PSL Advocates and Solicitors | View firm profile
Users are often required to enter their personal data, such as names, phone numbers or such other data that can be used to identify them to avail services offered on the application/platform. Users may also be given no option but to grant access to information completely irrelevant to the services being offered and, refusal to do so can lead to denial of service altogether. The information so gathered is sometimes also used to send out newsletters or targeted advertisements by the service provider or third parties without the user having specifically consented to it. Legally, this raises concerns not only relating to protection of personal data of users but also their freedom of choice.
One way around is to take a better quality of ‘consent’ than what is currently mandated. India could soon see an extensive personal data protection legislation that would check the unscrupulous collection and use of people’s data. The Personal Data Protection Bill, 2019 (‘Proposed Bill’) lays down detailed requirements that would have to be followed by persons or entities determining collection, processing or purpose of using personal data extracted through such applications/platforms (‘data fiduciaries’). Failure to comply could attract fines to the tune of crores of rupees, uncapped amounts of compensation and even imprisonment of defaulting individuals.
As per the Proposed Bill, lengthy and complex privacy and cookie policies would have to give way to clear, concise and easily comprehensible versions. Users should be able to easily identify what information is necessarily required and the specific purpose of use consented to. Its aim is to resist unwittingly parting with or permitting sharing of personal data with third parties such as advertisers or other websites, say Facebook or Youtube, under the garb of generalised purpose statements such as ‘personalised user experience’. Data fiduciaries would now have to explain how information would be processed to enable such an experience.
Privacy policies in themselves would have to be over-hauled to prioritise the rights and interests of users. They must be structured to give them granular control over what they consent to. This means that an all-encompassing or bundled consent will not be valid. Contrasting the prevalent practice, users would have to be given a default option to ‘opt-in’ rather than to have to ‘opt-out’ of consenting to each different process, where possible.
Consent must be informed and free from defects such as duress or misrepresentation. Users must not be denied provision of or quality of goods or services should they refuse to consent to inessential processing. Consent must be given by an affirmative action rather than be merely inferred in a given context. It may even be withdrawn. In fact, in case of specified sensitive personal data, like financial data or any official identifier such as Aadhar number, separate and explicit consent must be obtained for each piece of information and purpose after informing about any risk of significant harm.
The Government would classify data fiduciaries or social media intermediaries who, amongst other things, process high volumes of data, use new processing technologies or engage in processing that could cause harm to persons as significant data fiduciaries. They would have to comply with additional obligations and be subjected to heftier penalties.
Many have expressed concerns that certain obligations under the Proposed Bill could impose undue legal and monetary burden on individuals or smaller organisations collecting or processing data through applications or web platforms. To understand the market’s perspective, the Parliamentary Committee has sought views of industry leaders Microsoft and Facebook and industrial associations ASSOCHAM and NASSCOM on the Proposed Bill.
Authored by: – Ms. Aastha Saxena, Associate, PSL Advocates & Solicitors