Indian start-ups are increasingly drawing public ire for failing to put in place privacy and security practices for the personal data of consumers. There have been dozens of reported cases of harassment due to the lack of security measures adopted by these new-age firms.
Last month in Bengaluru, a female customer who ordered a meal via popular food ordering app FoodPanda became a victim of sexual harassment due to a disagreement with the delivery agent. The customer’s mobile number was shared with the agent.
While FoodPanda says it is working on ways to mask customer phone numbers, its hands are tied when restaurants use third-party delivery services that require customer details. Indian laws, however, say entities collecting sensitive data are duty bound to maintain reasonable security practices.
“Majority of these companies in India are oblivious to the requirements under the IT Act, so they keep on breaking it actively. What they don’t understand is that they can be sued for damages by way of compensation,” says Pavan Duggal, an advocate who specialises in cyber law.
India already has laws that are specific to ensuring the security of sensitive data under the IT Act. However, the lack of a privacy law in the country severely restricts their power. Moreover, implementation of cyber law in the country is lax, which encourages those who want to break the law to do so freely and fails to educate those who are unaware of it.
While India hasn’t taken any action against firms that violate norms of handling sensitive user data, the US has rapped Indian firms for misconduct. Last year, the Federal Trade Commission in the US warned app developers against using a piece of code called Silverpush that was developed by an Indian firm. According to the FTC, the code would listen in without the knowledge of users to track their TV viewing habits.
InMobi was recently slapped with a $1 million fine for deceptively tracking the location of users, which the company claimed was to better serve them with geo-tagged advertising.
“InMobi tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “This settlement ensures that InMobi will honour consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises.”
Uber and Ola, which saw drivers harass customers after personal numbers were shared with them, have put in place measures such as number masking to protect the privacy of customers.
Apart from the failure to comply with privacy laws, experts have questioned what happens to the data collected once a start-up shuts down. It is estimated that only one out of 10 start-ups succeeds, so the amount of personal user data that needs to go out of circulation is huge and indeed valuable.
Neeraj Bisht, a law graduate turned serial entrepreneur whose logistics venture Delivree King failed, says the sensitive data gathered, including customer names, phone numbers, addresses and latitudinal and longitudinal location data, will be destroyed once the company is dissolved, a process that takes about a year in India.
“I’m a law graduate myself so I do understand these things. I’ve been in the startup industry for the past four years and I’ve seen people discussing how to use another company’s data. I feel nine out of ten acquisitions happen for getting their hands on data, it’s so important these days,” adds Bisht, who goes on to call people like himself a minority in today’s startup industry.
Under Section 43A of the IT Act, there are three ways in which a company holding sensitive data can share it. The first is with the government, which would have followed due process to ask for user data. The second is sharing of data with a processor, who is seen differently from a data controller. The third way a company can share data with anyone is after getting due consent from the user.
It’s the third mechanism that’s misused the most, with several start-ups putting questionable clauses in their privacy statements, which users are made to agree to before using their services for the first time. The privacy statement of Uber says that user data can be shared “during negotiations” before the sale of its own assets, which is pretty standard across the board.
“Sharing your number and other data with say a driver or delivery agent they are allowed to do given they put it in their terms of use. But sharing data with a random third party, for purposes that have nothing to do with the original purpose, that would be illegal unless they’ve managed to put that into the privacy policy too,” says Sunil Abraham, Executive Director of research organisation Centre for Internet and Society (CIS).
CIS is considering a study on the content of the usage policies and privacy policies of start-ups in the country, bringing to the fore some of the questionable practices they engage in with due user consent. While start-ups might be oblivious about breaking the law, users too are to blame as they don’t educate themselves enough to understand the repercussions of using a particular service.
“The problem is that because the implementation of Indian cyber law is so lax and because there have been not so many convictions, people tend to believe that they can get away with murder,” says Pavan Duggal.