
Customer Relationship Management




3. It also extensively takes into consideration the Indian context – the “Aadhaar” program that uses biometric information.
4. Explicit consent or even approval from a regulatory authority may be required to be obtained to collect sensitive personal data.
5. Processing of data in an automated manner must be avoided when it affects the vital interests of the data subject.
6. The data once collected must be deleted after achieving the purpose for which it was collected.
7. Privacy impact assessments to be conducted by independent authorities in the form of transparent audits, for the protection of personal data.
8. Appropriate measures to protect the data of Indian citizens that are processed outside the country.

12.1.4 Need for such Legislation

Notwithstanding the concerns around the risks posed by this vast interconnected public information database, there are issues being raised about the need to even have legislation in the first place. The argument being made is that given the technical and highly dynamic nature of personal data, a heavy legislative approach is probably unwarranted. Instead, industry self-certification could achieve the same results without the downsides of putting in place a legislative and regulatory framework.

In order to implement this, various industry verticals would need to appoint independent certifying agencies to prescribe data standards and to oversee compliance with data protection principles. The system is voluntary but relies on peer pressure to ensure that conscientious corporations remain compliant with their obligations in order to continue to be accepted by their customers and business ecosystem.

While this suggestion does offer a lighter touch, it does not give the individuals whose data is at risk any form of legal remedy in case of a breach of their personal privacy by the self-certifying organizations. In the event any such organization commits a data breach, the individual whose data has been lost will have no legal recourse. Data protection can only be ensured under a formal legal system that prescribes the rights of the individuals and the remedies available against the organization that breaches these rights. It is imperative, if the aim is to create a regime where data is protected in this country, that clear legislation is drafted that spells out the nature of the rights available to individuals and the consequences that an organization will suffer if it breaches these rights.

It is possible to develop a hybrid approach where a statute is enacted to provide the contours within which all organizations, private and public, are to conduct themselves with regard to personal information that they collect. Industry associations could then define more detailed guidelines and practices that member organizations would need to follow with specific reference to the specific issues of that industry.

12.1.5 Legislative Competence

Before embarking on the exercise to prepare data protection legislation, it is important to ascertain whether the Centre has the legislative competence to enact such a law. Article 246(1) of the Constitution of India grants the Parliament the power to legislate on matters set out in List I of the Seventh Schedule of the Constitution. This list does not specifically contain an entry under which data protection laws may be classified. However, entry 97 provides the Parliament




LOVELY PROFESSIONAL UNIVERSITY