App developers in India could face severe consequences for misusing customer data
after a nine-judge Supreme Court Bench ruled that the right to privacy
was a fundamental right of every citizen in the country.
While these developers can continue to collect data from users as long as they have their consent, the latest judgment could set the stage for severe punishment if they are found using customer data for any purpose other than for which it was collected.
“Organisations and people who build these apps will have to ensure very stringent control around what they are using this data for. When they are taking consent from users to collect data, they might even begin disclosing the objective for collecting that data,” said Jaspreet Singh, partner-cyber security at EY.
Collection of data to deliver digital services, including using that data to deliver targeted advertising, will not constitute a breach of an individual’s privacy as long as customers agree to the company’s terms and conditions. But, if it is found there was unauthorised sale of the data to third parties and used for purposes not intended, it will land developers in trouble.
Several apps collect data from customers which is not required to offer their services, but this cannot account as breach of privacy since they ask for the user’s consent. But, going forward, India could put a stop to this arbitrary data collection through its upcoming data protection law.
“The government is aware of the fact that many applications seek unnecessary permission to have access to data, which is not related to it. The data protection law may include all such issues. The Srikrishna committee is working on a data protection framework and it is likely to submit its report by end of this year,” said an official within the Ministry of Electronics and Information Technology (MeitY) who did not want to be named.
“We already have Section 43A which already talks about data privacy and if we couple that with the latest judgment, it becomes a very stringent law today itself. The only thing that’s been lacking is the enforcement and with Thursday’s ruling, I’m sure the enforcement would be far more,” Singh said.
As for data collected by global organisations such as Google, Facebook, Amazon, etc. which is stored on servers located outside the country, the current laws get a bit hazy about what is and what isn’t allowed. There are no laws governing what can be considered as misuse of customer data stored outside the country.
With India’s fast-growing digital footprint, not addressing this could be a major issue. But, experts are unanimous in agreeing that India will soon draft rules that will curtail the kind of user data that can be taken out of the country.
Last week, MeitY instructed 30 smartphone manufacturers to provide details on the security procedures they had in place, following reports of data leakage and data theft. A majority of the manufacturers were Chinese, and the request came at a time when tensions between India and China are high.