CASE STUDY: A CRITICAL ANALYSIS OF NETFLIX ENTERTAINMENT SERVICES INDIA LLP FROM A DATA PROTECTION PERSPECTIVE

Author name: Aastha Bhandari 

Year of study: 4th

Institute of Affiliation: Jindal Global Law School 

Abstract:

This article presents a case study built around an analysis of the Privacy Policy of Netflix India, one of the largest OTT platforms operating in India. The analysis maps this Privacy Policy against the data protection requirements of the Draft Personal Data Protection Bill, 2019, read with the Report of the Joint Parliamentary Committee on the Bill. The detailed analysis in this post makes it evident that companies operating in India must significantly change their practices to meet even the bare minimum thresholds of data protection. The analysis is intended to serve as a practical guide for bringing about the necessary changes.

Keywords – Data protection, personal data, data fiduciary, Privacy Policy

I. Introduction: Understanding the Scope of this Study

The present post aims to analyse the Privacy Policy of Netflix Entertainment Services India LLP (hereinafter referred to as the “Data Fiduciary/DF”) in light of the data protection principles and requirements envisaged under the Draft Personal Data Protection Bill, 2019 (hereinafter referred to as the “PDP Bill/the Bill”) and the Report of the Joint Parliamentary Committee on the Bill, 2021 (hereinafter referred to as “the Report”). The post seeks to answer, for each requirement, whether the DF’s Policy: a) falls below the threshold set by the proposed Indian law (score = 0); b) meets the threshold adequately (score = 1); or c) goes over and beyond the threshold (score = 1.5). In this endeavour, the post also aims to arrive at a trust score/privacy score for the DF.

II. Analysing Whether Netflix India Meets the Standards of Data Protection as envisaged in the PDP Bill, 2019 and the JPC Report, 2021

a) Consent/Consent Manager:

Clause 11(2) of the Bill sets out the requirements for valid consent from data principals, namely that consent must be: (a) free; (b) informed; (c) specific; (d) clear; and (e) capable of being withdrawn, with Clause 11(3) additionally requiring explicit consent in the case of sensitive personal data. In order to understand whether the DF ensures that consent is collected at every stage, an attempt was made to sign up for a membership with the DF. There are three steps to opening an account: (i) enter your email address and assign a password to it; (ii) choose the plan you wish to take (this page mentions the Terms of Use in very small text but, surprisingly, does not mention or link to the Privacy Policy at all); and (iii) provide your payment details to the DF. Once you have paid and started your Account with the DF, there is no explicit and clear method of providing consent or of being made aware of the Privacy Policy (for example, a pop-up notification). This is a significant breach of the consent principle, because the DF has failed to provide data principals with a clear and genuine opportunity to actually give consent. It also fails to provide the notice to the data principal for the collection and processing of personal data that is mandated under Clause 7 of the Bill.

– The Report recommended the creation of Consent Managers, as part of Clause 3(11) of the Bill, whose function would be to enable data principals to give, withdraw, review and manage consent in an accessible, transparent and interoperable manner. However, the DF’s Privacy Policy makes no mention of the existence or contact details of any such Consent Manager.

b) Fair and Reasonable Processing/Purpose Limitation: The DF has failed to meet the requirements under this part of the Report, on account of the facts and reasoning relied upon in (a) above: where consent has not been validly obtained and no purpose has been notified, processing can be neither fair and reasonable nor limited to a specified purpose.

c) Mapping Transparency: Clause 23 of the Bill mandates that the DF shall take necessary steps to maintain transparency in processing personal data and shall make certain information available to data principals. The following are a few observations with regard to the transparency requirements:

  • The Privacy Policy describes four categories of personal information collected by the DF: (a) information you provide to us; (b) information we collect automatically; (c) information from Partners; and (d) information from Other Sources. Firstly, with respect to (d), the DF states that these sources vary from time to time and are not fixed. Although this seems reasonable, since these sources include security providers and payment service providers which cannot be expected to remain constant throughout the lifetime of the DF, it is unclear how consent is taken from data principals when the DF changes these sources. Secondly, with respect to (c), the DF states that it collects information from Partners (e.g., TV or internet service providers) with whom the data principal has a relationship. This again raises the concern of whether consent for such collection has previously been taken from the data principal, and whether the data principal has the option to refuse such collection or to withdraw consent. The Privacy Policy does not address any of these concerns. Category (b) gives rise to similar consent concerns, since the information is collected automatically. Lastly, the Privacy Policy does not adequately explain the purpose for collecting such a large volume of personal data.
  • Although the manner of collection of personal data has been described, the DF merely states that “we collect in a number of ways.” This is inadequate and can be improved upon by providing a detailed explanation of how each category of data is collected.
  • The DF mentions certain rights of the data principal, including: (a) requesting access to personal information; (b) updating inaccurate personal information; and (c) requesting deletion of personal information. It is not advisable to leave it there; it is recommended that all of the rights available to the data principal be listed, for example in a list or a box. Further, there is no mention of a detailed procedure for exercising these rights, and only the contact of the DPO has been provided for any queries. Therefore, while rights have been identified, they have not been made accessible and convenient to exercise. This must also be improved upon, for example by providing an application form through which a request for the erasure of data can be submitted.
  • Lastly, there is no mention of the very significant right of the data principal to file a complaint against the DF.

d) Service/Marketing Communications: Consent can never be presumed on the part of the data principal. Clause 11 of the Bill requires that consent be given at the commencement of processing. The Privacy Policy of the DF states that “If you no longer want to receive certain communications from us via email or text message, simply access the “Communications Settings” option in the “Account” section of our website and uncheck those items to unsubscribe.” This describes an opt-out mechanism; it is unclear whether the data principal is given the opportunity to consent to marketing communications in the first instance (an opt-in). The DF may therefore be in breach on account of unsolicited communications and over-processing.

e) Transfer of Data: The DF states that it will transfer the personal information of data principals in connection with mergers, sales or any other form of restructuring. The Privacy Policy states that “information will be transferred provided that the receiving party agrees to respect your information.” It also states that it will share the personal data of data principals with the Netflix group of companies. The following ambiguities arise from such phrasing and clauses:

  • Is this transfer for the purpose of mergers within India, outside India, or both?
  • Does the standard of “we will share if the other party respects your information” meet the threshold of the data protection principles under the Bill and the Report?
  • Has a mechanism been put in place to obtain consent from data principals for sharing their data with Netflix group companies? If not, the DF could be in breach, as without consent there is no lawful basis for the processing.
  • Most importantly, the DF’s statement does not go into the specifics of the transfer of sensitive personal data and critical personal data. Clause 34 of the Bill requires explicit consent from the data principal for the transfer of sensitive personal data outside India. The means to obtain this explicit consent is largely missing from the DF’s website. When one opens the website to view a TV show or film, there is no pop-up referring to the Privacy Policy, Terms of Use or Cookie Settings; only at the time of opening an account does the DF ask you to agree to the terms and conditions. There is therefore no mechanism to establish a clear and affirmative act showing free and informed consent on the part of the data principal. Secondly, Recommendation No. 54 of the Report complicates matters further: it recommends that sensitive personal data cannot be transferred unless the Central Government approves the transfer. I therefore conclude that the Privacy Policy in its current state does not fulfil the requirements of data protection, as the proposed Indian law strongly advocates data localisation.

f) Data Protection Officer/Data Auditor: The DF has made a mention of a Data Protection Officer (“DPO”) in its Privacy Policy. This is in compliance with Clause 30 of the Bill. However, this mention is insufficient as:

  • The contact information of the DPO is given as “please contact our Data Protection Officer/Privacy Office by email at privacy@netflix.com.” Paragraph 2.136 of the Report discusses the significant role that DPOs play in the data economy and recommends that the DPO be key managerial personnel of the company. Here, the contact of the DPO is conflated with the DF’s own privacy contact. This is a problem, as the DPO is distinct and independent from the DF. The mention of the DPO should have been accompanied by the DPO’s name, address and a distinct contact number.
  • Further, the Privacy Policy makes no mention of a Data Auditor as envisaged under Clause 29 of the Bill. Both the Bill and the Report refer to a data trust score/rating that may be assigned by the auditor. It is suggested that Netflix India display this score on its website in order to enhance the trust of data principals.

g) Processing of Children’s Personal Data: The DF mentions the requirement of the consent of a parent or legal guardian in the case of minors (individuals below the age of 18 years) using its service. This statement indicates compliance with Clause 16(2) of the Bill, which imposes the parental consent requirement. However, the DF does not fulfil several other requirements in this regard:

  • There is no mention of a procedure for verifying the age of the child, as mandated under Clause 16(3) of the Bill.
  • There is no mention of a consent option to enable the child to give fresh consent on attaining majority. The Report has highlighted the significance of this consent option and recommended that the DF inform the child, on the date of attaining majority, to provide consent once again for the processing of their personal data.

h) Grievance Redressal Mechanism: Clause 32 of the Bill states that every DF shall have a procedure and effective mechanisms to redress the grievances of data principals efficiently and in a speedy manner. The DF could do better in this respect, starting with a separate contact for the DPO. Further, it is suggested that the Privacy Policy state a time period within which the DF will respond to grievances, which shall not be later than 30 days as mentioned in Clause 32(3).

i) Reasonable Security Procedures: The DF states that it uses “reasonable administrative, logical, physical and managerial measures to safeguard your personal information against loss, theft and unauthorized access, use and modification.” However, there is no mention or detailed account of what security safeguards are actually in place. It is suggested that details of measures such as encryption and de-identification of data be explained in the Privacy Policy, as this would enhance transparency. This is significant in the interest of the trust and rights of data principals.

j) Privacy by Design Policy: Clause 22 of the Bill requires every DF to prepare a privacy by design policy, which may be certified by the Data Protection Authority and, once certified, must be published on the DF’s website. In the present case, no such policy has been published by the DF.

III. Concluding Remarks and the Way Forward

The DF has complied with the Bill’s provisions to some extent, although there are many areas in which it could improve. Some of the requirements have been met inadequately and do not accord with the spirit and principles of the Personal Data Protection Bill, 2019. The DF fails to meet the most significant data protection principles, including fair and reasonable processing, obtaining valid consent and even purpose limitation. Without these, a DF cannot function under the provisions envisaged by the Bill and the Report.

This case study reflects the position of Indian DFs as they currently stand. It also shows how unprotected the collection and processing of our personal data currently is, and highlights the need for a comprehensive data protection framework in India. Indian DFs will have to substantially change their current practices and comply with many standards to come anywhere near compliance with data protection principles.

REFERENCES

  • Draft Personal Data Protection Bill, 2019.
  • Report of the Joint Parliamentary Committee on the Draft Personal Data Protection Bill, 2021.
  • Indian Contract Act, 1872, s. 14.
  • Draft Personal Data Protection Bill, 2019, Cl. 11(2).
  • Draft Personal Data Protection Bill, 2019, Cl. 7.
  • Draft Personal Data Protection Bill, 2019, Cl. 23.
  • Draft Personal Data Protection Bill, 2019, Cl. 23(a).
  • Draft Personal Data Protection Bill, 2019, Cl. 23(b).
  • Draft Personal Data Protection Bill, 2019, Cl. 11.
  • Draft Personal Data Protection Bill, 2019, Cl. 34.
  • Draft Personal Data Protection Bill, 2019, Cl. 30.
  • Draft Personal Data Protection Bill, 2019, Cl. 30(1).
  • Draft Personal Data Protection Bill, 2019, Cl. 29.
  • Draft Personal Data Protection Bill, 2019, Cl. 23(f).
  • Draft Personal Data Protection Bill, 2019, Cl. 16(2).
  • Draft Personal Data Protection Bill, 2019, Cl. 16(3).
  • Draft Personal Data Protection Bill, 2019, Cl. 32.
  • Draft Personal Data Protection Bill, 2019, Cl. 32(3).
  • Draft Personal Data Protection Bill, 2019, Cl. 24(1).