Introduction
Privacy is a concomitant of the right of the individual to exercise control over his or her personality. It finds an origin in the notion that there are certain rights which are natural to or inherent in a human being.[1] Due to this expanse of this concept it means different things in different contexts, to different people in different cultures. Privacy can refer to bodily, territorial, informational or data, and communicational privacy.
Data privacy as a subset of privacy is focused on the use and governance of personal data, putting policies to regulate the collection, usage and sharing of consumer personal Data. At the heart of digitisation is the collection, processing, sharing and exchanging of consumer personal data to enhance the user experience and innovate to develop new services and products.
The collection of consumer personal data has become an important part of any business segment. Accurate customer data allows firms to target markets more effectively, engage in customer relationship management, and be more market oriented. [2]
Since the process of digitisation so heavily depends on the consumer’s personal data, it essential to ensure that all the processing activities around the consumer personal data should be done in such a manner to enable consumer to establish control over these aspects of processing. This ability to control use is paramount to re-establish the eroding faith of the consumers in organisational and government use of their data.
In this growing environment of distrust, the data privacy regulations should evolve to provide protection to the consumer that is flexible to allow for rapidly changing technologies, business processes and consumer demand. The Regulatory authorities must also be Regulators must be equipped to articulate clear requirements for protection, educate companies and citizens, and monitor compliance.
Even though many consumers are becoming more aware of the risks of misuse of their data and their rights in this regard, still a larger section of the consumer base remains unaware or rather indifferent to the possible repercussions of data misuse and associated privacy violations. This begs the question, ‘How far have the privacy principles and regulations at the international and nation levels have been successful in protecting the consumers in this age of hyper digitisation?’ and ‘How can we ensure consumer protection in this age where a consumer may very well trade her/his personal data to gain a free service or product?’
Through the course of this article we shall examine some possible solutions and regulatory approaches to solve this conundrum.
Consumer Behaviour and Data Privacy
Katz and Tassone[3] hypothesized that consumers, despite being displeased with the prospect of a loss of privacy, have become acclimatized to the necessity of giving up their privacy in order to participate in modern society.
To an extent participating in an information society does require the consumer to let go of the privacy as a “right to be left alone”[4]. However Consumers hardly agree to let go of their want to avail a service in order to safeguard their right to privacy.[5] When we examine this consumer behaviour and also draw from our experiences as a user, few things become apparent for the outset. First and foremost being the failure of the privacy notice to communicate to the consumer in an unambiguous manner the practices and usage of personal data by the data controller[6]. This information supplied to the consumer at the time of offering goods and services, is the first instance when the consumer gauges the privacy risks associated with the use of her/his personal data.
Privacy notices also play a broader role in creating transparency and accountability regarding an organization’s practices. Forcing organizations to publicly articulate their practices creates incentives for those organizations to adopt practices they are not embarrassed to describe.[7]
Informed Consent
Under most privacy laws that require consent for certain types of data collection or use, that consent must be informed. A privacy notice contains sufficient detail to help individuals make informed consent decisions can play a critical role in meeting those legal obligations.
Consent and notice go hand in hand. An individual can make an informed choice regarding the collection and use of her personal data, only on the basis of data that she receives from an organisation.[8]
In certain situations, when individuals do read the privacy notice, then end up confusing the user more than removing ambiguity around the use of data of the consumer. The Notices tend to be lengthy, written in complex legal language or technical language and more often than not delivered in the textual form. Finally, even if individuals manage to read and understand the collection and immediate usage of data contained in the notice, there still remains a veil of legalese around the secondary usage of data.
A consumer may rationally decide to share personal information with an entity because she expects to receive a net benefit from that transaction; however, she has little knowledge or control upon how the entity will later use that data. The entity may sell the consumer’s data to third parties at profit, but the consumer may not share any of that profit, or may even bear a cost when the third party abuses her data for instance, for spam, adverse price discrimination, and so forth. [9]
Purpose Specification
This brings us to an important privacy principle that needs to be imbibed in the entities practices and clearly reflected in the communication to the consumer, the purpose specification principle. The principle as inscribed in the OECD Guidelines states: “The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.”[10]
This principle provides guidance regarding the type and quality of transparency or notice.[11] From an entities perspective, creators of products or services should carefully consider how personal data will be used throughout the lifecycle of the data and should plan ahead as carefully and fully as possible to ensure that enough flexibility for data processing is introduced and communicated through the notice leading to transparency and understanding of data use.
Use Limitation
Complimentary to the purpose specification principle is the principle of Use Limitation. This principle states that “Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle.”[12]
This principle qualifies both the limits for data processing and the expectations of the data subject and also suggests conditions for potentially adding to the type, kind, and timing of data processing when that processing was not included in the initial communication.
Data minimization
Data minimization refers to the practice of limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose.[13]
There are broadly two schools of thought around the adoption of data minimization as a principle of regulation. The first begin to guard against overemphasis on minimisation at the point of collection of personal data. This limitation might be detrimental to new opportunities to innovate with the usage of data for example, predictive analysis, artificial intelligence, machine learning, etc. The search for a potential blue ocean drives many organisations to experiment with the processing of data to create new products and services and to sustain this experimentation the limitation of collection of data at the first instance would create a cumbersome exercise for organisations to go back again and again to collect personal data. So, it would be logical to fix accountability on the entity with respect to typical use cases of violations.
The other school of thought essentially focuses on the ubiquitous nature of data collection in today’s day and age, especially with the advent of Internet of things devices, which has rampantly increased the collection of personal data, and also sensitive personal data with respect to collection of biometric and body sensory data. Such large-scale collection of data which reveals attributes of a consumer’s personality and behaviour, has led to profiling and what has been termed as “Corporate Surveillance”.
A nation while incorporating this principle would have to conduct a thorough analysis of economic repercussions of its adoption and see if the same the objective can be achieved through firm implementation of purpose specification and use limitation principles and deterrent penalties for misuse of personal data.
Regulatory approaches towards Consumer Data Privacy
The Federal Trade Commission: The Federal Trade Commission (herein after as FTC), an independent law enforcement agency of USA is in charge of protecting the rights and interests of consuemrs. It also aims to enhance competition between broad sectors of the the economy. It is empowered to prohibit unfair or deceptive practices in the marketplace.[14] IT uses various tools to protect privacy of consumers. Its strategy alo includes when necessary to implement comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer information, and provision of robust transparency and choice mechanisms to consumers. [15] The commission is empowered to order civil monetary penalties for data privacy violations of companies. It can also obtain civil monetary penalties for violations of certain privacy statutes and rules, including the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the Telemarketing Sales Rule.[16]
European Union’s GDPR: The EU General Data Protection Regulation has promogulated adoption of ‘accountability’ as a key principle of privacy implementation, which can be evolved to derive practices for protecting consumer data privacy. The principle advocates concepts like ‘privacy by design’[17] and ‘privacy enabling technology’. Article 5 of the EU GDPR[18] also lays down keep privacy principles that the data controller must follow in ensure compliance with the legislation. Other keys principles include: ‘lawfulness, fairness and transparency’, the principle focuses on the promulgating transparency around the practices of an organisation around use of personal data, through an unambiguous notice. Purpose limitation and data minimisation have also been included in the legislation.
Sensitive Personal Data or Information Rules, 2011: The rules notified under Section 43A of the Information Technology Act, 2000, mirror the principles inscribed in the OECD guidelines and fix accountability on a body corporate to exercise transparency through its privacy notice[19] to the end user and also maintain reasonable safeguards[20] for protecting the sensitive personal data of the consumer.
Justice BN SriKrishna Committee on Data Protection in India: The whitepaper published by the committee on the proposed data protection law in India deliberates use of ‘accountability’ principle for privacy implementation. The whitepaper states that the principle of ‘accountability’ demands proactive actions from organisations in enabling informed consent and demonstrating accountability through putting in place practices and processes that encourage adoption of concepts such as privacy by design, to move towards a consumer centric approach to consumer data privacy.
Towards Re-establishing Consumer Trust : Consumers are increasingly aware of the value of their personal data. Thus, entities processing personal data can no longer afford to dismiss customer concerns about the use of that data. The first step towards re-establishing trust of the consumer to the ends of protection consumer privacy is to be prepare a well-crafted privacy notice that takes into account the diverse audience base that would be going through the notice.
Notices should not be hidden within the terms and conditions/terms of use of a service or product. It should be instantly accessible to the consumer. The organisations must also be creative in making notices appealing to the consumer and in a manner making it a part of the consumer experience itself.
Transparent communication to the consumer is the biggest step towards creating trust and a long-standing relationship between with the organisation and the consumer. This would go a long way in alleviating the privacy concerns and risks that the consumers have around the collection and usage of their personal data.
A notice should at least mention: The identity of the data controller, What data is collected or otherwise obtained, how data is collected or obtained, whether providing data is required and the consequences of not providing data, Third-party sources of data, how data is used, Disclosures of data to third parties, third party tracking, use of cookies, use of data for online behavioural advertising, Use of sensitive data, Individual Participation rights available to the consumer.
Privacy Regulations should make certain parameters necessary for entities to incorporate in their privacy notices. Self-regulatory approach to privacy protection can be leveraged here to create best practices for building these notices and creating a minimum market standard and enable privacy to become a market differentiator.
These regulations should include provisions to facilitate strict implementation of principles of purpose specification and use limitation by organisations to govern the practices around usage and collection of personal data of consumers. This would go a long way in securing the privacy of consumers in today’s information age.
This Article has been written by Shri Anand Krishnan, Manager, Policy, Data Security Council of India, Delhi.
References:
[1] Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors. 2017 (10) SCALE 1, Per Dr D Y Chandrachud, J. at paragraph 40.
[2] Myerscough, Stuart, Lowe, Ben, and Alpert, Frank (2006), “Willingness to Provide Personal Information Online: The Role of Perceived Privacy Risk, Privacy Statements and Brand Strength,” Journal of Website Promotion, Vol. 2 (1-2), Pages 115-140. DOI: 10.1080/15533610802104182
[3] James e. Katz, Annette r. Tassone; Public Opinion Trends: Privacy and Information Technology, Public Opinion Quarterly, Volume 54, Issue 1, 1 January 1990, Pages 125–143.
[4] In their seminal article, Warren and Brandeis observed that: “The principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an inviolate personality.”
Warren and Brandeis, “The Right to Privacy”, Harvard Law Review (1890), Vol.4, No. 5, at page 195.
[5] See: Norberg, Patricia A., Horne, Daniel R. and Horne, David A. (2004) “An Empirical Exploration of the Privacy Paradox”, AMA Winter Educators Proceedings, Vol. 15, p247-253.
[6] “An entity that has the authority over the processing of personal information. This entity is the focus of most obligations under privacy and data protection laws. It controls the use of personal data by determining the purposes for its use and the manner in which the data will be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.”
International Association of Privacy Professionals. Iapp.org. (2018). International Association of Privacy Professionals. Available at: https://iapp.org/resources/glossary/ (Accessed 22 Apr. 2018).
[7] Hintze, Mike, Privacy Statements: Purposes, Requirements, and Best Practices (November 18, 2016). Cambridge Handbook of Consumer Privacy, Jules Polonetsky, Evan Selinger & Omer Tene, eds., Cambridge University Press (2017).
[8] Committee of Experts on a Data Protection (2017). White Paper of the Committee of Experts on a Data Protection Framework for India, Ministry of Electronics and Information Technology (MeitY). Page-79.
[9] Acquisti, Alessandro. (2010). The Economics of Personal Data and the Economics of Privacy. Available:https://www.heinz.cmu.edu/~acquisti/papers/acquisti-privacy-worth.pdf. Page 7 (Accessed 22 Apr. 2018).
[10] Organisation for Economic Co-operation and Development Oecd.org. (2018). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data – OECD. Available at: http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (Accessed 22 Apr. 2018).
[11] Academic Library. Ebrary.net. (2018). Data Quality Principle, Purpose Specification Principle, Use Limitation Principle – The Privacy Engineer’s Manifesto – Academic library – free online college e textbooks. Available at: https://ebrary.net/22187/computer_science/data_quality_principle (Accessed 23 Apr. 2018).
[12] Supra note 10.
[13] Forbes. (2018). Why Data Minimization is an important concept in the age of big data? Available at: https://www.forbes.com/sites/bernardmarr/2016/03/16/why-data-minimization-is-an-important-concept-in-the-age-of-big-data/#a92922e1da45 (Accessed 23 Apr. 2018).
[14] Section 5(a) of the Federal Trade Commission Act (FTC Act) (15 USC §45).
[15] Federal Trade Commission. (2017), Privacy & Data Security Update (2016), available at: https://www.ftc.gov/reports/privacy-data-security-update-2016#how (Accessed 23 Apr. 2018).
[16] Ibid.
[17] “The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.”
Cavoukian, Ann. (2011). Privacy by Design The 7 Foundational Principles. Available: https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf. (Accessed 23 Apr. 2018).
[18] Article 5 of the EU General Data Protection Regulation, 2016 (Regulation (EU) 2016/679).
[19] Rule 4 of Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
[20] Rule 8 of Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.