“Personal Information” belongs to the “Person” who is the data subject. The essential aspect of Privacy protection is to recognize the primacy of the individual to determine what he can do with his personal information. Once the personal information is handed over by the individual to an entity in return for some benefit, a contract gets established. Further handling of this contractual obligation depends on the terms of this “Personal Information Collection Contract” (PICC).
This PICC needs to define what the parties consider as “Personal Information” and everything about it such as why it is collected, how it is used etc., which are all the principles of Privacy protection.
Since there are multiple frameworks and different norms for recognition of what is “Personal” and “how personal information needs to be protected”, it is essential that the parties to the PICC contract are clear about what they agree upon and what they do not.
Most of the time such Policies are worded as one-sided declarations, presented in a manner that does not get the right attention of the data subject: they are unclear and complicated, the notice is not effectively communicated, and consent is only “implied”.
As regards personal information of the employees, there could be an overriding employee contract that binds the employee, and hence it is necessary that “Personal Information of employees” is considered as a different class of data from the “Personal Information of the Public”. The privacy obligations that we normally discuss under different frameworks are to be applied to the personal information of the public and not to that of the employees.
“Implied Contracts” are not good for the organizations since Courts tend to interpret them in favour of the individuals who are the weaker party to the contract.
Since interpretations and understandings differ from framework to framework, country to country, culture to culture, it is prudent for data collectors to indicate in their PICC that it adopts the general principles of a particular framework.
When an organization adopts a framework promoted by a “Non Legal Entity”, it is deemed a “Voluntary Best Practice” and can be overridden by a statutory law that may overlap.
In such cases, the judiciary may try to interpret the “Stronger of the two” as the applicable criteria for protecting the privacy rights of the individual. It is open to the Judiciary to ignore the “Best Practice” and consider the “Law on Privacy” as applicable to the individual as the basis to determine whether the level of protection provided was adequate or not. It is not conceivable for a Court to override the applicable law and adopt a “Voluntary Best Practice” to resolve a conflict.
For Business Managers, the first target should therefore be the norms prescribed in law. For this purpose the PICC should be drafted as a “Contract” which is “Enforceable” in the “Jurisdiction” that the organization prefers. Sometimes the organization and the individual may be in different jurisdictions, and this could lead to multiple jurisdictions applying.
The best option for dispute resolution is to choose the applicable law of the individual’s jurisdiction and provide an online platform for redressal.
In many jurisdictions including India, “Click Wrap Contracts” are not recognized and are not compliant with the law, and hence a judicially supported PICC contract cannot be formed by a web site notice with an “I Accept” button. When it comes to Mobile Apps it is even more clear that the terms of the PICC contract need to be presented with sufficient clarity within the limited space that the small screen can accommodate.
The “Privacy By Design” effort should therefore start with the simple first step of how to build a PICC contract into the current Privacy Policies.
I look forward to comments in this regard.