As more Indian organisations move to the cloud, security breaches are likely to become more frequent. The absence of legislation protecting personal data lets Indian organisations collect data as they choose, often needlessly. That data is often sold or monetised in other ways, and is frequently held on insecure servers. Suitable legislation has not been passed in the five years since the Supreme Court asked for it in a landmark case that upheld privacy as a fundamental right. This is a huge gap, and one at odds with policy initiatives to build Digital India. It opens the door to widespread misuse of data and to cybercrime, potentially targeting every Indian. It is also a barrier to efforts to set up data centres for overseas clients, who are understandably wary of storing data in such an insecure environment.
Last week, Akasa Air, a new airline, emailed its passengers admitting that it had suffered a breach that exposed private personal data. Vodafone Idea, meanwhile, denied that the privacy of 20 million customers had been breached, after reports from a cybersecurity agency alleged this. In June 2022, the French multinational Thales reported in its Cloud Security Report that 37 per cent of Indian respondents (all large corporations) had experienced a security breach of some kind in the past year. This is a serious problem and can only be expected to grow in scale as more segments of the economy are digitised. Corporations therefore need to invest in cybersecurity, not only to protect consumer data but to protect the business at large: such threats can undermine and hamper business operations, with wider consequences. One reason Indian firms may not be investing enough in this area is a lack of regulatory compulsion.
Ideally, a data protection law should cover the following areas. It should lay down clear, broad definitions of what constitutes personal data, and those definitions should be open to review and updating as technology develops. There must be norms that data will not be collected needlessly, but only in granular fashion for clearly stated purposes, keeping the data-owner informed and seeking his or her consent at every stage. There should also be clear norms for the security of any data collected and stored, with the collector and the storage centre held liable for breaches, subject to escalating penalties. Victims should be able to bring class-action civil suits for damages in such cases without undue difficulty. Data-owners should also have the “right to be forgotten”: once the purpose for which the data was collected has been served, the data-owner should be able to ask for its deletion.
Further, there should be safeguards against surveillance and overreach. There should be a transparent process for granting any agency clearance to launch a data-collection or surveillance exercise against an individual or organisation. The draft Indian legislation, which has now been withdrawn, offered no protection against government surveillance: under that draft, any official agency could access any data it chose, or target any individual for surveillance. In the absence of legislation offering protection or redress, it is inevitable that data will be monetised in ways that expose data-owners to harm. The government should, therefore, plug this gap at the earliest.