- Manish Sehgal
Today’s technologies have brought ease and speed to data circulation, allowing users to circulate large amounts of data on shared networks, private networks, etc. For example, earlier, people were required to go to the bank and put in a request to create a bank account or to transfer money. But today, everything can be done using internet banking or online services through smart devices such as computers and smartphones.
Localisation of data is increasingly benefiting many industries and firms: it gives them the opportunity to grow their business by saving the cost of maintaining data centres in other countries and by providing their users with a better service experience as transactional efficiency gets higher. Due to data localisation, both personal and sensitive personal data will have to be stored domestically; hence, there is an urgent need for regulatory requirements to maintain the sanctity of an individual’s right to privacy.
Being one of the cheapest providers of internet and smartphones, and with a population that is more than 1.3 billion, India is bound to become a host to massive data collection and storage. According to a blog report by Cushman & Wakefield, India’s data centre market is poised to reach $7 billion by 2020. Consequently, the storage of personal and sensitive personal data puts the users and owners of the information at great risk.
The functionalities in a smartphone may be expanded by the installation of various applications. While such applications may allow the users the privilege to customise their smartphones according to their requirements and ease, they also put the users at risk because these applications may have access to the user’s location, text messages, contacts, etc. This collected information may be used maliciously by the application owners, or, in the absence of proper digital embankments, the information may get leaked to other third parties.
Even mobile vendors may put the user’s data under privacy risk. For example, a case study of one of the top Canadian telecommunication providers recently revealed a data breach which may have exposed sensitive information belonging to thousands of users. Some VPN vendors reported that they were able to access a database which was unprotected and unencrypted. The database contained the email addresses of customers, their phone numbers, home addresses, dates of birth, customer types, and IP addresses linked to the payment methods they had used. Over and above this, the users’ unencrypted financial data was exposed, which included information about their credit cards, security codes, etc. Because of this data breach, 15000 users were affected.
With incidents happening on scales as huge as these, privacy laws should be enforced within the geographical domain of the countries. In India, a privacy bill, the draft Personal Data Protection (PDP) bill, is due to come into force, which promises to protect Indian users from these risks. The provisions under the draft bill apply to the processing of personal data within the territory of India by the state, any Indian company, any Indian citizen, or any person or body of people incorporated under Indian law. Under the proposed law, the restrictions on cross-border data transfer include provisions such as:
- Data fiduciaries transferring data outside the territory of India are required to maintain a serving copy of the data within the territory of India.
- Categories of personal data that are notified as critical personal data by the Central Government can be processed only within the territory of India.
- The data principal’s consent is needed in addition to the adequacy decision by the Central Government or the approved standard contractual clauses.
Thus, the processing of personal data is permitted if it satisfies one of the six grounds for processing data provided under various privacy laws across jurisdictions, namely: consent of the data subject; a legal obligation; contractual obligations; vital interest of the data subjects; public interest; and legitimate interest.
With a continuous rise in the sale of smartphones, and the speed and scale at which data is being collected through the use of these smartphones, maintaining data security is one of the primary concerns for the government. If the draft bill comes into force, it will create an environment wherein users would be able to exercise greater ownership over the management and security of their data. With digital information transmissions and transactions increasing rapidly over smartphones, the bill would ensure that personal and sensitive personal information remains fortified. The organisations managing the data of their consumers and customers would have to comply with the national mandates, thus securing the digital landscape of data. Hence, the draft PDP bill would become an essential component of the Indian cyber law framework.
- Manish Sehgal is Partner, Deloitte India. Views are the author’s own.