India is moving towards a privacy conscious regime and is trying to catch up with the world on recognizing privacy in digital space. While handling personal data, a data fiduciary is to adhere to the principles of lawfulness, transparency, fairness, data minimisation, accuracy, integrity, accountability, purpose and storage limitation. The government is in the process of implementing a whole new digital architecture as proposed under the Data Protection Bill, 2021 (hereinafter the ‘Bill’) which is modelled on the General Data Protection Regulation (GDPR) in European Union. This new architecture comes with a completely new set of obligations and compliance requirements which a data fiduciary will have to undertake to become privacy compliant. Our Implementation Series aims to simplify these requirements so that the concerned entities are well aware of what they will have to undertake when the proposed law becomes an Act of the Parliament.
Having a legally compliant privacy notice or policy is amongst the first steps when complying with the provisions of a privacy regulation. A legally compliant privacy notice helps in depicting transparency in data processing and also enables trust between the data fiduciary and its data principals.
A privacy notice is a statement or disclosure which aims to provide an overview of the privacy practices adopted by the data fiduciary. Clause 7 of the Bill provides a non-exhaustive list of requirements which a data fiduciary will have to consider within their privacy notice. In this part of the Implementation Series, we will be discussing the first four requirements for a privacy notice as provided under the Bill.
Statement of purpose [1]
This requirement in the privacy notice stems from the purpose limitation principle[2] of data privacy. Within the privacy notice, the data fiduciary will have to identify all purposes for which the personal data will be processed. The purpose for which data is to be processed should be explicitly specified to enable a clear and unambiguous demarcation of the purpose for which the personal data would be processed
When the purposes are identified and stated in the privacy notice, the data fiduciary will be bound to use the personal data processed only for those specific purposes or for other reasonable purposes.
Since such purposes have to be specifically indicated in the privacy notice, the purposes have to be identified beforehand. Not identifying all the purposes specifically for which personal data is to be processed is likely to lead to situations where purposes may be listed generally, thus risking non-compliance. It is pertinent to note that the Bill does provide for personal data being processed for practiced purposes which are incidental or connected with the purpose communicated. This, however, should not be used for extending the scope of the stated purposes to cover non-incidental practiced purposes.
The data being collected may be used for a variety of purposes. For instance, let’s assume a data fiduciary collects the name, address and contact information of the data principal in an e-commerce transaction, wherein which the personal data would be used for fulfilling an order placed by a customer. Thus, the privacy notice may list the following as purposes: -
- For the delivery of products or to process returns, and
- To obtain feedback of its customer.
The data fiduciary may also use this information-
- For communicating promotional activities,
- To analyse its performance in the business and of the product,
- Sale prospects within a geographical area where it’s products has demand, etc.
The above are only examples and are only provided for sake of explanation. The Bill does not seek to limit the extent of the purposes nor provides a cap for the number of purposes for which the personal data may be processed. It only requires that all such purposes should be indicated in the privacy notice. Considering that purpose limitation[3] is one of the fundamental principles of data privacy, it is always advisable for the data fiduciary to carefully identify different purposes for which the personal data would be used.
Nature and categories of personal data collected[4]
The privacy policy should also indicate the nature and different categories of personal data that is to be collected. The Bill provides three categories of personal data starting from ‘personal data’ of a general nature which has a low risk of significant harm being caused to the data principal, ‘sensitive personal data’[5] which has a higher risk of causing significant harm to data principal and critical personal data (not yet defined) which would be categorised as data that shall have the highest risk of causing significant harm to the data principal in the eventuality of any data breach or loss. The objective here is to ensure that the data principal is aware of the risk category of the data collected from data fiduciary. Therefore, whether the personal data being collected is sensitive or critical, would have to be indicated in the privacy notice.
The data fiduciary should avoid using bundles of information as far as possible. For instance, instead of stating ‘contact details’, it is advisable to provide the specific contact details (e.g., email address, phone number and/or address) in the privacy notice which may be processed.
It is important to note that the obligation to specify the nature and categories of the personal data does not apply only to the personal data being provided by the data principal, but to the personal data being collected. Therefore, care should be taken to not only focus on the personal data being provided by the data principal but also on data that may be collected otherwise (e.g., machine data) through automated means or cookies. In such cases, the data fiduciary ought to indicate that such machine data is also being collected. In case of cookies, cookie choices or cookie polices may be separately provided as well.
Identity and contact details of the data fiduciary and the Data Protection Officer (DPO)[6]
The data fiduciary is obligated to disclose the identity and contact details of the data fiduciary and contact details of the DPO if the data fiduciary is notified as a significant data fiduciary. This is necessary to enable a data principal to raise complaints, resolve grievances, gather information and clarifications, or for other affiliated purposes. A data fiduciary should ideally provide contact details of a point of contact usually referred to as the DPO of the data fiduciary. Alternatively, the data fiduciary may be required to disclose the contact details of its Grievance Officer[7] if the data fiduciary does not qualify as a ‘significant data fiduciary’.[8]
Procedure and right of the data principal to withdraw his consent[9]
For any processing conducted by the data fiduciary, for which the data fiduciary relies on consent as the legal ground for processing, the legality of such processing is determined by the capability of the data principal to withdraw his consent to exhibit his control over his personal data. To this end, the privacy notice should not only explain to the data principle the categories of processing for which the data fiduciary relies on consent as a legal ground for processing but should also inform them their right to withdraw such consent at any time. The procedure for such withdrawal of consent should be as easy as obtaining consent for the same processing activity.
Common mistakes that are to be avoided when preparing a privacy notice
- Purposes kept broad or general.
- Different uses of particular data sets not highlighted.
- Failure to highlight the nature and categories of data.
- Only personal data directly provided by the data principal to the data fiduciary are listed in the privacy notice.
- Details of DPO not provided.
In the next part of our Implementation Series, we will be dealing with the next four requirements for a Privacy Notice as provided under Clause 7 of the Bill.
[The authors are Partner and Associate in the Data Protection and TMT law practice at Lakshmikumaran & Sridharan Attorneys, New Delhi]
[1] Clause 7(1)(a) of the Data Protection Bill, 2021
[2] The privacy principle of purpose limitation means that data collected for a particular purpose should not be used for any other incompatible purpose.
[3] The privacy principle of purpose limitation means that data collected for a particular purpose should not be used for any other incompatible purpose.
[4] Clause 7(1)(b) of the Data Protection Bill, 2021
[5] Clause 15 of the Data Protection Bill, 2021 provides categorization of personal data into sensitive personal data considering aspects relating to risk and possibility of significant harm, expectation of confidentiality attached to a particular data set and the adequacy of protection granted by other ordinary legislations.
[6] Clause 7(1)(c) of the Data Protection Bill, 2021
[7] Rule 5 (9) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Protection Rules”).
[8] Clause 26 of the Data Protection Bill, 2021
[9] Clause 7(1)(d) of the Data Protection Bill, 2021
