The consumer electronics giant Apple recently withdrew over 250 apps from its App Store on the grounds that these were collecting personal data about iPhone users. The alleged culprit was a Chinese company, Youmi, which had released a Software Development Kit (SDK), which secretly collected user-data. Every app developed with that SDK was tainted. This is only the latest high-profile event to prompt a focus not only on data security, but also on the broader issue of privacy of individual data. Online, every browser generates data and metadata, collected and stored in various private and public databases. Such data may include usernames, passwords, details of passports and credit cards, digital signatures, biometric information, financial records, surfing history, location, emails, instant messages, and more. Every telecom service provider, bank, insurer, healthcare provider, etc, possesses some of the above data. Apple, for example, has credit card numbers, biometric data, physical location data and online browsing records of iPhone users.
Digitisation enables the delivery of many new services, unimaginable even five years ago. But if such data are hacked, great damage is caused. So, strong protections must be in place. Practical considerations aside, the storage, collection, protection and utilisation of such data must also be governed by laws based on an understanding of the right to privacy. The laws must define what degree of explicit consent is required to collect data and how such data may be shared. They must spell out the degree of control and oversight an individual is entitled to possess over her own data. Different jurisdictions treat privacy differently. For instance, the European Union lays more emphasis on privacy than the United States. The Court of Justice of the European Union recently ruled that US-based corporations could no longer hold the data of EU citizens in servers outside Europe. This was prompted by a suit filed by an EU citizen, who cited the revelations by Edward Snowden, and claimed to be worried about surveillance by US intelligence. The EU court ruled that US servers were not "safe harbours". This ruling impacts multinationals operating in the EU, including giants like Google, Facebook and Apple. It would also affect Indian businesses with EU exposure. Data pertaining to EU citizens and entities would have to be migrated to servers in the EU. There could be a significant shift in the operations of the global data-storage industry, as a result of that ruling.
India may be badly hit by this shift, since it lacks an explicit privacy law. The Indian government has even argued that privacy is not a fundamental right, which clashes with the EU's stance on this issue. The lack of a privacy law has also impeded the Aadhaar rollout. It is a major reason why advocates of civil liberties are hesitant to endorse the Digital India initiative. There is no transparent, robust oversight mechanism to control data gathering by government agencies, or by private players. There is open, quasi-legal trade in the data of individual Indians. Legislation on this front is vital. The reluctance to draft privacy legislation is also strange, since the Justice A P Shah Commission made comprehensive recommendations three years ago. Perhaps Indian companies operating in the EU can now add their voices to the many groups already advocating privacy legislation.
