In Part I of the Implementation Series, we discussed the first four essentials of a privacy notice as proposed under the Data Protection Bill, 2021 (the ‘Bill’). Here, we deal with the next four elements specified under Clause 7 of the Bill. As explained in Part I, the purpose of including these essentials in the privacy notice is to ensure that the data fiduciary complies with the Principles of Data Privacy when processing personal data relating to data principals.
Basis and consequences[1]
Under the privacy framework set out in the Bill, processing of personal data is not permitted unless it is expressly allowed by law or the data principal has consented to it. The privacy notice must specify the basis (or bases) on which the processing is contemplated. Where such a basis exists, the processing is considered lawful.
The following bases of data processing have been provided for in the Bill –
1. Consent[2]
Consent is one of the most widely used grounds for data processing. Consent obtained from a data principal has to be valid, and the Bill prescribes the elements of a valid consent.[3] What constitutes a valid consent, and related considerations, will be discussed later in the Series. One thing to note is that the privacy notice itself need not fulfil the obligations relating to capturing or obtaining consent; it only serves as a medium to inform the data principal that consent (or another ground, as the case may be) will form the basis for processing their personal data.
2. Grounds for processing personal data without consent[4]
For certain specific purposes, data fiduciaries may process personal data without the data principal’s consent. These include purposes relating to –
- performance of State functions,
- processing by virtue of law,
- processing as required by an order/judgement by a competent legal authority,
- responding to a medical emergency involving a severe threat to the life or health of an individual,
- provision of healthcare services during an epidemic, outbreak of a disease, during a disaster or during the breakdown of public order.
It may be noted that even though consent is not required in such scenarios, the Bill still requires that such circumstances be intimated to the data principal, to ensure complete transparency on the part of the data fiduciary.
3. Processing for purposes necessary for employment, etc.[5]
This basis applies where employers, and entities acting on their behalf, process the personal data of employees. It is a valid basis if the processing is necessary for, or can reasonably be expected by the data principal (i.e., the employee) in the context of, employment-related activities. These include, but are not limited to:
- For recruitment and termination of employment.
- For providing any services/benefit to the employee.
- For verifying attendance of the data principal.
- For assessment of the performance of employees.
This basis, however, may not be relied upon for the processing of sensitive personal data of employees. In such cases, consent would be required.
It may be noted that a privacy notice governing the processing of employee data may be structured as a separate notice and need not form part of the general privacy notice issued by the data fiduciary.
4. Processing for reasonable purposes[6]
This category covers residual bases which may apply to the processing of personal data. When relying on reasonable purpose as a ground, the following factors are considered in assessing whether the purpose for which personal data is processed qualifies as a reasonable purpose:
- Legitimate interest of data fiduciary.[7]
- Whether the data fiduciary can reasonably be expected to obtain the data principal’s consent in the circumstances, i.e., whether obtaining consent is practicable.[8]
- Whether any public interest is involved.[9]
- Whether the processing activity may have an adverse effect on the rights of the data principal.[10]
- The reasonable expectations of the data principal, having regard to the context of the processing.[11]
It is important to note that many of the above factors depend on the circumstances surrounding the processing of personal data. The privacy notice should also indicate the consequences of not providing data where processing rests on a ground other than consent. For instance, using necessary cookies to run a website is a reasonable purpose on the part of the data fiduciary, and the data fiduciary may therefore state in its notice that it will not be able to offer its products or services to a data principal who declines those cookies. Similarly, an employer recording the attendance of its employees (data principals) should highlight the consequences, if any, of not providing attendance records to the employer.
Sources of data collection[12]
Data fiduciaries may collect data from multiple sources. Apart from collecting data directly from the data principals, data may also be obtained from other sources such as data exchanges, data brokers and data intermediaries, and from public platforms and social media websites. Where data is not collected directly from the data principal, the privacy notice should say so[13].
The privacy notice should also indicate the sources on which the data fiduciary relies for data collection. This ensures that the data fiduciary’s data collection activities are transparent and that data principals are aware of how their data is being shared and collected by different entities.
Sharing of Personal Data [14]
The privacy notice should indicate whether personal data is to be shared with third parties and identify the entities with whom it may be shared. It is pertinent to note that it may not always be possible to disclose details of every entity. However, the privacy notice must always indicate the categories of processors and fiduciaries with whom such information will be shared, and the purpose of sharing it with them. Examples of such entities include, but are not limited to, affiliates, distribution partners and service providers (e.g., cloud service providers). This requirement is based on the transparency principle of data privacy.
Cross-Border Data Transfers [15]
The sharing of personal data outside India has been the centre of much debate, not only in India but also in other countries[16], and should therefore be done cautiously. Such transfers are subject to security thresholds under the provisions of the Bill, especially if the data is of a sensitive or critical nature. Such transfers are fairly common, since most multinational enterprises share data with their parent or affiliate companies abroad, or have their data centres located outside India owing to the lack of reliable and economical data storage options in India. The data fiduciary should highlight in its privacy notice any cross-border transfers it intends to carry out in respect of personal data relating to Indian residents, together with the reasons for such transfers. The data fiduciary should also ensure that it implements appropriate security mechanisms and contractually binds the receiving entity to comply with all applicable data protection legislation. This requirement is based on the integrity, confidentiality and transparency principles of data privacy.
Common mistakes to avoid while drafting privacy notices
a) Not indicating an appropriate legal basis
Data fiduciaries may end up relying on an incorrect lawful basis, which may have consequences at a later stage. The bases on which personal data is to be processed therefore have to be carefully identified and specified in the privacy notice.
b) Not specifying instances of cross-border data transfers
While many entities share or disclose personal data outside India, whether for storage services or to their affiliate and group entities, most data fiduciaries do not appropriately inform data principals of such transfers. Backup and storage on foreign servers is one activity that may qualify as a cross-border transfer.
c) Not accounting for different sources of data collection
Privacy policies often do not mention the sources from which a data fiduciary obtains data and usually focus only on the data collected directly by the data fiduciary.
d) Names of third parties with whom personal data is shared are not specified
Lumping recipients together under generic categories such as associates, affiliates or service providers should be avoided. Where it is not possible to disclose the names of all such entities to the data principal upfront, the data fiduciary can devise other mechanisms to disclose such details to data principals as and when required, for instance by disclosing the names of the entities in a phased manner or on request by the data principal.
In the next part of the Implementation Series, we will cover the remaining requirements for a valid privacy notice as necessitated under the Bill.
[The authors are Partner and Associate, respectively, in Data Protection and TMT practice of Lakshmikumaran & Sridharan Attorneys, New Delhi]
[1] Clause 7 (1)(e) of the Bill, 2021.
[2] Clause 11 of the Bill, 2021.
[3] Clause 11(2) of the Bill, 2021.
[4] Clause 12 of the Bill, 2021.
[5] Clause 13 of the Bill, 2021.
[6] Clause 14 of the Bill, 2021.
[7] Clause 14(1)(a) of the Bill, 2021.
[8] Clause 14(1)(b) of the Bill, 2021.
[9] Clause 14(1)(c) of the Bill, 2021.
[10] Clause 14(1)(d) of the Bill, 2021.
[11] Clause 14(1)(e) of the Bill, 2021.
[12] Clause 7 (1)(f) of the Bill, 2021.
[13] Clause 7 (1)(f) of the Bill, 2021.
[14] Clause 7 (1)(g) of the Bill, 2021.
[15] Clause 7 (1)(h) of the Bill, 2021.
[16] Data Protection Commission v. Facebook Ireland, (Schrems II), CJEU - C-311/18.