Privacy policy is akin to a pre-nuptial agreement. A one-size fits all privacy policy may not be sufficient. A privacy policy should be crafted with purpose and consideration. The essential elements of a privacy policy as per the extant data protection laws of India are as follows:
Consent: The most crucial component of a privacy policy is 'consent'. In this regard the Supreme Court has in re Puttuswamy7 made the following observations:
"497. It was rightly expressed on behalf of the Petitioners that the technology has made it possible to enter a citizen's house without knocking at his/her door and this is equally possible both by the State and non-State actors. It is an individual's choice as to who enters his house, how he lives and in what relationship. The privacy of the home must protect the family, marriage, procreation and sexual orientation which are all important aspects of dignity. 498. If the individual permits someone to enter the house it does not mean that others can enter the house. The only check and balance is that it should not harm the other individual or affect his or her rights. This applies both to the physical form and to technology."
No information must be used without the consent of provider of information. Normally organizations will make their privacy policy as comprehensive as possible to avoid liability. The privacy policy will be at the bottom of the website in tiny font. Ordinary presumption is that lengthy privacy policies filled with legal jargon make for a sturdy legal document. Once the user has proceeded to use the platform for its services or solutions, the action of the user is deemed as consent to the privacy policy. However, it is crucial to understand that these types of consent are bereft of two crucial components of the concept of 'consent' – notice and choice.
Notice: The manner in which the privacy policy is presented to the user, i.e., not only the placement of privacy policy but also being able to reasonably prove that the user has had a chance to read and understand the terms in the privacy policy is a crucial requirement of consent. If the privacy policy is merely provided as a link at the bottom of the platform in small fonts, it may be argued by a user that he was never given any notice regarding the privacy policy. Thus, data controller must ensure that the privacy policy is provided in an easily accessible manner on the platform.
Choice: The other vital component is choice8. It is not enough that users have been shown to have accepted the privacy policy through a click-wrap mode; they should have the ability to opt-in and/or opt-out of the information sharing requirements of the business. The present laws allow the data controller to withhold the provision of the goods of services for which the information is sought, if the provider of information does not provide or later chooses to withdraw his consent.9 However, if the opt-in opt-out option is not provided to the provider of information in cases where the information has been collected for a specific purpose but is also intended to be used for some other purpose, then there is a risk that the deemed consent of the user to the long-form privacy policy is construed as 'contracts of adhesion'10 and as unconscionable11 by the Indian courts. For e.g., a healthcare platform which seeks to use the medical information of its users for some other purpose like suggesting fitness equipment that may be most suitable for the information provider, then such information provider should be given two options in the privacy policy – one which allows the platform to use the information being collected for other specifically demarcated purposes, other which disallows the platform to use the information being collected for other specifically demarcated purposes. By providing these two options the platform has essentially ensured that the consent obtained from the user was informed and proper and avoid the risk of being construed as a contract of adhesion.
Purpose of information collected12. The privacy policy needs to clearly specify the purpose of collection of the information.13 Only that personal information should be collected from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken14. An omnibus purpose which ambiguously refers to future commercial usage may not be favourably viewed by Indian courts, especially if the other elements of the privacy policy have not been met15.
If there is a change of purpose, this must be notified to the individual. The information collected for a specified purpose cannot be retained for longer than it is required of the purposes16. Thus, once the personal information has been used in accordance with the identified purpose it should be destroyed by the data controller. However the privacy policy should clearly specify the manner in which the personal information is intended to be used.
Disclosure of information. The type of information collected must also be clearly informed to the information provider. Technological advancement is not equivalent to technological literacy. It is not audacious to assume that many of the internet users are still unaware of the perils of data divulge. Therefore, it is vital that the information provider be informed about the nature of his personal information that is being collected. The data controller must also permit the providers of information, as and when requested by them, to review the information they had provided17. The other side of this aspect is that the data controller must also obtain prior permission if it intends to disclose the collected information to a third party18 except with government agencies mandated under law.
Security practices. The Sensitive Information Rules19 mandates every data controller to have comprehensively documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of the business. This document is often confused by the business with their privacy policy which is not the case. The international standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is on such standard that may be adopted.