A visibly agitated man once entered the American retail giant Target to inquire why his teenage daughter had been receiving coupons of baby products. A few days later, when the manager of the store called up the man to apologize to him, the father replied that his daughter was infact pregnant. Following the incident,  New York Times reported that Target assigns each shopper a unique code, internally known as the Guest ID number which is connected to e-mails sent by the store to its customers, and the store further tracks website visits by its customers. Target, like several shopping portals customarily analyzes data, alongwith demographic information and maps out behaviour information of its customers. Customized services and tailormade offers to customers are  definitely a few benefits of  rigorous data mining mechanisms, and clicks with many as a successful marketing strategy.

Commercial Value in Transfer of Data

Neil Robinson describes personal data as the lifeblood of information economy. Collecting personal data of consumers and trading it for commercial purposes, is a common practice amongst  companies, as was observed by the Data Security Council of India. Uber, Google, Twitter, Facebook and Zomato, independently engage in customized data collection at the time of installation of these applications. These platforms have notoriously been in news for flouting data protection standards. Consumer privacy has been central to the debate on using information as a currency of exchange. Commercial relationships between Google and several companies such as Amazon, Flipkart exist in the name of tailoring better and personal services to customers. It is relevant to note that processing and collection of the data is admittedly easier when services are accessed through applications on mobile phones. Twitter  for instance, demands at the time of installation, information ranging from details of the contacts enlisted on the phone to permission to access photos/media/files saved on the external storage the device id and call information.

 Jane Bambaueur refers to data as ‘speech since it carries informational value, and on the basis of this notion, she argues that transfer of data should be protected under commercial speech. This notion has found favour with the Courts. The Supreme Court of the United States in 2011, held that the sale of personal data is protected within the ambit of first amendment, and is commercial speech. The Court invalidated a statute that prohibited pharmaceutical stores and companies from selling data obtained through prescriptions of individual doctors. Extending the First Amendment protection to such transfers, the Court reasoned that government agencies collect and store data and this practice cannot be deemed illegal when applied to pharmaceutical companies only on the grounds that the latter have vested commercial interests. The statute in question banned prescription drug companies from obtaining patients’ personal information for marketing purposes without the prescribing physician’s consent. What remained on either side of the battle was the right of the companies to privately sell the data against the State’s claim that data of such nature is not speech. The decision was a victorious one for first Amendment rights but disrupted the notion of medical and consumer privacy.

Commercial Transfer of Data in the India

In India, the judicial development of commercial speech under article 19(1), is yet to touch upon commercial transfer of data. The Delhi High Court dealt with disclosure and publication of confidential information while deciding on Petronet in 2009,however,  sale of personal information is yet to be explored in India.

That being said, the IT Act has made scattered but able attempts at securing data by formulation of rules on principles of consent and purpose limitation at the time of collection of data. Rule 4 of the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 provides that:

“The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract.”

Rule 3 enlists information which could be constituted as sensitive personal data and attaches an exception that it ceases to remain sensitive if the information in question is already in public domain or can be furnished under the Right to Information Act, 2005.

All privacy policies provide disclaimers stating that they will or will not extract personally identifiable information such as health records and sexual preferences or gender specific information, and a few provide disclaimers about dispatching cookies for collection of nuanced data. The policy statements are almost always drawn up on accepted privacy standards under the Information Technology Act, 2000 since there is no well laid regulatory framework to monitor the free flowing data.

Scattered provisions on data protection visibly exist in India and can be worked with temporarily. The issues on transfer of data however, do not necessarily end on commercial contours. Sharing of collected information with government agencies and procurement of data upon request by the government have found their way in the IT Act and are prescribed as clauses to be included in a company’s privacy policy. Such related concerns are by no means secondary, and the need of the hour dictates that concrete and formalized regulatory structures are put in place.