Privacy laws for consideration in building digital products

Reading time : 6 minutes

Abstract

There are many startups and enterprises building products that millions of people use in day-to-day life. Whether these products comply with privacy laws is a million-dollar question. It is imperative for organizations building digital products to understand the implications of the privacy laws they must adhere to, so as to avoid legal ramifications. As organizations adopt “privacy by design”, this research paper discusses the tenets of digital products and the privacy laws that organizations should keep in consideration while building digital products. The paper also outlines various considerations from the product development lifecycle context that product managers and the product development community can leverage.

Introduction

The Oxford dictionary defines privacy as seclusion: “the state of being alone and not watched or disturbed by other people”. In today’s world a digital product can be a mobile app, a physical product like Alexa, an IoT-enabled washing machine or air conditioner, an enterprise application used within an organization, and so on; the list will keep growing. Dr. Ann Cavoukian[1], recognized as one of the world’s leading privacy experts, notes that privacy in product development must be proactive and reactive. We can still see organizations like Google, Twitter and Facebook managing privacy disputes in court, and it is a costly affair.

Problem Statement

Startups and organizations building products should be cognizant of the various aspects of privacy while building the product; otherwise it could turn costly at a later point in time. Amazon received a record $888 million EU fine for data violations[2], data of 700 million LinkedIn users was exposed[3], and 50 million Facebook profiles were harvested for Cambridge Analytica. The following aspects have to be considered prima facie when designing digital products.

  • Product distribution aspects in specific regions
  • Data collected from the product
  • Data collected during signup
  • Data Life cycle with respect to the product
  • Integration of data collection from Embedded components of the device.
  • Establishing granular level of data access controls to enforce Zero Trust
  • Managing the regulations and standards expectations for privacy
  • Perimeter and attack vectors of the target product in the context of privacy

Being responsible for the product development life cycle, these enterprises need to be cognizant of the privacy laws and ensure adherence to them, to avoid legal disputes and hefty fines from legal authorities. Adopting the right privacy practices also increases trust in the product in the marketplace, resulting in higher sales.

Product Development Context

To address these privacy concerns during the product development life cycle, enterprises should adopt “Privacy by Design”[4] (PbD) as per ISO 29100[5]. Continuous monitoring of privacy practices, and adopting them at the product level, is essential. This can be done with the help of the privacy engineering practices recommended by NIST.[6]

In this context the enterprise that develops the application or digital product is a fiduciary, responsible for abiding by the privacy laws of the jurisdictions in which it operates. These organizations face an inherent challenge: they cannot sell the product, customize its behavior or support the customer without collecting specific information, and they cannot collect that information without the consent of the customer or individual.

Privacy Law considerations across the globe

The Supreme Court of India, overruling the 1961 Kharak Singh verdict, held that the right to privacy is a fundamental right and an integral part of the right to life and liberty. In a 547-page judgement, 9 judges of the Supreme Court declared on 24th August 2017 that privacy is a constitutionally protected value.[7] The verdict looked at various privacy doctrines, India’s commitments under international law, and a comparison of privacy laws in countries such as the UK, US, South Africa, Canada and the European Union. Even countries like the Netherlands include privacy as a fundamental right in the constitution: every individual has a right to privacy, including of mail and telephone.

The Personal Data Protection Bill 2019[8] focuses on the data fiduciary that processes personal data. It clearly outlines that it is the responsibility of fiduciaries to encrypt data at rest, prevent misuse of data, establish a grievance redressal mechanism for complaints from individuals, and so on. It also protects the rights of individuals, including confirmation of the personal data processed, correction of inaccurate or incomplete data, and transfer of data to another fiduciary; all of this is only upon receiving the consent of the individual. The bill also states that a violation is punishable with a fine of up to Rs. 15 crore or 4% of the fiduciary’s turnover. Non-personal data or anonymized personal data can be provided to the government.

Surveillance context: surveillance may be intrusive, and it may so seriously encroach on the privacy of a citizen as to infringe his fundamental right to personal liberty guaranteed by Article 21 of the Constitution and the freedom of movement guaranteed by Article 19(1)(d). That cannot be permitted. The Privacy Rules, which took effect in 2011, require corporate entities collecting, processing and storing personal information, including sensitive personal information, to comply with certain procedures.

GDPR, adopted in European Union countries, mandates a Data Protection Impact Assessment (DPIA)[9] and actions based on the DPIA report. The DPIA process helps to analyze, identify and minimize the data-protection risks in a product. The implementation should take into account the nature, scope, context and purpose of the data processing[10]. Failure to carry out a DPIA might expose you to enforcement action, with fines of up to £8.7 million or 2% of global annual turnover, whichever is higher.

The United States does not have a central federal law like the European Union’s GDPR. It has several privacy laws based on the US Privacy Act of 1974, which focused on the potential misuse of data held by government agencies. If you are building a healthcare-related product for the US healthcare system, or indeed any healthcare system, the HIPAA (Health Insurance Portability and Accountability Act) legislation is essential to cover. The HIPAA[11] regulations focus on PII (Personally Identifiable Information) and PHI (Protected Health Information). Processing of personal information in the United States is also regulated by the Federal Trade Commission (FTC)[12], which focuses specifically on the unfair and deceptive business practices laid down in Section 5. The FTC is the primary enforcement authority for federal privacy laws such as GLBA (Gramm-Leach-Bliley Act), FCRA (Fair Credit Reporting Act) and COPPA (Children’s Online Privacy Protection Act).

Impact of privacy breach through laws in India

Information Technology Act, Section 72: any breach of privacy without the consent of the individual concerned shall be punished with imprisonment of up to 2 years, a fine of 1 lakh rupees, or both. Section 66E: anyone who intentionally captures, publishes or transmits an image of the private area of a person without his or her consent is considered to have violated that person’s privacy, and the offence is punishable with imprisonment of up to 3 years, a fine not exceeding 2 lakh rupees, or both.

Under the Indian Penal Code 1860, Section 354C penalizes voyeurism, Section 354D cyberstalking, Section 228A disclosure of identity and Section 499 defamation; all are serious offences.

As per Section 5 of the Indian Telegraph Act 1885, the Government can take possession of telegraphs and order the interception of messages in the public interest. Even wilfully or fraudulently retaining a message delivered by mistake is, as per Section 30, punishable with imprisonment of up to 2 years. Product development companies must keep in mind that the applications they design or build should consider these aspects.

From an intelligence services standpoint, the Intelligence Services Bill, 2011, Section 4(a), Section 5(2a) and Section 7(2a) state that R&AW has to ensure that it collects only the information necessary for the discharge of its functions.

Considerations for product companies

When building digital products, the product development life cycle may involve different processes, stages and stakeholders: triage sessions, user research interviews, data collection sessions, beta testing and so on. Privacy should be considered across the entire life cycle of digital product development. So privacy protection should be considered for communication and information gathering, user research methods, due diligence exercises, contextual concerns, distribution strategy, training and documentation, evaluation, revision, etc., throughout the product development life cycle. When building products for a global audience, understanding the legal implications of privacy and data protection laws is imperative.

Assessment of privacy

It is important for an organization to use some level of self-assessment[13] to understand its current level of privacy adoption. The 10 Generally Accepted Privacy Principles (GAAP) can be used to understand where the organization stands with respect to adopting privacy principles, which is a good starting point. The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) together published a Privacy Maturity Model[14] in 2011, which helps to self-assess the current maturity level in the GAAP context. Similarly, another maturity model, the De-Identification Maturity Model[15] built by a company called privacyanalytics, is also available for evaluation.

FIPPS: FAIR INFORMATION PRACTICE PRINCIPLES

FIPPS[16] can be one strategy for adopting privacy practices; it focuses on collection of data, quality of data, purpose specification, use limitation, security, openness, individual participation and accountability. These help with aspects such as limiting collection to only the information that is needed, ensuring the collected data is accurate, getting permission to use the data, and explicitly outlining the purpose of collecting the data and how the application or product is going to use it. As a fiduciary it is the organization’s responsibility to protect the data by all means, whether through encryption at rest or in transit. It must be able to account for what the application or fiduciary knows about the individual, and it is held accountable for handling the information responsibly.

Identification of privacy concerns

In the digital product you build, it is important to understand the features being built and how they might impact privacy. When listing these features, some are explicit to all and perform their intended function, while others may be planned for future use or intended for a different purpose that is not explicit. All of them have to be listed from an openness standpoint. Drawing up a table[17] like the one below (a representative example, Table 1) helps to identify the concerns, their relationship with the potentially applicable law, and its impact.

Table 1

| Sno# | Product feature (intended/unintended) | Privacy concern | Legal concern |
|------|----------------------------------------|-----------------|---------------|
| 1 | Feature 1 – Sign up for the services | What data is collected during signup | Is the form GDPR compliant? |
| 2 | Feature 2 – Upload photo | Storing photos of the employees | GDPR – Article 17 – the Right to Erasure |

Establishing mitigation approach for concerns

We can consolidate Table 1 and understand the various legal concerns across the product features. The solutions or mitigation strategies for these legal concerns can be categorized into technical, human-managed policy rollout, and process changes. Technical mitigations could be rolling out new tools, implementing technology, making coding changes, rolling out security components, etc. This exercise can also help identify risk-mitigation strategies for the go-to-market strategy. When adopting non-technical mitigation strategies such as rolling out newer processes or policies, they need to be written in plain English and be simple to understand.

General best practices

  • Restrict access to data assets through the principle of least privilege
  • Establish strong Access control lists for access to data
  • Restrict data access by asset and function upon the asset
  • Certification of access to the data assets
  • Strong Identity and Governance practices
  • Better privileged access management practices
  • UI/UX design to be explicit about what is happening to their data and why
  • UI/UX to be explicit about the choices made and its implications during navigation
  • Scrutiny of 3rd party integration via API based on privacy aspects and its integrity
  • Data quality assurance measure through appropriate data validation practices
  • Establishment of privacy settings and preferences
  • Establishment of data erasure and destruction
  • Ability to anonymize data upon request by government agencies
  • No bias to features based on the privacy settings
  • Consistent update to the end users on any privacy policy changes
  • Consistent update on any local storage strategies such as cookies to the individuals
  • Minimalist approach towards the personal data collected as much as possible
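Several of the practices in this list (least-privilege access to data assets, data minimisation at signup, data erasure, and anonymisation before sharing) can be enforced in code rather than only in policy. The following is an added illustration, not code from the paper or from any of the standards it cites; the field names, roles, sample records and the `min_group` suppression threshold are all constructed for the example.

```python
# Added example (not from the article): a small in-memory data-access layer
# that enforces four of the practices listed above.
#   - signup() keeps only the fields the feature needs (data minimisation)
#   - read() applies a per-role field ACL (least privilege) and logs denials
#   - erase() honours a deletion request and leaves a tombstone so later
#     reads fail closed instead of silently returning stale data
#   - anonymised_counts() exports aggregates with no identifiers and
#     suppresses small groups to reduce re-identification risk
# All names and records below are hypothetical.
from typing import Dict, List, Set

# Fields the (hypothetical) signup feature actually needs; anything else
# submitted is dropped before it ever reaches storage.
SIGNUP_ALLOWED_FIELDS: Set[str] = {"email", "display_name", "country"}

# Least-privilege ACL: each role sees only the fields its function needs.
ROLE_FIELD_ACCESS: Dict[str, Set[str]] = {
    "support_agent": {"display_name", "country"},
    "billing": {"email", "country"},
    "analytics": {"country"},
}


class AccessDenied(PermissionError):
    """A role asked for a field outside its allowed set."""


class SubjectErased(LookupError):
    """The record was deleted under an erasure request."""


class UserStore:
    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}
        self._erased: Set[str] = set()
        self.audit: List[str] = []  # every decision is recorded for accountability

    def signup(self, user_id: str, submitted: Dict[str, str]) -> List[str]:
        """Store only the allowed fields; return the names that were dropped."""
        kept = {k: v for k, v in submitted.items() if k in SIGNUP_ALLOWED_FIELDS}
        dropped = sorted(set(submitted) - SIGNUP_ALLOWED_FIELDS)
        self._records[user_id] = kept
        self._erased.discard(user_id)  # a fresh signup is a new record
        self.audit.append(f"SIGNUP user={user_id} dropped={dropped}")
        return dropped

    def read(self, role: str, user_id: str, fields: List[str]) -> Dict[str, str]:
        """Return the requested fields if the role is allowed every one of them."""
        allowed = ROLE_FIELD_ACCESS.get(role, set())
        denied = sorted(set(fields) - allowed)
        if denied:
            self.audit.append(f"DENY role={role} user={user_id} fields={denied}")
            raise AccessDenied(f"role {role!r} may not read {denied}")
        if user_id in self._erased:
            raise SubjectErased(user_id)
        record = self._records[user_id]
        self.audit.append(f"READ role={role} user={user_id} fields={sorted(fields)}")
        return {f: record[f] for f in fields if f in record}

    def erase(self, user_id: str) -> bool:
        """Delete the record and keep a tombstone; returns whether it existed."""
        existed = self._records.pop(user_id, None) is not None
        self._erased.add(user_id)
        self.audit.append(f"ERASE user={user_id} existed={existed}")
        return existed

    def anonymised_counts(self, min_group: int = 2) -> Dict[str, int]:
        """Per-country counts with no identifiers; groups below min_group are suppressed."""
        counts: Dict[str, int] = {}
        for record in self._records.values():
            country = record.get("country", "unknown")
            counts[country] = counts.get(country, 0) + 1
        return {c: n for c, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    store = UserStore()
    # Constructed sample signups; 'phone' and 'dob' are not needed and are dropped.
    store.signup("u1", {"email": "ann@example.com", "display_name": "Ann",
                        "country": "IN", "phone": "0000", "dob": "1990-01-01"})
    store.signup("u2", {"email": "bo@example.com", "display_name": "Bo", "country": "IN"})
    store.signup("u3", {"email": "cy@example.com", "display_name": "Cy", "country": "DE"})
    print(store.read("support_agent", "u1", ["display_name"]))
    try:
        store.read("analytics", "u1", ["email"])
    except AccessDenied as exc:
        print("denied:", exc)
    print(store.anonymised_counts())  # the single DE subject is suppressed
    store.erase("u1")
    print("\n".join(store.audit))
```

The audit list is the piece a reviewer would look at first: every read, denial and erasure is recorded, which is what makes the "certification of access" and accountability items in the list auditable rather than aspirational. The group-size suppression in `anonymised_counts` is a deliberately simple stand-in for a proper de-identification review; a real export would be assessed against the maturity model referenced later in the paper.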

Compliance

Organizations can consider any of the following certifications for product compliance and for ensuring trust among the customer base: AICPA SOC 2 Type 2, ISAE 3402, FISMA, TRUSTe Certified Privacy, Swiss-U.S. Privacy Shield, and EU-U.S. Privacy Shield.

Conclusion

Organizations building digital products should look into the various contexts, consider the legal aspects, and make sure the product creates trust among their customer base. This paper outlined key laws across Europe, the USA and India that need to be kept in mind during development. It also touched upon the key privacy considerations for the product development community. This should be a good starting point for someone wondering where to look when building a digital product that takes care of the broader aspects of privacy. In future there is an opportunity to expand the scope to specific cases and judgements that have decided the course of product design and development. Such an effort would help many aspiring product developers learn from past failures and take cautious steps to minimize legal impact and large cost overruns during development. The key focus for future leaders should be to leverage privacy by design concepts and increase the maturity of the product as it grows.


[1] “Ann Cavoukian,” Wikipedia, 2021.

[2] “Amazon Gets Record $888 Million EU Fine Over Data Violations,” Bloomberg.com, 30 July 2021.

[3] Sarthak Dogra, “Data of over 700 million LinkedIn users exposed, it includes numbers, addresses and salary details,” India Today, 29 June 2021 (updated 1 July 2021), available at: https://www.indiatoday.in/technology/news/story/linkedin-breach-said-to-expose-data-of-700-million-users-globally-including-number-address-and-salary-details-1820843-2021-06-29 (last visited August 15, 2021).

[4] “Privacy by design,” Wikipedia, 2021.

[5] “ISO/IEC 29100:2011,” ISO, available at: https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/04/51/45123.html (last visited August 15, 2021).

[6] Sean Brooks et al., An Introduction to Privacy Engineering and Risk Management in Federal Systems (National Institute of Standards and Technology, 4 January 2017).

[7] “Justice K.S. Puttaswamy (Retd) & … vs Union Of India & Ors on 11 August, 2015,” available at: https://indiankanoon.org/doc/116396036/ (last visited August 15, 2021).

[8] “The Personal Data Protection Bill, 2019,” PRS Legislative Research, available at: https://prsindia.org/billtrack/the-personal-data-protection-bill-2019 (last visited August 17, 2021).

[9] “What is a DPIA?,” ICO, 2021, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/what-is-a-dpia/ (last visited August 15, 2021).

[10] “Art. 35 GDPR – Data protection impact assessment,” General Data Protection Regulation (GDPR), available at: https://gdpr-info.eu/art-35-gdpr/ (last visited August 15, 2021).

[11] “What Healthcare Startups Should Know About HIPAA Compliance,” MindSea Development, 2019, available at: https://mindsea.com/hipaa-compliance/ (last visited August 16, 2021).

[12] Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy (Introduction and Excerpt) (Social Science Research Network, Rochester, NY, 5 February 2016).

[13] “Privacy Law Self-Audit: Protecting and Managing Personal Data,” Privacy Policies, available at: https://www.privacypolicies.com/blog/privacy-law-self-audit/ (last visited August 17, 2021).

[14] “AICPA/CICA Privacy Maturity Model,” IAPP, available at: https://iapp.org/resources/article/2012-06-01-aicpa-cica-privacy-maturity-model/ (last visited August 17, 2021).

[15] “The De-identification Maturity Model,” IAPP, available at: https://iapp.org/resources/article/the-de-identification-maturity-model/ (last visited August 17, 2021).

[16] “Fair Information Practice Principles,” IAPP, available at: https://iapp.org/resources/article/fair-information-practices/ (last visited August 17, 2021).

[17] “The Architecture of Privacy [Book],” O’Reilly, available at: https://www.oreilly.com/library/view/the-architecture-of/9781491904503/ (last visited August 17, 2021).

Author: Siva Karthikeyan Krishnan and Dr. Pon Meenakshi

Editor: Kanishka Vaish, Senior Editor, LexLife India.
