Customer Education , Governance , Legislation

Mobile Apps Come Under Lens for Violating Data Privacy

TRAI to Work on Privacy Guidelines for Telecom Sector
Mobile Apps Come Under Lens for Violating Data Privacy

With increased incidents of cyber breaches and cry for data privacy gaining momentum in the country, mobile applications in India seeking blanket access to phone users' information have come under the lens of the Telecom Regulatory Authority of India. Since so many Indian companies are rushing their mobile app roll outs, breaches are always a concern. Furthermore, breaches and misuse of information may post serious threat to government's Digital India movement. The regulatory body will begin consultation on data privacy and security in the telecom sector. (See: Meru Cabs: Mobile Security Lessons)

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

The development comes at a time when a debate is on about the right to privacy. On July 21, the Centre told the Supreme Court, the apex court of India, that data of users are integral to the right of life and personal liberty guaranteed under the Constitution and it would come out with regulations to protect the same.

TRAI emphasized that information asked by mobile apps to users should be relevant to its purpose. "There should be a minimal information principle. If an app has nothing to do with your gender or age, it should not seek such information," says R.S. Sharma, chairman, TRAI.

Since mobile apps capture all user data, there needs to be a privacy law protecting the interest of users. However, security practitioners say that in India there are no strong implementation of laws around data privacy, more so for the telecom sector.

"Mobile applications are mainly software installed on hardware. Therefore, they are governed by the IT Act 2000/8 and other laws of the country. However, there are no specific laws made for the telecom sector," says Prashant Mali, advocate, Supreme Court and a cyber law expert.

TRAI's Stand

Sharma noted that discussions are on internally to look at data privacy and security in the telecom sector. Practitioners hope this will ensure that companies take data privacy as a top priority.

TRAI states that any policy can only take shape after discussions with various stakeholders and it's too early to comment on the same.

"In case I am downloading an app and it asks for 20 [personal] information, completely irrelevant and if I don't provide that information, it [the app] does not download...then there should some basis for information that an application can ask for," Sharma recently stated at a symposium.

Privacy Challenges

An app owner is intermediary under the IT Act 2000/8 and is subjected to liabilities and responsibilities under Section 79 of the Act and rules there under. This requires understanding of all privacy protection principles, including privacy policy notification, disclosure of what is collected, how it is stored or processed. Moreover, the law states that if a consent is obtained on a contract, then it is compliant with law.

"If the app owner makes it conditional that the app can be used only if certain information is provided, then it cannot be faulted for collecting the information. However, the disclosure should state that the information collected has to be used for the requirements of the services and not for marketing," says Na. Vijayashankar, a cyber law expert.

However, in reality, information collected by app makers are used for marketing various other products. Many of these companies do not have their own data centers, IT teams or InfoSec specialists, resulting in data travelling to a third party without proper security in place. "Most companies don't even have security clauses in their agreement while sharing data with a third party which is resulting in data leakage," says Ritesh Bhatia, cybersecurity and cybercrime investigations consultant.

Understanding the Law

If users find any fault, they can register a case of cheating under Indian Penal Code leading to seven-year imprisonment to the app owner along with other charges.

Since awareness in India around data privacy is low, Bhatia says, companies and mobile apps take the leeway to collect user information, even if it's not needed. "In most cases the apps track you even after you have uninstalled them," Bhatia says.

Some say the IT Act hasn't gone in the direction of stipulating parameters of due diligence to be done by mobile app service providers.

Practitioners observe discrepancy in the data collection methods by these mobile app companies.

Privacy Guidelines Required

As TRAI works on privacy guidelines for the sector, practitioners say it is not required to re-invent the wheel, but make some amendments to the existing data privacy law.

"I am not in favor of complicating the compliance issues by introducing multiple laws. Objective of creating a deterrence can be done by proper use of ITA 2008 and if required bring some new notification under rules can do the trick," Vijajashankar says.

Bhatia says some ingredients that needs to be part of the privacy law that can help users protect their privacy should include:

  • Advance notice about data being collected;
  • Users to be provided the choice of sharing the data;
  • Applying restraint on the information solicited confining it to the function or use of the app;
  • Use/Purpose Limitation - use the info collected only what the sole purpose was while collecting;
  • Allowing users to access and correct info collected by the app developers;
  • Transparency/Openness on the use of information gathered;
  • Disclosure - give to third parties with consent of individual;
  • Security;
  • Accountability.

"The proposed guidelines should prescribe a clause around legal action taken against the organization which has leaked customer data and not following best security practices," says Mali.


About the Author

Suparna Goswami

Suparna Goswami

Principal Correspondent, Information Security Media Group

Suparna Goswami is principal correspondent at ISMG Asia and has more than 10 years of experience in the field of journalism. She has covered a variety of beats ranging from global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine, and leading Indian newspapers like DNA and Times of India.




Around the Network