Data collection and backup process

The Problem Businesses and Startups face Today

In recent times, the collection of personal data over the internet through services used by consumers has been criticized for invading people's privacy. Since the pandemic started, consumers have become more aware of their digital data privacy rights. This has led to several consumers losing trust in the practices of businesses. Worse than that, consumers are even willing to abandon well-reputed brands if their data is misused, breached or inappropriately traded. For instance, when WhatsApp changed its Privacy Policy in India in 2021, several users abandoned WhatsApp and shifted to other services like Telegram.

Breaking Down what Data Collection means

Meaning of Data collection

Data collection over the internet is a very common practice and can be seen on almost all websites. This includes the use of various types of cookies and other similar technologies. Collecting user data reveals different forms of information about the user, such as the IP address, the device information, etc. Data collection not only poses a threat to the privacy of individuals but also invades it. The practice is used to track the behavior of customers online so that businesses may gain an understanding of consumer behavior. This activity per se is unconstitutional since Privacy is a Right that has been included under Article 21 and other Articles of Part III of the Constitution.


Is Privacy at all related to Data Collection?

Personal data is any information that can be identified with, or can identify, any living individual. Different pieces of data which, collected together, lead to the identification of a specific person also constitute personal data. According to the website of the European Commission1, the following are a few examples of what constitutes personal data:

  1. A Name and Surname;
  2. A home address;
  3. An identification card number;
  4. Location data (e.g., GPS location);
  5. Internet Protocol (IP) address;
  6. The advertising identifier of a user’s phone;

What saves Startups and Businesses

PRIVACY POLICY. A Privacy Policy is a statement that is legally binding on both parties to an agreement: the online service provider as well as the user of such service. It provides detailed information on how a website, web app or mobile app collects data, what data it collects and how such data is used thereafter. A Privacy Policy needs to be well drafted so as to clearly express what the service provider wants to communicate to consumers regarding the treatment of their privacy while using its services.


The New IT Rules, 2021 make some Significant Changes

The Information Technology Act, 2000 does not address the issue of personal data collection over the web in detail. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, however, do not try to fill this gap. The new Rules have been framed with the intention of protecting the sovereignty and integrity of India.

What the Rules Say

The Rules do not speak about intermediaries collecting personal data of users but instead state that people using the services should not host, display, upload, modify, publish, transmit, store, update or share any information that is invasive of another’s privacy, including bodily privacy. Rule 3(1)(a) makes it mandatory to publish the rules and regulations, privacy policy and user agreement of the service to consumers. Rule 3(1)(b) lists what must mandatorily be communicated to the user of the service (whether website, web app or mobile app).

The Rules make it mandatory to register each user of a service. In addition, they state that if an intermediary collects any user data, then such data shall have to be retained by the intermediary for 180 days after the cancellation or withdrawal of the user's registration, but the new Rules do not prevent collection of data from users. In relation to intermediaries whose primary service is messaging, the Rules speak of tracing the origin of a message.

The Rules even mention that intermediaries shall have to provide information under their control or possession, or assistance, to Government agencies. This implies that consumer data stored with intermediaries shall have to be traceable and monitored by providers of such services (irrespective of the platform on which a service is provided). This has been done to safeguard the sovereignty and integrity of the country. As such, the privacy of consumers who are not involved in any activity detrimental to the sovereignty and integrity of the country will also be invaded.


What the Indian Judiciary said…

Justice K.S. Puttaswamy vs. Union of India

The landmark judgment in matters relating to privacy is the case of Justice K.S. Puttaswamy (Retd.) vs. Union of India1. In this case, the Petitioner approached the Supreme Court of India challenging the constitutional validity of the Aadhaar Scheme of the Central Government, which proposed to make Aadhaar mandatory to access all government services and benefits. The case was brought before the Court on the ground that biometric data of every individual stored with the Government was an invasion of privacy since it could be used by the Government or any other agency which may have access to such data.

The Hon’ble Supreme Court of India held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.


Karmanya Singh Sareen and Anr. Petitioners v. Union of India And Ors.2

In this case, the Petitioner filed a petition before the Delhi High Court seeking the issue of writs against WhatsApp. The Petitioner contended that the change in the Privacy Policy of the WhatsApp service would mean irreversible damage to the fundamental right of the citizens of India, and that sharing of data collected from users would amount to violating their privacy online.

Since the case of Justice Puttaswamy had not been decided, the Court did not take a stand on privacy but directed WhatsApp not to share users' data collected till 25.09.2016 with Facebook.


Data Privacy Laws in Other Countries


United States of America

The United States of America does not have any single specific code governing data privacy and the protection of consumer data. Instead, the various states have enacted various legislations with respect to data privacy. There are certain federal laws, listed below, but these are focused on specific sectors of activity and collection of data:

  1. Children’s Online Privacy Protection Act (COPPA)
  2. Health Insurance Portability and Accountability Act (HIPAA)
  3. Gramm-Leach-Bliley Act (GLBA)
  4. Fair Credit Reporting Act (FCRA)

European Union

The primary data privacy law in the European Union is the General Data Protection Regulation (GDPR). The regulation entered into force on 24 May 2016 and has applied since 25 May 2018. A parallel law, the Data Protection Law Enforcement Directive, operates alongside the GDPR in the European Union.

The regulation applies if the data controller (an organization that collects data from EU residents), or processor (an organization that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU.3 The GDPR is very strict in relation to Data Privacy Laws.

United Kingdom

The United Kingdom recently, in the year 2018, enacted the Data Protection Act, 2018 which repealed the previous Data Protection Act, 1998. The newer law “is the UK’s implementation of the General Data Protection Regulation (GDPR)”4.

Alongside the UK Data Protection Act, 2018, the Privacy and Electronic Communications Regulations exist. These Regulations give people specific privacy rights in relation to electronic communications.


The Data Privacy Problem with India

The major problem in India lies with the mass of people. The majority of consumers are either unaware of their online privacy rights or are indifferent to the various Privacy Policies of businesses. In a leading newspaper, the following was noted5:

“….. the consumer’s evident lack of concern (or may be awareness?), about the data privacy issues, might explain the Indian government’s relatively sluggish pace on the issue.”

As can be observed, there is no significant consequence for companies and businesses getting away with the personal data of their users in India. The new IT Rules, 2021 try to curb some practices that might be very invasive of a person’s privacy.


Which countries have relaxed laws relating to data for Startups?

Overall, there is no specific country whose data protection laws are relaxed especially for startups. Countries that have data privacy laws have a single thing in common: rules and regulations regarding the collection and processing of data with or without the consent of the user.

Norms for data collection and processing apply equitably to all business and non-business organizations, irrespective of whether a particular organization is a startup or not. However, some variations do exist between different countries. Nonetheless, the primary object remains the same: to protect the data privacy of people.

However, countries in the European Union do have a stricter law in effect. Other countries like the USA and the UK also have very strict data privacy laws though countries like Canada, Romania and Ireland are even stricter when it comes to data privacy.


What can Businesses and Startups in India do?

There are not many cases in India regarding data collection by web or mobile services. However, the fact that collection of data without consent or without informing the users is a violation of the right to privacy still holds true. As such, it becomes even more important that websites, web apps and mobile apps communicate clearly with consumers. Therefore, educating consumers becomes essential. Although many people do not even bother to check Privacy Policies, this cannot be ruled out, since some consumers are very cautious about their digital footprints. Effective communication between online services and consumers can only take place when the online services educate effectively. Therefore, proper drafting of the Privacy Policy in light of the current scenario becomes essential. Moreover, the Policy, or the link to the Privacy Policy page, should be easily noticeable by consumers when they use the services.



  1. Writ Petition (Civil) No. 494 of 2012.
  2. W.P. (C) No. 7663/2016.