Google Faces Legal Hurdles Under Brazilian Internet Law

By Raissa Campagnaro[1]

The Brazilian Federal Prosecution Ministry has brought civil proceedings against Google for flouting its data protection law. The suit challenges Google’s access to the content of emails exchanged by Gmail users on multiple grounds, including Google’s failure to obtain express consent.

In October 2016, Brazil’s Federal Prosecutor filed a public civil suit against Google, claiming that the search engine had failed to comply with the country’s internet law, the Internet Bill of Rights. The suit argues that during a previous prosecution investigation, through a civil inquiry, Google had made it public that it scans the content of emails exchanged by Gmail users. According to the Federal Prosecutor, this violates Brazilian data protection standards.

The Internet Bill of Rights establishes data protection principles similar to those set up under the EU Data Protection Directive 95/46/EC. Under this law, any processing of data must be pursuant to express consent. The law specifically requires that the clause seeking consent be prominently displayed and easy to identify amongst other terms of the contract. The law also recognises a right to not have one’s data transferred to third parties without consent and a right to be informed about the specific purposes of the personal data collection, usage, storage, treatment and protection.

When asked about its compliance with the legislation, Google submitted that it analyses the email messages so it can improve consumers’ user experience by filtering the messages for unwanted content, spam, or other kinds of malware. It also submitted that the scanning of messages is used to offer products and advertisements to the user and to classify emails into various categories such as ‘social’, ‘promotions’ etc. Finally, Google has contended that the scanning of emails is consented to by the user at the time of signing up, by agreeing to the privacy policy within Gmail’s terms of service.

However, the Federal Prosecution Ministry considers these practices to be ‘profiling’ – a consequence of personal data aggregation that allows the creation of users’ profiles based on their behaviour, online habits and preferences. These can be used to predict their future actions and decisions. Profiling is frequently used for behavioural advertisements in which aggregated personal data is transferred to other ISPs, who use it to direct ads, products and services determined by the person’s past online activity. According to the Federal Prosecutor, this not only violates people’s right to privacy, especially their informational self-determination right, but also interferes with a consumer’s freedom of choice.

Several scholars and researchers have also opposed profiling and behavioural advertising, arguing that it has severe negative consequences. These include (i) denial of credit or loan concessions; (ii) offering different health insurance deals based on a person’s medical history or the nature of activities they engage in; and (iii) offers with adaptive pricing, based on a variety of criteria that involve some level of discrimination. This is problematic because online profiles are limited. A person’s life is based on several aspects apart from the online information which is collected and aggregated. As a result, personal data aggregation, processing and analysis can lead to an incomplete or incorrect picture of an individual, leading to wrongful interventions in their life. Even if the profile is a complete reflection of a person’s life, the choice to have one’s data collected and used for determined purposes must always be the users’.

The suit alleges that Google’s practices are not in consonance with the legal requirement of seeking express consent, including through prominent display within a policy. It suggests that Google be required to take specific consent in order to access the content of emails.

The case also challenges the fact that Google’s privacy policy does not allow consumers to withdraw consent. This violates consumers’ control over their data. Further, it is also argued that consent should be sought afresh every time Google changes its privacy policy. The lack of clear and precise information around how data is processed is another issue that has been pointed out in the case, violating the right of Gmail users to information regarding the usage of their data.

To substantiate its case, the Federal Prosecutor is relying on an Italian case in which Google’s data processing activities had been challenged. The ruling was based on Italy’s Data Privacy Code, which establishes data protection guarantees such as i) fair and lawful processing of data; ii) specific, explicit and legitimate purposes and use of data; iii) processing to not be excessive in relation to the purposes for which it is collected or subsequently processed; and iv) that the data must only be kept for the amount of time truly necessary. In addition, the law stipulates that a data subject must receive notice about how their data will be processed, allowing them to make an informed decision. Furthermore, the Italian code also requires consent to be express and documented in writing.

In 2014, the decision of the Garante (i.e. the Italian Data Privacy Authority, hereinafter “the Authority”) held that Google had failed to comply with some requirements under the Italian legislation. Firstly, the information given by Google around how data processing was carried out was considered insufficient, as it was too general. Secondly, the consent format given through the privacy policy agreement was also held to be too broad. The Authority held that consent should be prior and specific to the data treatment. Although the decision condemned the company’s practices, it did not establish any guidelines for Google to adopt in this regard.

Through the present suit, the Brazilian Federal Prosecutor seeks (i) suspension of Google’s email content analysis, that is, scanning of emails of Gmail users where express consent has not been received; (ii) an obligation to obtain express consent from users before scanning or analysing the content of emails; and (iii) ensuring the possibility of consent withdrawal. The suit seeks an order directing Google to change its privacy policy to ensure consent is informed and particular to content analysis.

This case demonstrates a new aspect of data protection concern. Apart from the most common cases over data breach situations, where the damage is usually discovered too late or is too massive to repair, the Brazilian and the Italian cases are great examples of proactive measures taken to minimise future risks. Further, the importance of a legal framework that utilises data protection principles to guarantee consumers’ right to privacy is well recognised. Now, it appears that these rules are starting to be more effectively enforced and, in consequence, the right to privacy can be observed in practice.

[1] Raissa is a law student from Brazil with an interest in internet law and policy. Raissa has been interning with the civil liberties team at CCG for the past month.

“The Right to be Forgotten”: Balancing Personal Privacy with the Public’s right to access Information

Evolution of the right and Global framework

In the Internet age, when access to information is quick and easy, procuring personal information or past records about an individual is no longer a herculean task. The relevance of such information or the duration for which such data should be available for public access has hitherto not been debated.

There is growing global debate on a new right called “the right to be forgotten” or “the right of erasure”. This right allows people to request for removal of their personal information/data online after a period of time or if such information/data is no longer relevant. The origin of this right can be traced back to the French jurisprudence on the ‘right to oblivion’ or droit à l’oubli. The rationale behind this right was to allow criminal offenders who have already served their sentence to object to the publication of information regarding their crime and conviction. This was done to ease their process of social integration.

It was along these lines that the 1995 EU Data Protection Directive acknowledged the right to be forgotten. Under the Directive, it was stipulated that the member states should give people the guaranteed right to obtain from the ‘controller’ the rectification, erasure or blocking of data relating to them, the processing of which does not comply with the provisions of the Directive. The term ‘controller’ here refers to a natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of processing personal data.

In May 2014, the Court of Justice of the European Union (‘Court’) recognized the right to be forgotten as a part of the fundamental right to privacy in the Google case. The plaintiff, in this case, had requested the delinking of search results appearing on Google and the deletion of newspaper articles appearing online with respect to bankruptcy proceedings against him. The Court held that individuals have a right to request search engines to delink information which causes prejudice to them. However, the Court was careful to state that this right is not absolute and can be applied only when the data becomes ‘inadequate, irrelevant, excessive, not kept up to date, or kept for longer than necessary’ with respect to the purpose for which it was collected or processed. Accordingly, the Court directed Google to delink the search results in the instant case. It was further held that the publication of accurate data may be lawful at a given point in time, but in due course, it might become inconsistent with the law.

While the judgment in the Google case is a step in the right direction, it leaves much to be desired. The Court did not set out any guidelines or parameters to filter out information as ‘inadequate’ or ‘irrelevant’ or ‘excessive’. It has thrust the onerous task of balancing the right to privacy of an individual and the public’s right to access information on private search engines like Google. This raises critical questions regarding the suitability of private entities taking decisions which are of constitutional import. Pursuant to this judgment, the EU adopted the Data Protection Reforms which includes the right to be forgotten as an essential right under Article 17 of the Data Protection Regulations. This lays down the conditions for application of the right to be forgotten, and requires entities processing personal data to inform third parties regarding requests for erasure of links to any personal data. A detailed discussion of these regulations and their impact on India can be found here.

Challenges in enforcement

There are many legal and technical challenges in the enforcement of the right to be forgotten. The success rate of governments across the world in banning or removing pornographic websites or torrent sites from the Internet has not been great, since there are various ways of circumventing such bans. Further, the blocking or delinking of URLs by search engines does not guarantee that such information has been blocked or deleted from the Internet. There is also no way to ensure that such information is not uploaded again.

To enforce the ruling of the case discussed above, Google has created a mechanism through which an individual can make a request for taking down of or delinking of a specific search result bearing an individual’s name. Google evaluates such requests on various parameters like whether these results are an infringement on his right to privacy or whether such information is of public interest. In case of the former, the individual’s right to be forgotten trumps the public’s right to access information. However, if the information is of public interest, the right to information of the public prevails over privacy rights. This squarely makes Google the decision maker of the relevance, adequacy, and need for data to be available online for public access or not.

With the growing recognition of the right to be forgotten, the number of requests that search engines receive for taking down or delinking is only likely to increase, making it extremely difficult and cumbersome to scrutinize such requests manually. According to Google’s Transparency Report, as on 9th October, 2016, Google had received 565,412 requests for the removal of URLs. The Report further states that it has already evaluated 1,717,714 URLs since May, 2014. The Report shows that Google has removed 43.2% of the URLs from the requests received. With a substantial increase in the number of requests, search engines may even consider using algorithms to deal with such requests instead of manually evaluating the privacy rights vis-à-vis public interest.

Further, search engines are also likely to err on the side of caution and accept such requests rather than face expensive legal challenges across jurisdictions for non-compliance. This right may be misused by individuals, as it will lead to artificial alteration of the content available online, which may result in the delinking of pertinent information.

Recent developments in India

The data protection regime and data privacy laws of India are not comprehensive and dynamic enough to respond to technological advances in the modes of collection, transfer and use of personal information. The Information Technology Act, 2000 and the rules framed under the Act make up the primary legal framework that governs this subject. The Delhi High Court is currently hearing a matter (Laksh Vir Singh Yadav vs. Union of India, WP(C) 1021/2016) where the petitioner has requested for the removal of a judgment involving his mother and wife from an online case database. The petitioner claims that the appearance of his name in the judgment is causing prejudice to him and affecting his employment opportunities. It will be interesting to see the outcome of this case and how the larger debate of the right to privacy of an individual versus the right of public to access information unfolds in this case.

It is pertinent to note that the Delhi High Court is dealing with the request for removal of a court order which is a public document. This request is unusual and distinct from a request for delinking of search results appearing in search engines like Google since such delinking does not result in the removal of the information itself. Allowing the removal of such judgments from online case databases could result in the expunging of public records. Furthermore, the removal of judgments from online public databases will obstruct public access to case materials shedding light on critical questions of law.

While implementing the right to be forgotten, a very fine balance has to be struck between the right to freedom of speech and expression, public interest and personal privacy. To balance these conflicting rights, the judiciary may consider implementing a system where personal information like names, addresses etc. of the litigants is redacted from reportable judgments/orders, especially in personal disputes. The courts have, in the past, refrained from divulging the identities of parties in order to respect their privacy in many rape or medico-legal cases.

With many unanswered questions surrounding this right, India requires a comprehensive data protection regime to regulate the entities collecting and processing personal data and to define the terms of use, storage and deletion of such personal data. This will ensure that such entities are obliged to take due care of the personal data in their possession and will also provide a framework for dealing with requests for removal or erasure of such personal data.

The New Data Protection Regulation and its Impact on India

Written By Joshita Pai

The European Parliament adopted the new Rules on Data Protection on the 14th of April, 2016. The new Regulation replaces the General Rules on Data Protection, 1995 and the 2008 framework decision on cross-border data processing in police and judicial cooperation within the EU. In January 2012, the EU Commission first presented a package of proposals in order to update and modernize the present EU legal framework, which was accepted subsequently by the Council in December 2015. The new data protection package consists of a general regulation on personal data processing in the EU and a directive on data processed by the police and judicial authorities.

Highlights of the Regulation

The regulation establishes a stronger regime for protection of personal data by giving more control to the users in the digital market. It enshrines provisions on the much awaited right to be forgotten in the virtual space,[i] provisions on the need for clear and affirmative consent and the right of an individual to be informed. Profiling of an individual by collecting a person’s data is often presented in the name of customized service and commercial interest of the company. The new regulation allows for a right to object against profiling unless it is necessary for legal enforcement purposes or for scientific research. The Directive also envisages provisions on data portability which will enable users to shift from one service provider to another, without losing the data accumulated in the use of the former.

Aside from vesting a bundle of rights in the hands of the users, the regulation makes way for an array of provisions for companies to abide by. The crucial provisions affecting business companies include:

  1. Sanctions on companies that breach data transfer of up to 4% of annual profits: This provision in the regulation holds heavy bearing since its application extends to companies established outside the European Union. Organisations will additionally be required to carry out data protection impact assessments where their plans to process personal data are “likely to result in a high risk for the rights and freedoms of individuals”.
  2. Provision for appointing a data protection officer if the company engages in processing of sensitive data: For businesses in which the “core activities” consist of processing operations that “by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”; or if it involves processing sensitive data on a large scale, the new Directive recommends the mandatory appointment of a DPO.
  3. The introduction of the new one-stop-shop concept in the Regulation: The Regulation states there will be a single supervisory authority who will be engaging with business houses, instead of one authority in each member state. The ‘one-stop-shop’ will streamline cooperation between the data protection authorities on issues with implications for all of Europe.

The Impact of the new EU Regulation on India

The cross-border flow of data from the EU states to other nations has been contentious, visibly so after the Schrems decision which rendered the EU-US safe harbour provision inadequate. The decision called for a new set of guidelines which resulted in the creation of the EU-US privacy shield.

The EU framework of 1995, as well as the enhanced edition of the Regulation, prescribes a mandatory adequacy decision to determine whether the country in question adequately protects personal data. The new Regulation dedicates a chapter to the transfer of personal data to third party countries, and India’s interest in the Directive lies here. It provides that:

“A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, or a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

The European Commission in 2015 produced a report on Data Protection in India to assess the measures and standards adopted for protection of data in India. The report highlighted the lacunae in Indian laws pertaining to personal data. According to a recent survey by NASSCOM-DSCI, there is an opportunity loss of USD 2.0 billion – 2.5 billion owing to data transfer related issues. The report notes that EU clients are hesitant to offshore work to Indian companies because of the dearth of data protection standards in India. With particular regard to data protection, institutionalizing a regulatory regime in India has become a herculean task with no comprehensive legislation on data protection in force. Statutory attempts to this effect have either been dissipated across the arena or have not been effectively executed so far. The penalty of a 4% of annual turnover of a company on account of data breach is one of the outstanding features of the new Regulation and pitching this against the backdrop of a staggered regime on data protection in India indicates a host of repercussions.

Joshita Pai was a Fellow at the Centre for Communication Governance (2015-2016)

[i] ‘The right to be forgotten’ stirred up as a concept after a Spanish national sued Google Spain and a Spanish newspaper for retaining information about him that was published several years ago.

The EU-US Privacy Shield: The Safer Harbour?

Written By Joshita Pai

On 29th February, 2016, the European Commission published details of the legal text which will be the building blocks for the EU-US Privacy Shield. The NSA’s bulk collection of EU users’ data has been a contentious issue since the Snowden revelations. The new agreement will replace the Safe Harbour agreement which had been struck down by the Court of Justice of the European Union in the Schrems judgment, where the Court rendered the existing provisions as inadequate and incapable of protecting data.

The European Commission today issued a Communication summarizing the actions taken to replace the data protection standards. The Commission announced a number of steps to restore trust in the flow of transatlantic data. It finalised the reform of EU data protection rules, which apply to all companies providing services on the EU market; negotiated the EU-U.S. Umbrella Agreement ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes; and built a promising framework for commercial data exchange: the EU-U.S. Privacy Shield.

A preliminary dissection of the collective text indicates a commitment to build a stronger framework towards protecting transatlantic data. The European Commission in its draft adequacy decision published yesterday, provides for the establishment of an enhanced regime, stating that the EU-US Privacy Shield will continue to be based on a system of self-certification where U.S. organisations will commit to the EU-U.S. Privacy Shield Framework Principles. Article 4 of the Draft Decision provides that:

“The Commission will continuously monitor the functioning of the EU-U.S. Privacy Shield with a view to assessing whether the United States continues to ensure an adequate level of protection of personal data transferred thereunder from the Union to organisations in the United States.”

Intricacies of the Agreement

Under the new agreement, American companies will have to register to be on the Privacy Shield List and self-certify that they meet the requirements set out. This process will be carried out each year with periodic reviews. The Privacy Shield includes the crucial principles of: consent of the user; the choice of the user to opt out of divulging personal information; the security of the transmitted information; and the purpose limitation principle, to ensure that the information is not used for any other purpose but the one the user had consented to.

Aside from these guidelines, the draft decision lists out accountability and transparency provisions for the companies engaging in data transfers and carves out a redressal mechanism for aggrieved users. The FAQs accompanying the Privacy Shield framework provide that complaints have to be resolved by the companies within 45 days.

The framework also provides for an alternate dispute resolution process: “A free of charge alternative dispute resolution [ADR] solution will be available. EU citizens can also go to their national data protection authorities, who will work with the US department of commerce, and Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved.” Roping in the recently passed U.S. Judicial Redress Act, the FAQ notes that the Privacy Shield will provide EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the US for law enforcement purposes. The Judicial Redressal Act however encompasses the last minute amendment which caters to US security interests as an exception to the safe harbour guarantee.

The Article 29 Working Party, in its statement issued recently, outlined a four-part guideline applicable whenever personal data is transferred from the EU to the United States, to other third countries, as well as to other EU Member States. The statement recommends the following:

“1. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;

2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;

3. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;

4. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.”

The new agreement factors in all the recommendations mentioned above. The 3rd recommendation mentions the need for an independent oversight mechanism. This mechanism also resurfaces as an essential criterion in the communication from the Commission to the European Parliament and the Council as well as in the draft adequacy decision, both of which were released yesterday. The new agreement creates an “Ombudsperson” to deal with complaints from EU citizens on how their data has been used by the NSA; however, the autonomy of the oversight authority is debatable.

The draft also provides for suspension of adequacy decision “if the Commission concludes that there are clear indications that effective compliance with the Privacy Principles in the United States might no longer be ensured, or that the actions of U.S. public authorities responsible for national security or the prevention, investigation, detection or prosecution of criminal offenses do not ensure the required level of protection. Alternatively, the Commission may propose to amend this decision, for instance by limiting the scope of the adequacy finding only to data transfers subject to additional conditions.”

Conclusion

The protection of data has been treated as a paramount right in the EU, unlike in the US set-up where pro-privacy norms are a rare delight. The Schrems judgment did stir up the status quo and the negotiation process has resulted in the revised agreement. However, the NSA has found its way into the new agreement, visibly so in the exception appended to bulk collection of data. The draft decision envisages six contingencies in the event of which the US would be permitted to collect signals intelligence in bulk. These exceptions include detecting and countering certain activities of foreign powers; counter-terrorism; counter-proliferation; cyber-security; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion. The New York Times had recently reported that the bulk collection of data by the NSA will be shared with other U.S. agencies including the FBI and the CIA without removing the identifying information. This marks the meeting point of data processing for commercial purposes and for the purpose of surveillance. In light of the recent FBI-Apple duel, such collision should be viewed cautiously.

Joshita Pai was a Fellow at the Centre for Communication Governance from 2015-2016

New EU-US Data Protection Agreement Imminent

Written by Siddharth Manohar

Data exchange flowing from the EU (specifically the European Economic Area) to the US currently has no legal framework regulating it. Does it mean that any data transfer from EU to US is illegal? In my previous post on the issue I mentioned that the old agreement regulating the data transfer had been struck down at the Court of Justice of the European Union (CJEU). National data protection authorities in the EU have taken a pragmatic step by holding back on attacking all data transfer, until a new agreement is reached to replace the old Safe Harbour Agreement.

A breakthrough in this respect came about a couple of weeks back, with the European Commission announcing that they have agreed on a new framework to protect the rights of individuals who give data to US companies that process the data in their local servers. The agreement once finalised will replace the Safe Harbour principles in order to legalise the data transfer. This new framework, called the US-EU Privacy Shield, has three sets of strong obligations: data handling, transparency, and redress mechanisms.

The first major obligation is on US companies to make and publish commitments on data protection and individual rights. These commitments hold them accountable to US Federal Trade Commission (FTC), as well as the diktats of the European Data Protection Authorities (DPAs). The second consists of restrictions on surveillance practices by US state authorities. Any kind of surveillance will now be subject to clear limitations, safeguards and oversight mechanisms, and the methods will be only those that are necessary and proportionate. Mass surveillance has been completely ruled out, and meetings to review these practices have also been planned for future follow-up. The third part of this arrangement consists of a redress mechanism. European DPAs can refer cases to the US Department of Commerce and the FTC, and the option of alternate dispute resolution is also provided.

The parties are now working towards the measures required to put the new agreement in place, specifically the US, who will try to formalise the commitments made in the agreement. The European Commission on the other hand is preparing a draft for an ‘adequacy decision’ that member states can adopt to formalise the process on the EU side. The full text of the agreement is expected to be made available in the coming weeks.

The agreement has also come under criticism from privacy experts, who claim that the agreement suffers from the same weaknesses as the Safe Harbour agreement. They argue that this agreement is a mere political compromise that does not help protect the rights and data of users; protecting those rights would require amendments to the national laws in both jurisdictions. Controversial provisions in US law that continue to authorise infringements on users’ rights are still effective, like Section 702, which allows for surveillance of data relating to non-US persons to be carried out in the US. Executive Order 12333, which deals with surveillance outside of the US, has no legal oversight mechanism whatsoever. It is these laws that will need amendments in order to make surveillance subject to conditions of necessity and proportionality.

The other persistent problems which have remained include the provision for self-certification, which does not adequately ensure enforcement of privacy standards. A recent amendment to a Bill which would provide redress mechanisms for EU users to enforce rights over their personal data also adds to the problems which plague the possible effectiveness of the new agreement. The long term solution to this situation does not look like it will arise from a single event or set of negotiations, and we now await the release of the full text of the agreement to see where we can go from here.


Privacy in the Context of Data Protection

Written By Joshita Pai

The privacy debate surrounding the Aadhaar proceedings has, in the recent past, stirred debate on the constitutional perspective on privacy. In addition to this, the disastrous National Draft Encryption Policy and the Human DNA Profiling Bill, 2015 have challenged the legal contours of privacy, particularly the understanding of data protection in India. Placing increasing reliance on the results of consolidated databases of processed data has posed glaring questions of accountability and transparency in data handling. The inherent potential for privacy violations through the processing of data has brought into focus the legal framework that monitors such databases. However, there is a dearth of such a framework, and the notion of privacy stands on unstable ground.

Data Protection in India

The ongoing battle over the judicial determination of privacy as a constitutional right is scheduled to be taken up by the Supreme Court in the near future. This will, in definite terms, establish the position of the right to privacy within the ambit of the Constitution of India. Statutory conferment of privacy as a right could be ascertained in parallel, but legislative attempts on privacy and on data protection are yet to materialize. The Expert Committee that was set up to review the Information Technology Act submitted its report in August 2005 to the Department of Information Technology and called for an amendment to certain sections in tune with data protection and privacy standards. Following this, the Act was amended to include section 43A, which imposes civil liability for failure to protect data. It is significant to note that the amendment paved the way for self-regulation in terms of defining what constitutes “reasonable security practices and procedures” and “sensitive personal data or information”. However, while this is a workable attempt, it makes only for a stopgap arrangement, and must yield to a more comprehensive regulation.

India’s legislative efforts to respond to privacy as a concept in its own right have been reluctant and disorganized. Sectoral efforts are, however, evident in a few areas. For communication records, the data retention requirements for service providers are found in the ISP and UASL licences, which are grounded in the Indian Telegraph Act, 1885. In the health sector, the Ministry of Health & Family Welfare released a set of recommendations for electronic health records in India.

Taking a Cue from Other Nations

Article 25(1) of the EU Directive, 1995, which regulates the transfer of data from EU member states to third countries, provides that transfer of personal data “may take place only if … the third country in question ensures an adequate level of protection.” To assess India’s framework on data protection, the European Commission in 2015 brought forth a report on Data Protection in India which highlighted the lacunae in Indian laws pertaining to personal data.

The second edition of the EU-US Safe Harbour model, which was set in motion at the behest of the ruling in Schrems, is eagerly awaited. The Court of Justice in 2015 declared that the existing provisions of the US on protection of data were inadequate and called for a revised version by the end of January 2016, with better accountability measures for the transatlantic flow of data. The new framework will be based on a stronger regime for protecting data by imposing obligations on companies handling the EU’s personal data and enshrining transparency provisions. In the midst of this, the European Union adopted a reformed Data Protection Framework in December 2015, which had been proposed by the EU Commission in January 2012. Against the backdrop of several such developments on data protection, India’s progress in this regard is scattered and reluctant. Taking a cue from South Africa, which until very recently dealt with data protection within its constitutional ambit of privacy and in 2014 adopted legislation on data protection, Indian provisions could be consolidated into a formal and binding statute.

C for Commercial, D for Data

Written By Joshita Pai

A visibly agitated man once entered the American retail giant Target to inquire why his teenage daughter had been receiving coupons for baby products. A few days later, when the manager of the store called up the man to apologize to him, the father replied that his daughter was in fact pregnant. Following the incident, the New York Times reported that Target assigns each shopper a unique code, internally known as the Guest ID number, which is connected to e-mails sent by the store to its customers, and that the store further tracks website visits by its customers. Target, like several shopping portals, customarily analyzes data along with demographic information and maps out the behavioural information of its customers. Customized services and tailor-made offers to customers are definitely a few benefits of rigorous data mining mechanisms, and this registers with many as a successful marketing strategy.

Commercial Value in Transfer of Data

Neil Robinson describes personal data as the lifeblood of the information economy. Collecting the personal data of consumers and trading it for commercial purposes is a common practice amongst companies, as was observed by the Data Security Council of India. Uber, Google, Twitter, Facebook and Zomato independently engage in customized data collection at the time of installation of their applications. These platforms have notoriously been in the news for flouting data protection standards. Consumer privacy has been central to the debate on using information as a currency of exchange. Commercial relationships between Google and several companies such as Amazon and Flipkart exist in the name of tailoring better and more personal services to customers. It is relevant to note that processing and collection of data is admittedly easier when services are accessed through applications on mobile phones. Twitter, for instance, demands at the time of installation information ranging from details of the contacts listed on the phone to permission to access photos/media/files saved on external storage, the device ID and call information.

Jane Bambauer refers to data as ‘speech’ since it carries informational value, and on the basis of this notion she argues that the transfer of data should be protected as commercial speech. This notion has found favour with the courts. The Supreme Court of the United States in 2011 held that the sale of personal data is protected within the ambit of the First Amendment, and is commercial speech. The Court invalidated a statute that prohibited pharmacies and companies from selling data obtained through the prescriptions of individual doctors. Extending First Amendment protection to such transfers, the Court reasoned that government agencies collect and store data, and this practice cannot be deemed illegal when applied to pharmaceutical companies only on the grounds that the latter have vested commercial interests. The statute in question banned prescription drug companies from obtaining patients’ personal information for marketing purposes without the prescribing physician’s consent. What remained on either side of the battle was the right of the companies to privately sell the data against the State’s claim that data of such nature is not speech. The decision was a victorious one for First Amendment rights but disrupted the notion of medical and consumer privacy.

Commercial Transfer of Data in India

In India, the judicial development of commercial speech under Article 19(1) is yet to touch upon the commercial transfer of data. The Delhi High Court dealt with the disclosure and publication of confidential information while deciding the Petronet case in 2009; however, the sale of personal information is yet to be explored in India.

That being said, the IT Act has made scattered but able attempts at securing data by formulating rules on the principles of consent and purpose limitation at the time of collection of data. Rule 4 of the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 provides that:

“The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract.”

Rule 3 lists the information that constitutes sensitive personal data and attaches an exception: such information ceases to be sensitive if it is already in the public domain or can be furnished under the Right to Information Act, 2005.

All privacy policies provide disclaimers stating whether or not they will extract personally identifiable information such as health records, sexual preferences or gender-specific information, and a few provide disclaimers about dispatching cookies for the collection of nuanced data. The policy statements are almost always drawn up on the accepted privacy standards under the Information Technology Act, 2000, since there is no well-laid regulatory framework to monitor the free-flowing data.

Scattered provisions on data protection visibly exist in India and can be worked with temporarily. The issues around the transfer of data, however, do not necessarily end at commercial contours. The sharing of collected information with government agencies and the procurement of data upon request by the government have found their way into the IT Act and are prescribed as clauses to be included in a company’s privacy policy. Such related concerns are by no means secondary, and the need of the hour dictates that concrete and formalized regulatory structures be put in place.

Joshita Pai was a Fellow at the Centre for Communication Governance from 2015 to 2016