BENGALURU: The privacy policies of Indian consumer applications like Paytm and Flipkart do not offer the same range of data ownership and user rights as seen in international policies.

This may change as the Srikrishna Committee is in the final stages of drafting the data protection bill, which will address a range of issues like consent, data localisation, ownership, purpose restrictions and the like.

“I think privacy policies (in India) need to be a lot more descriptive and detailed,” said Sameer Nigam, chief executive of payments company PhonePe. “I think every company should do so and will eventually be required to do so.”

An evaluation of the ‘privacy policy’ of top consumer applications in India by ET shows that privacy policies are generic, shorter in length, not available in Indian languages, and offer no examples of layered notices.

“Most (Indian) privacy policies do not offer too much attention to either detailing rights of users, drawing attention to particularly important portions, or explaining things in an easy to understand way,” said Rishab Bailey, advocate and researcher, who studies privacy policy.

For instance, Flipkart’s privacy policy, which runs for about 1,800-odd words, has no mention of data retention or deletion policies.

“Flipkart primarily tracks users to find out browsing habits/interests and to market to them,” said a privacy policy researcher, declining to be named. “To this extent, they freely share most information (excluding name, telephone, address) with third parties.” The onus is completely on the user regarding what information to share online and what not to. All data that is shared can be collected and used by Flipkart after taking the consent of the user.

Similarly, Paytm’s 642-word privacy policy mentions that user data will not be shared with third parties for unsolicited marketing. But the term “third parties” is undefined.

“Does it include only group companies or also corporate partnerships? It doesn’t appear that any specific or special precautions are taken with respect to financial and other sensitive information,” said the researcher quoted above.

Flipkart, Amazon India, Google and Bigo Live did not respond to queries sent by ET as of press time. Paytm declined comment.

Comparing Indian companies’ privacy policies to those of international companies may not always be fair, as the requirements under Indian law are significantly less onerous than, say, under European law. “Indian companies do not have the same range of rights as seen in international policies because, currently, they are not required by the Indian law,” Bailey said. “For startups, the primary aim of the privacy policy appears to be to ensure compliance with the Indian IT Act and reduce their liability under the law.”

International companies do not always have privacy policies tailored to individual countries, and therefore tend to adopt the highest standard as a generic policy. But few believe that the lack of clarity on personal privacy in India arises from the dearth of regulatory clarity.

“Customers always ask why can’t you delete the account. We can delete the account, it’s like a bank account. But you can’t instruct the bank, NBFC to vaporise your records. That’s where the whole confusion starts. That’s a big nuance for the entire fintech industry,” Nigam said.

Interestingly, food-ordering and delivery company Zomato, which runs operations in 23 countries including the US and Australia, has an exhaustive list detailing the kind of information it collects, who it shares it with, restrictions, and an explicit mention of how to revoke access or delete data.

The firm has a Zomato data protection officer (DPO) to whom users of the service can write to download or delete all information Zomato processes, underscoring the difference in how an Indian company has drafted its privacy policy as it operates beyond Indian borders.

The Srikrishna committee report will in all probability significantly change the legal framework that companies will have to adhere to. There is likely to be a greater emphasis on user rights, together with more robust enforcement mechanisms.

“What is expected is some sort of stricter penalties for non-compliance in line with GDPR and a central institutional framework such as a privacy commission,” said Nikhil Narendran, partner at Trilegal, a law firm. The General Data Protection Regulation (GDPR) that was rolled out in the European Union in May punishes non-compliance with penalties of up to 4% of annual turnover.

Not just users, even industry players are hoping for a comprehensive data protection bill to cover all the nuances around privacy, consent, localisation and security. “As a banking app, we are mandated to maintain transactions for 10 years under the Prevention of Money Laundering Act (PMLA),” said PhonePe’s Nigam. “I would want to see how the guidelines of the PMLA are going to be after the Srikrishna report comes out.”

It is also interesting to note that Indian startups’ approach to privacy policy puts the onus completely on the user regarding privacy updates. In most cases, the “user” is required to check for updates to the privacy statement in case of changes. There is no voluntary notification. This is in direct contrast to the privacy policies of Facebook, Google and WhatsApp, which state that users will be notified before changes are made to the privacy policy.

“We will notify you before we make changes to this policy and give you the opportunity to review the revised policy before you choose to continue using our products,” Facebook’s privacy policy says.