INTRODUCTION
In the era of digitisation and data privacy, privacy regulations are required and utilised all over the world. These policies are created in order to protect personal information of every citizen in the country. A privacy policy can be defined as a legal instrument that deals with the manner in which information is gathered by a site or an application from its clients/users.
The owner of a website is required to indicate what information they will gather from the users and how such information will be utilized and applied. The user information given on the site or in a mobile application can be subject to exploitation and breach and the same can be avoided if it is regulated in an appropriate way. Hence, every site or application should have measures to safeguard such information and that is the main objective of privacy policies.
Whenever users submit their data to organizations, they hand over personal and sensitive personal information which can be used against them if it falls into untrustworthy hands.
In light of the foregoing, data privacy policies or privacy policies are implemented on websites and in applications to safeguard the personal information of the users, including the clients and employees of the organizations.
PRESENT CONDITIONS OF DATA PRIVACY POLICIES
In 2020, India prohibited 118 additional Chinese applications since they were violating Section 69A of the Information Technology Act, 2000. According to reports, these applications were viewed as indulging in the unlawful collection of information. The data gathered included sensitive data of shoppers, their GPS locations, WiFi access names, and so forth.
LinkedIn, the world’s biggest professional website, in April 2020, confirmed a huge data breach in which the information of more than 500 million of its users was exposed. The leaked data sets included personal data of its users and were allegedly sold to unknown and illegal websites. Furthermore, in April 2021, the renowned Indian start-up Big Basket announced data breaches and security bugs in its systems, compromising the sensitive data of more than 20 million users.
Several data breach incidents like the ones mentioned above have taken place in the recent past. While enormous fines for data breaches make headlines, it is appropriate for developing businesses to adopt a risk-management-based approach to information security, since the consequences of these breaches are unlimited.
SALIENT FEATURES OF DATA PRIVACY POLICIES
A privacy policy is similar to any kind of contract or legal instrument. Privacy policies need to be tailored to the requirements of the organization or website in which they are to be implemented. A privacy policy ought to be drafted with reason and thought, as it safeguards the procedure by which the organization collects the personal information of its users.
The fundamental elements which are important to incorporate in a privacy policy are the following:
- Consent
One of the most essential elements of a privacy policy is ‘consent’. The essential aspect of consent has been highlighted in the Supreme Court case of Justice K.S. Puttaswamy v. UOI [(2017) 10 SCC 1].
It was stated in that judgement that “if an individual grants permission to somebody to go into their house it doesn’t imply that others are also allowed to go into the house. It becomes essential to maintain and keep in check the rights of the individual which is applicable in both, be it in physical form or technological form.”
No data should be utilized without the consent of the person providing the data. Ordinarily, organizations make their privacy policies as detailed as possible to stay away from risk. Consent forms the fundamental crux of any privacy policy. Over time, the Government and the Judiciary, through several judgments, have cited the importance of consent.
A privacy policy should distinctly ask for user consent for processing their personal or sensitive personal data. Such consent should be mandatorily obtained in an express and explicit manner and should not be ambiguous or implied. When the user starts to use the web platform for its services, the user's act of utilising the web services is usually considered an agreement to the privacy policies of the website.
- Choice
Another essential element of a data privacy policy is the choice or option to agree to it or opt out of it. It is not adequate merely to show that the user has accepted the policy or the privacy agreement on the website through a ‘click-wrap’ procedure; the user should be given an option to opt in to or out of the agreement with regard to sharing their personal data with the business.
Websites asking for user consent should also have a provision through which users can opt out of the data processing mechanism. The privacy policy should explicitly lay down the procedure for opting out of the data processing conducted by the organisation.
Furthermore, the privacy policy should also set out how data which has already been submitted or processed will be taken care of in case the user opts out in the future.
- Purpose of the Data Collected
The privacy policy must state the reason for collecting the information. The reason for collecting the personal data, whether providing it is mandatory or optional, and the period for which such personal data will be stored on the organization's servers are all to be listed in the privacy policy itself.
An exhaustive privacy policy which includes all the possible reasons and aspects for data collection and data processing would negate any potential risk which could be attributable to the organization in the future.
If the purpose for which the data was collected is later modified, the users shall be informed of the change at the earliest. Usually, data gathered for a predefined reason cannot be held for longer than is required for that purpose.
Accordingly, once the personal data has been utilized for the required reason, it ought to be disposed of by the Data Controller.
- Third Party Data Transfers and Cross Border Sharing
Given the boundary-less nature of today’s internet, it is important to stipulate the extent of data sharing or data transfer. Users should be made aware of whether their personal data will be transferred beyond the national jurisdiction or to any third party.
Furthermore, organizations should also ensure that they comply with the data protection laws of the several jurisdictions involved, as these might have different implications for the data that is being processed and transferred.
AMLEGALS Remarks
Taking into account that the technological population in India has developed significantly, information security and information assurance are central issues right now. Each user visiting a website leaves digital footprints, which usually constitute their private information. This might include, purposely or accidentally, giving their IP address, name, gender, or other such personal and sensitive personal data.
To regulate this entire process of data collection, processing and storing, organizations should implement exhaustive privacy policies which include all the important elements discussed above.
Terms of purpose and privacy policies ought to be treated as among the most important legal instruments, which are mandatory while building a website, and they should be tailored to the business necessities and the target user base, along with due compliance with national and international laws.
–Team AMLEGALS assisted by Ms. Amrita Ghosh (Intern)
For any queries or feedback, please feel free to get in touch with aditi.tiwari@amlegals.com or mridusha.guha@amlegals.com