Unauthorised sale of data to third parties will land developers in trouble.
Alnoor Peermohamed and Kiran Rathee report.
App developers in India could face severe consequences for misusing customer data after a nine-judge Supreme Court Bench ruled that the Right to Privacy was a Fundamental Right of every citizen in the country.
While these developers can continue to collect data from users as long as they have their consent, the latest judgment could set the stage for severe punishment if they are found using customer data for any purpose other than for which it was collected.
"Organisations and people who build these apps will have to ensure very stringent control around what they are using this data for. When they are taking consent from users to collect data, they might even begin disclosing the objective for collecting that data," said Jaspreet Singh, partner-cyber security at EY.
Collection of data to deliver digital services, including using that data to deliver targeted advertising, will not constitute a breach of an individual's privacy as long as customers agree to the company's terms and conditions.
But if it is found there was unauthorised sale of the data to third parties and used for purposes not intended, it will land developers in trouble.
Several apps collect data from customers which is not required to offer their services, but this cannot account as breach of privacy since they ask for the user's consent.
But, going forward, India could put a stop to this arbitrary data collection through its upcoming data protection law.
"The government is aware of the fact that many applications seek unnecessary permission to have access to data, which is not related to it. The data protection law may include all such issues," said an official within the ministry of electronics and information technology, MeitY, who did not want to be named.
"The Srikrishna committee is working on a data protection framework and it is likely to submit its report by end of this year," the official added.
But the combination of Section 43A of the IT laws which speak about data privacy, coupled with the Supreme Court's latest judgment could force developers to disclose their terms more clearly.
"We already have Section 43A which already talks about data privacy and if we couple that with the latest judgment, it becomes a very stringent law today itself. The only thing that's been lacking is enforcement and with last Thursday's ruling, I'm sure the enforcement would be far more," Singh said.
As for data collected by global organisations such as Google, Facebook, Amazon, etc which is stored on servers located outside the country, the current laws get a bit hazy about what is and what isn't allowed.
There are no laws governing what can be considered as misuse of customer data stored outside the country.
With India's fast-growing digital footprint, not addressing this could be a major issue.
But experts are unanimous in agreeing that India will soon draft rules that will curtail the kind of user data that can be taken out of the country.
Last week, MeitY instructed 30 smartphone manufacturers to provide details on the security procedures they had in place following reports of data leakage and data theft.
A majority of the manufacturers were Chinese, and the request came at a time when tensions between India and China are high.