1. Introduction.

The data protection regime in India is in a state of flux. The year 2017 has been a humdinger of a year for data privacy laws. On August 24, 2017 the constitutional bench of the Supreme Court[1] decided that the right to privacy was, after all, a fundamental right.[2] The Supreme Court also noted in the matter that “the government has initiated the process of reviewing the entire area of data protection, it would be appropriate to leave the matter for expert determination so that a robust regime for the protection of data is put into place. We expect that the Union government shall follow up on its decision by taking all necessary and proper steps.” Following the judgment in re Puttaswamy, the Committee of Experts on a Data Protection Framework for India chaired by Justice B. N. Srikrishna released a white paper on November 27, 2017.[3] The Ministry of Electronics & Information Technology (MeitY) issued a press release on December 28, 2017 seeking public comments on the white paper by the end of January 31, 2018.

While the country is waiting for the government to issue new laws on data protection and privacy, the popular question right now seems to be what should be included in a privacy policy today.

2. Present position of law.

The extant law on privacy and data protection is very clear. Section 43A of the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Sensitive Information Rules”) requires every business in India which collects, receives, possesses, stores, transmits, processes or can associate pretty much any other verb with ‘personal information’ directly under a contractual obligation with the provider of information[4] to have a privacy policy.[5] Such a privacy policy must provide the following[6]:

  1. clear and easily accessible statements of its practices and policies;
  2. type of personal and sensitive personal data or information collected by it;
  3. purpose of collection and usage of such information;
  4. disclosure of information including sensitive personal data or information collected;
  5. reasonable security practices and procedures adopted by it.

The general trend, unfortunately, has been to (i) use the privacy policy and terms of use provided by the website designer as a package, or borrow one from a competitor, or a friend and, in one instance, a neighbouring aunty’s son’s good friend, (ii) hide it at the bottom of the website in the smallest font possible, and (iii) fill it with incomprehensible legalese with mountain-high clauses. Such lack of thought and casual handling has allowed the Indian digital land to become lit with data and identity theft issues. The potential for mischief and crime is indeed very ripe.

3. Elements of privacy policy.

A privacy policy is akin to a pre-nuptial agreement. A one-size-fits-all privacy policy may not be sufficient. A privacy policy should be crafted with purpose and consideration. The essential elements of a privacy policy as per the extant data protection laws of India