I own my Data… Processor owns only the device!

In discussions on “Privacy” we often debate how can the service provider use my data for purposes which are commercially beneficial to him but I am neither aware nor benefiting from such usage.

The general principle of all Privacy legislations is that the “Data shall not be used nor disclosed by the processor except as authorized by the data owner or otherwise provided under law”. Data owner often signs a contract with the data collector in which the data collector discloses his privacy policy detailing why he is collecting the information, what he will do with it etc. Once this contract is accepted by the data owner by say “Clicking on the I accept button”, it is deemed to be a consent and it will determine all further rights and liabilities.

In India “Click Wrap” contract through an “I Accept button” is not recognized in law and hence all such consents only become “Deemed consent” which is “Voidable” at the option of the customer at least as to some fine print clauses of the standard contract.

Under these circumstances, if the data user had over stepped the consent terms and used the data for commercial exploitation, the data owner normally could only grumble without a proper legal remedy.

It appears that now there is a new door being opened in the Privacy legislation in India applicable to “Health information” which is also a “Sensitive Personal Information” under ITA 2008.

The recently amended EHR guidelines released by the Ministry of Health and Family Welfare which is a pre-cursor to the Health Care Data Privacy and Security Act make a categorical statement that

  1. The contained data which are the sensitive personal data of the patient is owned by the patient.
  2. The medium of storage or transmission of such electronic medical record will be owned by the healthcare provider.
  3. The physical or electronic records, which are generated by the healthcare provider, are held in trust by them on behalf of the patient

This provision actually lends substantial strength to the “Consent” by not only making it a part of a Contract under the Indian Contracts Act but also introduces the element of possibility of “Breach of Trust” if the data user uses the data other than as provided for in the consent.

Though the EHR does recognize the national interests in denying some privacy rights (which we shall discuss in a subsequent article), the use of the term “Data is owned by the patient” makes a strong case for legal interpretation of “Data” as “Property” and all the rights associated with it including the right of the data owner to place a price on it. If the data user makes any substantial profit out of aggregation of individual data, it would therefore be reasonable to expect that part of the commercial benefit arising thereof should go to the data owner.

This concept though laid out specifically in the case of health data, should be extendable to all types of data including financial data.

It would require some time for understanding the full implications of this concept in the era of data analytics and data aggregation over IoT devices and a multitude of platforms.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.