Sunday, May 19, 2024

How dating apps exploit India’s loosely formed definition of ‘personal information’




Sensitive personal information, to which the Privacy Rules primarily apply, is defined narrowly to only include specific categories of personal information such as financial information in the nature of a credit or debit card or other payment instrument details, biometric information, passwords, health information, medical records and history, and sexual orientation information.

The second significant challenge with the Privacy Rules is that, though consent for categories of sensitive personal information is required under Indian law, such consent need not be specific or informed, unlike advanced data protection regimes across the globe, like the GDPR enforced by the Norwegian DPA (discussed earlier). However, unlike most other countries with sophisticated data protection legislation in place, crucial categories of information (mentioned above) are not even categorized as sensitive personal information – such as one’s political or religious beliefs, genetic data, ethnic origin, caste or tribe, intersex or transgender status, or information generally relating to one’s sex life.

What does this mean for our privacy? Since the introduction of the Privacy Rules, despite an exponential and unparalleled increase in the number of online users in India, online platforms do not even legally require the permission or consent of Indian users to collect their personal information.

To contrast this with international best practices on data protection, most developed countries require consent for the collection of personal information, while also creating a bundle of enforceable rights in relation to that data. For instance, the GDPR in the European Union (as discussed earlier, in the context of Grindr) includes the right to be forgotten, right to erasure, right to restrict processing as well as the right to data portability (each of these rights is discussed in detail in Chapter X). However, the Privacy Rules create only a limited number of rights, including the right to access and correct any deficiencies or inaccuracies in relation to our personal information, and the right to withdraw one’s consent, albeit only in relation to sensitive personal information. Compared with the rest of the world, this puts us far behind in terms of sophistication in data protection law.

In fact, since the introduction of the Privacy Rules in 2011, there have hardly been any noticeable instances where online businesses have been held adequately accountable for violating user privacy.

Further, countries with sophisticated data protection laws prescribe penalties for failing to comply with security protocols to protect user privacy. For instance, under the EU GDPR, data protection authorities can issue fines of up to €20 million or 4 per cent of the global turnover of the previous financial year of a business, whichever is higher. To illustrate how high the stakes are in the EU for violating someone’s privacy, let’s look at the figures – Facebook’s annual turnover in 2018 was $55 billion, 4 per cent of which could, for instance, mean a fine of $2.2 billion. In fact, the Federal Trade Commission (an independent agency of the United States Government for consumer protection) recently imposed a fine of $5 billion on Facebook for allowing Cambridge Analytica to collect data from its platform, which was approximately 9 per cent of Facebook’s worldwide turnover.

In India, however, the maximum penalty under law for failing to comply with several obligations under the Privacy Rules relating to personal data and sensitive personal data, for which no penalty is separately prescribed, can only be ₹25,000 ($350 approx.). For big technology companies with billions of dollars, it is probably a lot more expensive to comply with data security norms than to pay the penalty in the first place; on balance, it is perhaps far more profitable to disregard privacy as a consideration in India. Consequently, many big tech companies have thinner privacy policies in India as compared to Europe and the United States.

The absence of a framework that holds platforms adequately accountable for failure to respect privacy norms results in the absence of incentives for businesses to adopt privacy-respecting practices.

This excerpt from ‘What Privacy Means’ by Siddharth Sonkar has been published with permission from Hachette India.

Source: The Print
