In January 2020, Unacademy, one of the newest entrants to the unicorn startup club, suffered a data security breach. In October 2020, Airtel caused an uproar when the privacy policy on its website stated that the company and its authorised third parties could collect, store and process sensitive personal information of its users. After much debate and furore, the policy was updated to remove the contentious parts. A more comical instance occurred when an app by the name of ‘Tooter’, riding the wave of ‘aatmanirbharta’, was launched as a substitute for Twitter. The only problem was that the developers had not noticed that their own privacy policy stated that the laws of the state of Pennsylvania, US would govern the app and any disputes relating to it.
There are numerous such instances where companies pay only lip service to their privacy policies, and some not even that, even though such policies are mandated by law. This article seeks to draw attention to an issue that is often overlooked by companies and their users alike.
LEGAL FRAMEWORK
A privacy policy, broadly speaking, is a published statement that sets out how an organisation or entity collects, uses, discloses and protects personal information. In India, in the absence of a dedicated privacy law, privacy and matters pertaining to it are governed by the Information Technology Act, 2000 (“Act”) and the various rules issued under it from time to time. The applicable rules here are the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Rules”).
Rule 4 of the Rules states that any body corporate, or any person acting on its behalf, that collects, receives, possesses, stores, deals in or handles information of a provider of information shall provide a privacy policy for the handling of, or dealing in, personal information including sensitive personal data or information, and shall ensure that the policy is available for view by those providers who have furnished such information under a lawful contract. Further, the privacy policy must be published on the website of the company or body corporate collecting the information.
The privacy policy should clearly state the type of information being collected, the purpose and usage of such information, the method and procedure of disclosure of such information, including sensitive personal information, and the security practices and procedures that the company or body corporate maintains, to keep the information secure.
Rule 5 of the Rules lays down the procedure for collecting data or information. Among other things, it states that the company or body corporate shall obtain the user’s consent in writing, through letter, fax or email, before collecting sensitive personal data or information, and that information shall be collected only for a lawful purpose connected with a function or activity of the body corporate and only where the collection is necessary for that purpose. Further, the user must have the option to withdraw consent at any time, in which case the service provider, company or body corporate is free to withhold the goods or services for which the information was sought.
Inter alia, the Rules also require the company, service provider or body corporate to appoint a grievance officer and to publish her/his name and contact details on its website, and grievances must be redressed expeditiously, within one month of receipt.
Rule 8 of the Rules deals with reasonable security practices and procedures. It states that a body corporate is treated as compliant if it has implemented a comprehensive, documented information security programme and information security policies commensurate with the information assets being protected. The international standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard that may be adopted. The Rules further require these security practices to be certified or audited by an independent auditor approved by the Central Government, at least once a year or whenever the body corporate significantly upgrades its processes or computer resources.
GDPR COMPLIANT PRIVACY POLICY
Where a company collects the personal data of subjects residing in the European Union, it also falls within the ambit of the General Data Protection Regulation (GDPR) framework, and its privacy policy should reflect compliance with it. Where consent is the legal basis relied on for collecting personal data, the consent must be freely given, specific, informed and unambiguous, which in practice means an active opt-in rather than a pre-ticked box or silence. The privacy policy must then contain (i) a declaration as to who is processing the data, including the controller’s contact details, (ii) a statement of the purpose and legal basis for collecting and processing the data, (iii) whether the company transfers the data internationally, along with any third party with whom it shares the data, (iv) clear information about the data subjects’ rights, including the right to withdraw consent and the right to lodge a complaint with a supervisory authority, (v) the period for which the data will be retained and (vi) a statement on whether the data will be used for automated decision-making, including profiling.
CONCLUSION
As discussed earlier, as far as legal requirements go, the privacy policy on a company’s website is as important as the product itself, if not more so. Companies ignore this or pay it only lip service, only to realise later that the cost of non-compliance is far higher. Keeping in mind the recent episodes, whether with Zoom, Unacademy, Airtel or Tooter, companies would be well served to put in place a comprehensive, nuanced and legally compliant privacy policy. The following steps help ensure that a privacy policy is nuanced, comprehensive and legally tenable.
The language should be simple and plainly worded so that it is easily understood while still capturing the essence of the policy. It should be nuanced and not a cut-copy-paste job. By way of illustration, the data collected by a telemedicine company, and what it may or may not do with that data, differs considerably from what a social media company collects and does with its users’ data. The type of data collected will also differ in the two cases.
The policy should lay down in clear, simple terms what information is being collected and for what purpose. If any third parties are involved, the privacy policy should clearly state which information is collected by, or shared with, such parties.
Active consent should be obtained from users. The Rules confer certain rights on users/data subjects, and these rights should be clearly laid down so that users are aware of them. Before giving consent to the collection of data, a user must be given the option not to provide the data at all, and must be able to withdraw consent later and exercise the other rights set out in the policy.
Proactively, companies should follow a practice of minimal data collection, which is to say that only data that is strictly necessary for the stated purpose should be collected, since data that is never collected cannot be breached or misused, and this limits liability to the extent possible. Employees should be sensitised to follow industry-standard practices, employment contracts should spell out the duty to maintain privacy, and such standards should be inculcated in the company culture.
In India, while another law is in the offing in the form of the proposed PDP Bill, what is really needed is for regulators to enforce the existing rules and laws strictly. The regulatory and enforcement bodies must ensure that privacy policies are comprehensive and presented in easy-to-understand language, and that privacy by design is followed in every aspect of data handling.
Lastly, awareness among the public at large is the most effective catalyst for change. Users and consumers must be conscious of what data is being asked of them and whether it is actually required, and must be made aware of their rights, so as to keep companies on their toes.
The writers are lawyers advising startups and fintechs. The views expressed are personal.