Data Privacy – Indian Information Technology Act, 2000 vs EU’s GDPR

A few years ago, I used to carefully note down the date for my vehicle insurance renewal and kept reminding myself to renew the insurance before the policy expiry date.  I used to think how nice it would be if someone reminded me before the policy expiry date instead of me having to worry about missing the date.  Apparently, the technology companies and telemarketers heard me and granted my ‘wish’.  These days I get at least a dozen calls every week, reminding me to renew my policy at least 3 months before the policy expiry date.  To my surprise, I get calls from various other insurance companies with whom I have never dealt.  This made me realise that there is no such thing as ‘my personal data’ anymore.  Dominos knows what kind of pizza and what quantity I ordered from Pizza Hut last time, Facebook shows what product I searched for in Amazon, my browser has a link to my personal DHL package delivery, etc.  I am not the kind of individual who fills up random surveys or fills in personal details for a gift coupon or surprise gift in the malls, and I used to believe that my personal data was safe with me.  But still there are many people and companies out there who know my personal information and conveniently use it for their own benefit.

With this scary thought, I searched online to see if there are any prevailing rules that prevent companies from using private and personal information for their marketing/business building purposes without the consent of the individuals.  I stumbled upon Section 43A of The Information Technology Act, 2000, which talks about protection of data.

What is Section 43A? Section 43A of the Information Technology Act, 2000 [1], which deals with compensation for failure to protect data, states: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”  Section 43A further explains:

(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

I felt a sense of relief noting that there is actually a ‘law’ that addresses my concern.  However, given my experience, I believe either the companies are unaware of this rule or pretty lax about it.  The law is worded to sound more like a ‘warning on the cigarette pack’ than a statement of the dire consequences of a breach.

Being in the IT industry and dealing with customers in Europe, I keep an eye on their regional regulations, standards and policies.  One of the regulations that the EU Parliament came up with is the GDPR, which has a global impact.

What is GDPR?  After several years of debate and deliberation, the General Data Protection Regulation or GDPR [2] was finally approved by the EU Parliament on 14 April 2016 and was enforced from 25 May 2018.  The regulation has been designed and drafted to fundamentally change the way in which the personal data of EU citizens, including residents of the EU, is handled by companies across every sector, including healthcare, banking, etc.  GDPR replaces the Data Protection Directive that had been in existence since 1996.  GDPR regulates how the personal data of EU citizens and residents is managed and processed, not just within the boundaries of Europe but across the world.  This effectively means that if a company holds even one EU individual’s data, it needs to comply with GDPR.  The fine for failing to comply, or for a breach, is as high as 20 Million Euros or 4% of the total worldwide annual turnover of the company for the preceding financial year, whichever is higher.

What makes GDPR special?  Amongst the several changes that GDPR has come up with, I think the jurisdiction, i.e. the applicability of the regulation, and the empowerment of consumers are the two major changes that have created ripples across the world.

  1. Jurisdiction – One of the biggest changes to the regulatory landscape of data privacy is the extended jurisdiction in which GDPR is applicable. Regardless of the company’s location of operations, GDPR applies to all companies processing the personal data of data subjects residing in the EU.
  2. Explicit Consent – GDPR also directs companies to set a higher standard for data consent in the first place.  As per GDPR, businesses must now ensure that the consent given by their customers is an affirmative and unambiguous action and is for specific processing operations only. This also means that businesses will no longer be able to use their existing customer data and avoid obtaining explicit consent from their customers.  Silence, pre-ticked boxes or inactivity will not constitute consent for digital marketers.

Indian companies dealing with EU data subjects need to comply with GDPR or pay hefty fines.  Indian companies have been spending loads of money to implement controls, introduce stringent processes and increase governance around data privacy.  According to Vishak Raman – Director, Security at Cisco [3] – “India has greatly improved upon its GDPR readiness with its fast-evolving data privacy ecosystem, which is primarily because of a collaborative approach by the government and private organisations”.  It is reported that GDPR-compliant organisations have seen a lower number of data breaches and a reduced number of data security incidents.  Directed by the Supreme Court of India, the Justice Srikrishna Committee [4] was formed with the objective of drafting a data privacy and protection bill.  The committee has drafted the bill and submitted it to the Union Minister for Electronics and IT, Law and Justice.  The bill is yet to be passed, but once passed, it is expected to bring much-needed control over how companies use personal data in India.

Resources:

[1] https://meity.gov.in/content/information-technology-act-2000-2

[2] https://eugdpr.org/

[3] https://inc42.com/buzz/nearly-65-of-indian-companies-ready-for-gdpr-compliance-cisco/

[4] https://economictimes.indiatimes.com/news/politics-and-nation/justice-bn-srikrishna-committee-submits-report-on-data-protection-herere-the-highlights/articleshow/65164663.cms
