Are Online Companies Compromising User Privacy?
A look at the recent ruling against Monster.com and implications for other Internet giants…
Not long after a nine-judge bench of the Supreme Court headed by former Chief Justice of India, J.S. Khehar, unanimously ruled that Right to Privacy is part of Right to Life and Liberty enshrined under Article 21 of the Indian Constitution, reports surfaced that a trial court had ordered an investigation into online job portal Monster.com’s alleged sale of user data to third parties.
Chief Metropolitan Magistrate (CMM) Naresh Kumar Laka reportedly said, “It is common knowledge that when a person applies for a job on the Internet, s/he feeds personal information which includes name, address and mobile number. In my opinion, the said data being personal information cannot be transferred/shared/sold to some third person without the consent of the said person.”
According to Laka, just because users agreed to the portal’s terms of use and privacy policy, it did not automatically mean that the portal could share or sell their information. Qualifying it further, Laka said that online companies could not share users’ personal information with third parties without the users’ informed consent.
“At the time of entering personal information or data, jobseekers are not aware that the said data can be sold to any third person or that it can be misused. Accordingly, the said ostensible consent of the said applicant/individual cannot be said to be a free, voluntary or informed consent,” Laka said.
Citing the historic Supreme Court judgment, the CMM directed the police to conduct a probe into Monster.com’s alleged sale of user data and nab the culprits who were involved. The CMM went on to say that such fake job rackets were proliferating across the country, and needed to be checked with a firm hand.
Monster.com, for its part, claimed that it had entered into a lawful contract for selling user data. The online job portal said that it relied on the agreement between job-seekers and itself, the terms of which were tantamount to Monster.com obtaining users’ consent to share their data.
In a statement issued on its website, Monster.com said, “By registering or by using this site, you explicitly accept, without limitation or qualification, the collection, use and transfer of personal information provided by you in the manner described in this statement. Please read this statement carefully as it affects your rights and liabilities under law. If you do not accept the privacy statement stated herein or disagree with the way we collect and process personal information collected on the website, please do not use it.”
Monster.com released a separate statement which read: “Monster.com is currently awaiting a copy of the court’s order and direction to understand the specifics of this matter. We will fully cooperate with the regulatory authorities and comply with all processes laid down by them to take necessary action against errant parties.”
“At the outset, we would like to officially state that Monster.com is a fully compliant organization in all its transactions with its customers, job-seekers, and all other related stakeholders. We encourage all our stakeholders, including our customers and associates, to comply with the terms of use and privacy norms of Monster.com websites as per applicable laws. Ethics, transparency, and ensuring data privacy and integrity is of the utmost importance to Monster.com,” the statement read.
Monster.com maintained that users, while signing up for its service, gave their consent to the company to collect personal, demographic, behavioral, and indirect information. Personal information comprised users’ names, addresses including email addresses, contact information including telephone numbers, and billing information.
Demographic information referred to users’ ZIP or postal code, age, preference, gender, race/ethnicity, occupation, career history, interests and favorites. Behavioral information included how users used the site, areas of the site they visited, services they accessed, and computer hardware and software information.
Monster Impact
Popular perception of portals such as Monster.com has so far been that these are authentic repositories of accurate data of users actively looking for jobs. However, the trial court’s order strikes at the very heart of this conception. Not surprisingly, other Internet giants too have been feeling the heat of the court’s decision ever since.
In one of the cases following the trial court’s ruling, the Supreme Court issued notices to Google and Twitter in connection with a PIL filed against them, voicing concerns over privacy of data shared across borders. The petition reportedly stated, “Privacy rules do not apply to body corporates like Facebook, Twitter and Google outside India.
The situation is alarming because Indian arms of these body corporates have stated that they have no control over content/data/information generated from India and pertaining to Indian users. The content, website and data/information generated on facebook.com, twitter.com, and Google.com is controlled by Facebook Inc., Twitter Inc. and Google Inc., respectively, all of which are body corporates outside India exempt from Privacy Rules, 2011.”
In another instance, a five-member bench of the Supreme Court directed Facebook and WhatsApp to file sworn declarations as to whether they had engaged in any kind of data-sharing activity with third parties. The order came after two students approached the court over changes made in WhatsApp’s privacy policy following its acquisition by Facebook. The petitioners alleged that after the merger, WhatsApp was sharing all its user data with Facebook, thereby violating users’ Right to Privacy.
When a leading publication quizzed a Bombay High Court lawyer, who specializes in data theft, on the matter, he explained that while data sharing depended on mutual agreements between users and online portals, the latter needed to take permission from users before sharing sensitive data such as financial and health information and passwords. In the event that online portals were sharing such data without an explicit agreement, they were committing data theft as per Section 43(b), read along with Section 66 of the Information Technology Act, 2000. In such cases, users could simultaneously resort to civil and criminal remedies.
About Laka’s ruling, the lawyer said that Right to Privacy came into the picture only when users had not already surrendered their rights by signing agreements or accepting conditions that explicitly allowed online portals to sell their data. He cited the example of professional networking website LinkedIn, which, on June 7, 2017, updated its terms of service, privacy policy and user agreement. The new terms explicitly stated that LinkedIn would allow certain third parties to view user profiles so that users could get more opportunities to connect with people. However, the site also gave users the option of not going for such broader distribution of their profiles.
Disclaimer – Statements and opinions expressed in this article are those from the editorial and are well researched from various sources. The content in the article is purely informative in nature.