data processors to forge agreements with data providers regarding adoption of security measures for the protection of data. Such a discretionary stance favors data collectors instead of data providers because in actual practice individuals usually fail to grasp the finer points of such terms of service and trade off their personal information to access or acquire the service or product.

Further, Rule 8 of the Data Protection Rules also lacks specificity, in that the rule gives bodies corporate the discretion to formulate their security control measures so long as their security practices and standards for the protection of information assets are commensurate with the nature of business. However, there is no clarity as to how this data security threshold shall be determined, leaving it to the discretion of data collectors to determine the extent of security measures to be put in place for data protection.

Even a minor lapse in implementing or maintaining these reasonable security practices that results in wrongful loss or wrongful gain to any person becomes a liability, inasmuch as a body corporate may have to compensate or pay damages to the affected persons. However, this liability has been narrowly defined to accrue only in respect of ‘sensitive personal data or information’ and with regard to ‘wrongful loss or wrongful gain’, which is to say not just the mere loss of privacy. Furthermore, excluding the minimal residuary liability arising under Section 45 of the IT Act, the unauthorized or negligent divulgence of other personal information, other than as obtained under the terms of a lawful contract, has not been penalized under the IT Act or Data Protection Rules.

CONCERNED CASE:

The misuse of data can be observed in the case of Karmanya Singh Sareen v. Union of India12 before the High Court of Delhi. In this case, privacy activists, through a writ petition, challenged the new terms of service of WhatsApp by virtue of which the application can share its users’ data with Facebook. WhatsApp had assured its users that their data / details would not be shared in any manner. However, with the change in ownership – acquisition of WhatsApp by Facebook – WhatsApp’s privacy policy has undergone a drastic change. Now, the account information of all those users who have not opted out of the new terms of service is being shared with Facebook as well as other group companies and is being subjected to Facebook’s deep data mining, for the purpose of targeted commercial advertising and marketing. Petitioners claimed that this unilateral action contradicts the most valuable, basic and essential feature of WhatsApp, that is, complete security and protection of privacy.

WhatsApp’s counsel argued that it values the privacy of its users, which is evident from the fact that it does not ordinarily retain messages of its users and offers full end-to-end encryption for its services such that WhatsApp and third parties cannot read user messages. Moreover, all those users who are unwilling to share their account information with Facebook / other group companies are free to delete their WhatsApp account, using WhatsApp’s in-app ‘delete my account’ feature. Upon deletion, such information of prior users that WhatsApp no longer needs for operation of its services would automatically stand deleted. Specifically in respect of revision of its terms of service, they averred that WhatsApp had provided advance notice to its users, and only those users who have chosen to continue with the service are being bound by the revised terms, including terms relating to data collection and usage.

Petitioners further argued that this change in the privacy policy is contrary to the principles of estoppel and is against the right to privacy guaranteed under the Constitution of India.
The Court held that users cannot now compel WhatsApp to continue with its original terms of service when the original terms entitled WhatsApp to unilaterally change its privacy policy and stipulated the continued use of WhatsApp service, post amendment of privacy policy, to be considered as “deemed consent” to the terms of the revised policy. Further, the Court observed that no relief can be granted under the Constitution of India as the legal position with respect to the “right to privacy” is, as yet, undecided. The Constitution does not specifically guarantee a right to privacy and the judicial interpretation that the Constitution does provide a right to privacy – primarily through Article 21 – is under challenge before the Supreme Court of India in the pending case K.S. Puttaswamy v. Union of India.13 As such, further to WhatsApp’s terms of service, the Court directed:


I: WhatsApp to completely delete information / data / details of those users who have chosen to delete their WhatsApp account;
II: so far as those individuals who have opted to continue with the use of WhatsApp service are concerned, restrained WhatsApp from disclosing their information / data / details, which was collected under the original terms.

In spite of the many benefits of big data analytics, big data processing poses serious risks to privacy. The concern is not whether to apply data protection laws to big data, but how to apply them innovatively. In the absence of a specific data protection framework and with the growing ubiquity of data collection, the limited protections of the Information Technology Act and Data Protection Rules make it increasingly difficult to protect data privacy. Hence, it can be concluded that data protection is a significant issue and our ordinances need to be applied effectively, with further amendment of these laws.

 
