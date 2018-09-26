Private entities might now have to delete data they have collected, but ensuring they actually do so is going to be an uphill task, experts claim.

With a lack of data protection laws in India, there is no entity to audit whether or not private companies are actually deleting personal data of customers.

Senior lawyer Pavan Duggal said it was going to open "a Pandora's box".

“Even as we speak, much of the data could have already been migrated to other territories. So, who will conduct the audit to see the whole data is deleted within the time frame stipulated by the SC?,” he asked.

Telecom companies such as Reliance Jio, exclusively signed up users through the e-Know Your Customer process. Other telecom companies also pushed customers to link their numbers in order to continue to use their service, before the SC in an interim verdict said any such data collection should be put on hold.

Cyber experts said getting private firms to delete this data will certainly remove any chance of it being misused. They, however, added that with the lack of any data localisation or data privacy laws in India, there's no way to ensure this.

ALSO READ: Govt hints at amendments to Aadhaar Act to accommodate SC verdict

They also said the government and the regulators would face challenges in ascertaining that the SC’s judgment was actually followed as none of these firms were incentivised to delete this data.

“We have seen instances of data breaches in the recent past. There were also reports suggesting data was easily available in the black market for a price,” Duggal said.

The SC also said that if data was collected for authentication, it could not be stored for more than six months. Earlier, it could be stored for five years.

ALSO READ: SC verdict historic; Aadhaar helps govt save Rs 900 bn annually: FM Jaitley

Experts said even this period was not necessary. Once authenticated, these entities had no need for this data.

“These entities don’t even require six months to delete the data that they have collected and stored. The only issue is that there needs to be some due-diligence on the part of the data regulator to ensure these entities delete it,” said A P Hota, former chairman of the Payments Commission of India.