Information safety regulation – future of information safety in India and globally
Data protection has come into focus for enterprises globally, with more and more companies building their fortune off data processing, one way or another. Even with known legislative attempts, protecting consumer data is a worldwide concern, especially in countries growing faster than the government can keep up, such as here in India. Two key threats in data protection must be overcome to protect users’ data efficiently and safely.
Existing legislation, even in developed regions such as Europe, falls behind tech progress levels, no longer adequately responding to modern data threats. Organizations such as social media giants make money off users’ personal data, as either primary or supplementary business, with methods such as targeted advertising. One nefarious example of targeted advertising going too far occurred a decade ago when Target figured out a teenage girl was pregnant and began sending coupons for baby clothes and cribs to her house—before her father even knew she was pregnant, prompting the local Target manager to apologize multiple times. Target was able to do this by analyzing data trends and recognizing signs a person might be expecting—such as purchasing supplements and lotion. This is an apt example of how intrusive targeted advertising can be, and why so many users are, understandably, concerned about their data privacy.
The second threat is the one most connected users are afraid of—the threat that personal data can and will be used against you. A recent change in legislation in America overturned the historic Roe v. Wade, which nationally gave people the right to terminate unwanted or unsafe pregnancies. This legislative decision raised national concern about data being used against those affected by the change, with people suggesting others delete period tracker apps—a tactic that is, unfortunately, ineffective due to the data being stored in the cloud. In fact, by deleting period tracking apps, the user relinquishes control over their data, giving the app developer complete access and control instead—at least in America. In regions such as Europe, for example, voiding the contract doesn’t equal total loss of control.
India, much like the United States, doesn’t have a mature framework in place to accurately protect data and the rights of its citizens in terms of data privacy. As an example of India’s immaturity in this area, companies are given complete control over user data, lowering their margins, and forcing them to store data. This led to several companies profiteering from analyzing collected data, bringing us back to the threat of personal data being used against users. Recently, in India, VPN providers were forced by the government to store connection logs, completely diminishing their purpose. India will now give VPN providers and cloud service operators an additional three months to comply with new rules requiring these organizations to maintain the name, address, and IP address of their customers. This delivers some relief to firms as many scramble to follow the new guidelines and explore the option of exiting the South Asia market.
Luckily, there are efforts in place to improve legislation in India and protect users’ data. A new data protection bill was drafted in late 2021, which would put in place laws that require reporting data breaches within seventy-two hours, on top of other regulations designed to protect the data of its citizens. This bill was introduced in tandem with other legal efforts in India to combat privacy invasion, such as an investigation into antitrust violations with WhatsApp.
Legislation, instead of giving companies complete control over user data, should reflect long-term practices conducive to running businesses within the country. To do this, there are two different ways to safely legislate data protection laws to keep citizens safe. One approach is the European/American way, with legislation demanding rights for personal users regarding their data. This allows users to know who is processing their data and gives them the option of requesting to see what data companies have on them—and having it removed completely, if preferred, with the company forced to comply, legally, or the EU will fine them for non-compliance.
The second legislative approach that would improve data privacy is the eastern approach, with companies mandated to store data within the country of citizenship. For example, in Russia, the government can now collect biometric data from its citizens—an order which cannot be denied, according to the bill recently signed by the Russian president. This brings up the question of what dual citizens would do—such as those with Russian and Chinese citizenship—with no answer so far as to where or how to store your data in these scenarios.
With correct and well-timed legislation, India’s out-of-control data privacy problems could be solved, or at least heavily mitigated. India is already on the path to follow the European/American approach, which will take some control over data away from the government and give it to the people—something that both users and companies should already get ready for. However, I believe the ultimate goal is not to have partial, but complete control over one’s data—and it will be up to citizens to seize it.
New regulations will appear soon enough, and India-based companies will become more transparent about which data they’re keeping, and how they’re using it, but the initiative and the final decision must come from the users, the rightful data owners. The main problem is that users normally can’t be bothered to dive into those details—so they choose to entrust everyone else with their data. Big mistake.
But the change is coming—taking control over one’s own data is becoming a trend, and business owners with the clearest vision can already prepare for it, instead of refusing the change and delaying the inevitable.
Those preparations would involve both legal and operational company-wide changes:
Striving for compliance is a cross-team effort which must have the full support of the company’s leadership—otherwise, it won’t work;
Review your corporate processes to determine: the sources of data, how it’s being processed and all external parties who have access to that data;
Refresh your policies with regard to both legal contracts and internal training, and designate roles clearly within your organization. With legal agreements, pay extra attention to the purposes of data processing, and cross-border data transfers outside of India;
Aspire to data minimization—store your data in a “depersonalized” manner, and only process data that you absolutely need to. Also make that data easy to “depersonalize” or remove completely—in case you have to, as one day you will;
Build up a communication process with data subjects—to establish a timely response to their requests: whether it’s updating storage permissions, or removing data completely;
Keep a tight schedule, avoid “retention fines”—a delay in removing data per a user’s request can result in substantial fines for your company;
Review your security protocols—it should be made clear that personal data is one of your most critical assets.
Views expressed above are the author’s own.