The New Tiger Roaring in
(This article was adapted from an old article I wrote and represents my views only and not those of any organisation I am or was linked to in the past. Sharing because it still seems relevant to recent discussion with friends and old colleagues.)
When I first worked with a team to put out an application (app) on app stores and made it available in multiple countries in 2017, the terms and conditions, data protection, and privacy requirements we looked at seemed much more lean.
As it is with any socio-demographic change that impacts technology, and vice versa, the changes in regulation across jurisdictions mean making tweaks to the way information, content, and paid content are presented and the way information, data, and consent are managed. There’s been too much written in this area for me to go into a full-fledged sharing on how we handled regulations and compliance in multiple regions, but as the Indian Data Protection Bill powers to the fore (could not help the Tiger, India’s national animal, inspired terminology), here are some considerations for software teams that are also based out of India.
Under the new proposed regulation, even brick-and-mortar businesses are said to have to comply with the privacy and confidentiality requirements. Typically, in working with brick-and-mortar businesses, our observation is that the type of personal information they store is transient. If they ask for an ID before selling alcohol, details of the ID are often not captured on paper. If they enter a mobile phone number for mobile phone top-ups, the mobile phone number is often stored by the telecommunications service provider’s system for verification. If they accept mobile banking, the data is stored by the mobile banking providers and their affiliate payment system partners. Yet even brick-and-mortar businesses would now have to think about consumer and business information storage. The Bill largely seeks to exempt small businesses that store information manually. But it still poses questions about information stored in both forms, say electronically and with a written/manual backup or otherwise. There is room for clarification on how information about suppliers, distributors, and wholesalers that they work with, including phone numbers, names, delivery and logistics, would have to be managed. This information stored via the said app met the information collection, storage, management, and disposal requirements, as is required under other jurisdictions, for instance GDPR in the UK and EU, PDPA in Singapore, Japan’s APPI and several provisions under the US FTC. Yet, we have to be aware of any nuanced requirements that may come out in secondary legislation or administrative guidance notes.
The notice and consent requirement in the Bill is synonymous with requirements in other jurisdictions, and is already dealt with in apps during account sign-ups, when users are given notice of how their data would be managed and their express consent is sought, and any subsequent changes are reflected under a specific panel on conditions within the app. However, the data localisation requirement in the Bill, where sensitive personal data must be stored in India, presents some interesting changes to work through. Would it mean localised servers for storing personal data captured by platforms and applications? Would it mean putting in place data audits and data protection teams focusing on this requirement?
The Indian Bill also draws some comparisons with PDPA in Singapore in requesting access to the stored data and largely exempting government agencies from the legislation (which is also to some extent applicable for EU government under GDPR). When some members of the app team were involved in personal data protection regulation frontiers in its early days in our previous roles, a notable element was that there were other checks and balances in place to prevent instances of data abuse, for example the process of judicial review. With new data laws in other jurisdictions, such as the Personal Information Protection Law in China, coming into effect in 2021, it will be a roaring (running out of tiger-puns) new landscape to watch for app developers, people in the tech landscape, legal professionals and adjacent sector stakeholders alike.