Tag: Data Privacy

Delhi High Court disposes of PIL against sharing of citizens’ data collected by MakeMyTrip, Goibibo, SkyScanner

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

The Delhi High Court, on Wednesday, disposed of a public interest litigation (PIL) against the sharing of citizens’ data collected by travel platforms MakeMyTrip, Goibibo, and SkyScanner.

The PIL had sought the intervention to ensure that foreign travel companies do not share user data like name, Aadhar number, passport details, etc., during ticket bookings.

According to a LiveLaw report, dismissing the plea filed by BJP leader and lawyer Ashwini Kumar Upadhyay, the court asked him to approach the government by way of a representation. The HC noted that Upadhyay can not take the matter to a court unless a representation is made with the government.

The court said if a representation is filed with the government, it should be decided by way of a reasoned order in accordance with the law “as expeditiously as possible”.

The petitioner articulated grave concerns over the practices of various travel companies in collecting sensitive personal information from their users. These companies, including major players such as MakeMyTrip (MMT), GoIbibo, and SkyScanner, allegedly gather data such as names, phone numbers, Aadhaar, and passport details, potentially compromising users’ privacy.

The purported monetisation of this sensitive data is of particular concern, which the petitioner contends could have far-reaching implications. It was highlighted that these travel companies, some of which are wholly or partially owned by Chinese entities, are accused of exploiting users’ personal data for financial gain.

Furthermore, the PIL underscored the alarming revelation that such data collection extends beyond ordinary citizens to include lawmakers, ministers, and even judges. This revelation amplifies the gravity of the situation, indicating a potential breach of trust and privacy affecting individuals in influential positions.

The petitioner sought directions from the Delhi High Court to restrain travel companies from sharing customers’ personal data, encompassing crucial identifiers such as names, addresses, phone numbers, Aadhaar, and passport details. The PIL also referenced recent legislative measures such as the Data Protection and Privacy Bill (DPDP Act), as well as a Supreme Court judgment affirming privacy as a fundamental right.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

CBI Raising Day: Chief Justice calls out CBI over ‘unwarranted confiscation of personal devices’

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

The Chief Justice of India, DY Chandrachud, reignited the issue of illegal confiscation of electronic devices by law enforcement agencies while speaking at the CBI Raising Day on Monday.

The Chief Justice remarked that incidents of “unwarranted confiscation of personal devices” have highlighted a “pressing need” to balance investigation imperative with the individual right to privacy.

The CJI was speaking at the DP Kohli Memorial Lecture, marking the CBI Raising Day. The theme of the lecture was “Adopting Technology to Advance Criminal Justice”.

Interestingly, he raised the red flag in direct reference to powers of seizure available under the new criminal laws. The CJI noted that Section 94 of Bharatiya Nagarik Suraksha Sanhita (BNSS) and Section 185 of BSA grant law enforcement agencies the authority to summon documents, including digital evidence.

It is in reference to these new powers under the new criminal laws that he stressed the need for upholding the due process of law.

In his lecture, Justice DY Chandrachud said, “In the realm of criminal justice, a delicate balance between search and seizure powers and privacy rights, stands at the cornerstone of a fair and just society.”

In a rare move, he also referenced a case on illegal seizures, still pending before the Supreme Court. He was referring to the plea filed by the Foundation for Media Professionals in Oct 2022. In the plea, the petitioners had flagged the absence of any guidelines on electronic device seizure.

The CJI, in reference to this case, had noted how in December the Supreme Court had directed the CBI to follow its Crime Manual, till the guidelines have been framed.

On December 14, The Centre had undertaken before the top court that the CBI would follow the Crime Manual on Digital Evidence till the guidelines were framed. The Centre is yet to formalise guidelines on the seizure of electronic devices.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

X says Indian govt asked to shut down specific handles

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

In a move to regulate online content, the Indian government has issued executive orders directing social media platform X, formerly known as Twitter, to take action on specific accounts and posts. Failure to comply could result in severe penalties, including hefty fines and imprisonment.

According to a PTI report quoting sources, the Ministry of Electronics and IT ordered social media platforms to temporarily block 177 accounts that were linked to farmers’ protests at the request of the Ministry of Home Affairs.

In response, X has announced its compliance with the orders, confirming that it will withhold the specified accounts and posts within India. However, the platform maintains its stance on the importance of freedom of expression, asserting that it does not agree with these actions.

The Indian government has issued executive orders requiring X to act on specific accounts and posts, subject to potential penalties including significant fines and imprisonment.

In compliance with the orders, we will withhold these accounts and posts in India alone; however,…

— Global Government Affairs (@GlobalAffairs) February 21, 2024

X, however, has filed a writ appeal contesting the blocking orders, signalling its commitment to defending users’ rights. Additionally, the platform has ensured that affected users are notified of these actions in line with its policies.

The microblogging site also noted that despite calls for transparency, legal constraints prevent the publication of the executive orders. X said it advocates for their public disclosure, arguing that the absence of transparency could foster arbitrary decision-making and undermine accountability.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Microsoft Build 2023 showcases the latest features of Windows 11

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Windows 11 is the latest iteration of Microsoft’s near-ubiquitous personal computing operating system. On Tuesday, May 23, Microsoft, at its annual Build developers’ conference, showcased some of the new features Windows 11 will sport, starting May 24.

Microsoft said, “Windows 11 has garnered unprecedented engagement, boasting the highest customer satisfaction rates compared to any previous version of Windows in the United States. The commercial adoption of Windows 11 has also witnessed remarkable growth, with over 90 percent of Fortune 500 companies currently exploring or implementing the platform.”

The company said the new features further emphasise Windows 11’s focus on catering to business needs, including security, IT management, and enhanced usability for professionals and individuals.

Also read: Microsoft Build 2023: Here are all the new features coming to Edge

Enhancing privacy, security, and accessibility

As per Microsoft, Windows 11 aims to provide new and improved features that simplify the management and security of organisations. “Privacy is of paramount concern, and Windows 11 addresses this by introducing app privacy settings. These settings empower customers to control access to ‘presence sensor’ information and enable or disable features such as wake on approach and lock on leave,” Microsoft said.

Additionally, the taskbar now offers glanceable VPN status, ensuring that users are securely connected with a simple glance at the shield icon. This feature becomes available on May 24 and can be toggled on or off through ‘Quick Settings.’

Windows 11 continues to prioritise security, Microsoft said, collaborating closely with partners to offer PCs equipped with the Microsoft Pluton security processor. Pluton provides built-in protection from chip to cloud, enhancing resilience against malware, hardware attacks, and credential breaches. Pluton will be extended to more AMD systems from Wednesday (May 24), Microsoft said.

Also read: Microsoft Build 2023: How Jugalbandi, an AI-driven multilingual chatbot, helps rural India

“Windows 11 is committed to expanding language support, making audio content more accessible. Last year, live captions were introduced, and now they will be available in 10 additional languages across 21 regions. These live captions offer real-time transcription of audio, benefitting users during audio playback and video calls,” the company added.

Bluetooth Low Energy Audio

Microsoft said Windows 11 brings a new and sustainable way to utilise Bluetooth®Audio on PCs, spearheading “the next generation of wireless audio.” Bluetooth Low Energy Audio, in collaboration with Samsung Galaxy and Intel, allows for high-quality audio experiences with minimal power consumption, enhancing the audio quality of calls, videos, and music, especially when using compatible devices.

Staying informed with widgets

Widgets have become an essential resource for staying updated on relevant information in our daily lives, Microsoft said. In response to user feedback, Windows 11 enhances the layout and functionality of the widget board. The default panel view now offers a larger layout, allowing for user-pinned apps and a personalised feed for efficient discovery. This personalised feed will showcase news and your collection of widgets, ensuring quick glances to stay up-to-date, as per Microsoft.

Also read: Microsoft Build 2023 lays out framework for building AI apps, expanding Copilot ecosystem

Reinforcing security

Windows 11 already incorporates several baseline security features enabled by default, and to further strengthen hardware and software protection, Microsoft is introducing new security features. One such feature is the Sign-In Session Token Protection Policy, which Microsoft said cryptographically binds security tokens to devices, restricting attackers from impersonating users on different devices. This feature minimises the impact of token theft on user security, it added.

Furthermore, Windows 365 Boot optimises the Windows 365 Cloud PC experience on Windows 11 devices, streamlining the login process and establishing a secure connection directly to the Cloud PC. This solution is particularly useful for shared devices, allowing users to access their personalised and secure Cloud PC effortlessly, Microsoft added.

Also read: Microsoft Build 2023: Bing search engine to be built into ChatGPT and much more

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Data Privacy Day 2023: Experts talk about why data protection is important among other things

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

On Data Privacy Day, leaders in the tech industry are speaking out about the importance of data protection and information security. Vindhya Vishwanath Kudva, Data Protection, and Information Security Officer at Bosch Global Software Technologies (BGSW), emphasises the importance of a holistic approach to data privacy. “Safeguarding the privacy of our stakeholders by safeguarding their personal data is a key focus area and is achieved by a data privacy strategy that is holistic, proactive and risk-based,” she says.

Raymond Velez, Global Chief Technology Officer at Publicis Sapient, highlights the need for consent and security in data privacy strategies. He advises organisations to “earn trust with consumers and ensure compliance” through progressive consent management and to leverage modern privacy-enhancing technologies such as cleanrooms.

Ramesh Jampula, Vice President of IT at Dell Technologies, stresses the role of a robust IT infrastructure in maintaining data privacy. He states that modernising IT infrastructure is key to driving innovation, improving customer experiences, boosting reliability and security, and staying competitive.

Anitha Scaria George, Vice President of India COE and Country Leader at Celonis, echoes this sentiment, emphasising the importance of building privacy and security into everything the organisation does.

Brian Gin, Chief Privacy Officer at Trellix, reminds us that privacy is a responsibility shared by all. He encourages companies to empower all employees to be responsible for protecting data and to view privacy as a fundamental human right.

ALSO READ: Data Privacy Day 2023: Top 5 data risks every business should address

Pankit Desai, CEO & Co-founder of Sequretek, suggests that the first step for companies is to figure out their data life cycle. This includes understanding how data gets created, processed, stored, and discarded, and ensuring that at each point of this cycle, access is controlled and the data is protected. Desai also stresses the importance of identifying who the custodian of the data is within the company and understanding the security elements of each part of the data life cycle.

Anitha Scaria George emphasised the need for organisations to recognise that security and privacy are not just priorities, but necessities. She recommended building privacy by design across the entire organisation, ensuring access controls are advanced and up to date, taking precautions to reduce the risk of improper access, and encrypting all sensitive data, both at rest and in transit. She also suggested that organisations should continuously educate themselves and their employees on proper data handling, and consider the long-term management of their privacy programme.

Overall, these industry leaders stress the importance of a holistic approach to data privacy, including consent management, security, and robust IT infrastructure, as well as the role of every employee in protecting data. As we celebrate Data Privacy Day, it is important to remember that safeguarding personal data is essential for both individuals and organisations.

ALSO READ: Data Privacy Day 2023: 10 ways to protect your personal information

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Data Privacy Day 2023: Top 5 data risks every business should address

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Data Privacy Day is observed on January 28 all around the world. Sensitising people and spreading information about privacy practices and principles are the day’s goals. In order to foster a culture of privacy, it encourages everyone to take ownership of their privacy obligations.

This year’s theme is ‘Privacy Matters.’ It fosters a sense of responsibility by demonstrating the importance of privacy for both individuals and organisations. But more so for the latter as businesses hold several datasets. It is important for them to understand data risks and always be a step ahead of any potentially malicious activity.

Here are the top five data risks every organisation should be aware of:

Loss of data

A data-centric strategy is necessary to keep pace with innovation, data accessibility, and compliance monitoring, along with data loss protection. In order to protect and maintain the privacy of a business’s most valuable resource, data loss prevention (DLP) is essential. By using this method, data owners and security teams can safely recommend DLP within their organisation.

Also Read: Python-based attack campaign targeting healthcare and finance industries discovered

Inadequate knowledge of data loss

The biggest threat to the cloud security of a business may be data leaks. A growing number of firms are discovering that their cloud computing capabilities are vulnerable to reputational and financial penalties arising from the regulatory and legal fallout that follows data breaches.

Insider threats

Protecting the perimeter is insufficient because the real threat can be lurking within the organisation. Businesses need to pay close attention to anyone who has access to their internal information, including partners, employees, third parties, and others. It’s crucial to ensure that they won’t abuse their access rights because they have access to your company’s trade secrets and could have an impact on your operations.

Social engineering vulnerabilities

Luring employees into disclosing credentials or downloading malware is a relatively typical method for data breaches. Every employee needs to learn how to recognise phishing, malware, and other social engineering problems. IT must keep up with current trends, watch out for targeted assaults, and ensure that staff members are informed about what to look for and how to respond.

Also Read: View | High awareness, low preparedness — The state of cybersecurity in healthcare

Ransomware attacks

Ransomware attacks are among the few cyber threats that receive a lot of public attention and general concern. Small-to-midsize businesses (SMBs), as well as local governments, are targets of these more common and expensive online cash grabs, which are driving up the number of these cyber threats. Additionally, many ransomware threats occur at the user level because phishing techniques and other harmful communications enable these major cyber threats.

Cyber risks are also shifting as businesses move toward a digital strategy while balancing a hybrid work structure and pushing every aspect of their operations to the cloud. As per recent reports, cyber threats are growing, spilling into the mainstream.

The year 2023 will see leading organisations investing heavily in updating or establishing more robust cybersecurity policies and procedures, monitoring attack surfaces, and enabling security automation. They will team up with incident response, digital forensics, and data restoration groups to proactively identify and eliminate threats in networks, reduce the attack surface, close security breaches, and recover critical data.

Also Read: As businesses shift to cloud, CEOs need to prioritise cybersecurity: PwC

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Data Privacy Day 2023: 10 ways to protect your personal information

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

The 17th Data Protection Day will be celebrated globally on January 28. The celebrations are aimed at raising awareness about the right to data protection and various ways in which people can keep their data safe. This important celebration was initiated by the Council of Europe.

History & Significance

The Committee of Ministers of the Council of Europe decided to launch Data Protection Day in 2006. January 28 was chosen for the annual celebrations.

Data Protection Day marks the anniversary of the opening of the global data protection Convention, Convention 108. For over 40 years, Convention 108 has influenced and shaped privacy and data protection. Data Protection Day is now celebrated globally and it is also known as ‘Privacy Day’ in some parts of the world.

This day raises one of the most important issues of the digitally advancing world. The main goal of the day is to educate people on data protection challenges and inform them about their rights to privacy and how to exercise them.

ALSO READ: Data Protection Bill: Companies may be fined Rs 200 crore for failing to safeguard data

10 Ways to Protect Your Personal Information and Data

1. Always use storage with data protection with built-in disk clustering and redundancy.

2. Always create copies of data and store them separately, to be able to restore data in case of loss or modification.

3. Always review data privacy settings on digital, and social media accounts and apps you use.

4. Regularly change passwords to keep hackers away and use passwords that are 10 characters long with complex combinations.

5. Make sure to only use devices with the latest firewalls and anti-virus software.

ALSO READ: MeitY extends deadline for public comment on revised draft of data protection bill to Jan 2

6. Turn off Bluetooth devices when not in use as Bluetooth devices can also leave personal data vulnerable which could be accessed by hackers in several ways.

7. Always keep your operating system updated to ensure that they have the latest performance and security updates.

8. Avoid using unsecured public networks as they may be vulnerable to breach and in some cases, they may be imposter networks waiting to steal your data.

9. Always secure personal info offline on a device that doesn’t connect to the internet to make sure it is safe and away from the reach of hackers.

10 . Make sure to set up Two-Factor Authentication on all your financial and email accounts.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Apple should face 6 million euro fine, adviser to French privacy watchdog says

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Apple should face a six million euro ($6.3 million) fine for breach of privacy rules, the top adviser to the French data protection authority’s sanction body recommended on Monday.

Commission Nationale de l’Informatique et des Libertes’ (CNIL) sanction body is free to ignore the rapporteur’s recommendations, but these typically carry a lot of weight regarding the watchdog’s final decision.

The rapporteur, Francois Pellegrini, made his recommendation after an investigation by the authority, itself triggered by a complaint filed last year by lobby group France Digitale.

Also Read: Explained: Audius, the crypto-powered music streaming app that’s giving power back to artists

In the complaint, the lobby, which represents the bulk of France’s digital entrepreneurs and venture capitalists, alleged that iPhone maker Apple’s former operating software, iOS 14, did not comply with EU privacy requirements.

France Digitale argued then that while iPhone owners were asked under iOS 14 whether they were ready to allow installed mobile apps to gather a key identifier used to define campaign ads and send targeted ads, default settings allowed Apple to carry its own targeted ad campaigns without clearly asking iPhone users for their prior consent.

Apple’s privacy updates, called App Tracking Transparency, give users the option to block apps from tracking activity across apps and websites owned by other companies.

In his remarks, Pellegrini said Apple’s previous operating system version iOS 14.6 failed to ask users properly for their prior consent for the collection of personal data, thus constituting a breach of privacy rules under the European Union’s ePrivacy directive.

Also Read: Karnataka BJP MLA urges Finance Minister to prohibit marketing of online gaming companies

He added that changes made under a subsequent version of Apple’s operating system, iOS 15, allowed for such prior consent.

Gary Davis, Apple’s head of privacy, contested the rapporteur’s conclusions at the hearing, saying the U.S. firm was committed to the protection of users’ privacy.

“The absence of any seriousness to the breach … means that the amount of the fine should be decreased,” he said, requesting that the amount of any fine should not be made public.

CNIL’s sanction body did not say when it would reach a decision.

Also Read: Reliance Jio joins OnePlus to bring ‘True 5G’ tech ecosystem to India

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

VIEW | Data privacy in the contours of the virtual world: Complexities of the metaverse

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Stepping towards a digital revolution, the ‘metaverse’ brings a new world into existence through augmented or virtual reality technology. It creates a unique virtual experience for users to immerse themselves in the digital world through a myriad of services like virtual gaming, digital asset creation, real-time virtual markets, etc.

In this world of virtual realism, data fuels the eco-system as real-time data from the users (user behaviour and preferences, physiological responses, etc.) is collected to enable this experience. Since metaverse seeks to create this one-of-a-kind immersive digital world or virtual experience, processing of users’ data will be at the forefront to facilitate a seamless experience.

With the proliferation of 5G processing capabilities and Internet-of-Things (IoT) technologies, extensive data collection from one’s surroundings, and the planet at large, can be expected. As the law lags behind and tries to catch up, the entire concept of data protection might need to be reimagined in the context of the metaverse.

Re-imagining the concept of data protection in the metaverse

Metaverse’s extended reality aims to merge the boundaries of the physical world and digital world through data collection and processing at a tremendously granular level.

Such technologies depend upon not only just tangible data (whether personal or non-personal) fed by the users, but also the users’ surroundings, reflexes, responses, inhibitions, and other physiological indicators which may not even be visible to the user itself.

At present, although things like user profiling and targeted advertising are commonplace, user profiling contains less intrusive data such as digital content watch time, likes and dislikes, age, gender, name, activity across social media platforms, etc.

Thus, while entities can track behavioural patterns to create user profiles, the scope of profiling in the metaverse may multiply manifold with newer forms of personal data collected. However, the metaverse will lead to unprecedented amalgamation between individuals’ data and technology, which will include novel methods of obtaining user profiling information such as iris, facial movement and audio response tracking.

Another interesting aspect is the creation of ‘avatars’ on metaverse and the profiling of such avatars. Analysis of users’ avatar activity may also reveal critical information about users’ behaviour.

Accordingly, the profiling of users will become more precise. This would certainly open new avenues for companies with increased adoption of metaverse-based services. In the metaverse, such new forms of data will be collected and processed in real time with the aid of smart machines and mixed reality (virtual reality or augmented reality) equipment.

This could give rise to new types of personal data collected by the industry in a way never done before and add new dimensions to the regulation of personal and non-personal data. Therefore, in an environment where tracking and profiling of users would become so effortless, ensuring the privacy of users will be paramount.

Separately, with regard to the identification of a user, metaverses based on certain technologies (such as blockchain) may give users the autonomy over their identity, i.e. to be a ‘self-sovereign identity’ as a distinct identifier for that user, which according to experts might supplant the reliance on any central entity for identity verification.

In addition to having a self-sovereign identity, users might also be in full control of their personal information and may create, sign and verify claims using their self-sovereign identities.

However, no policies surrounding creation, verification, authorization or authentication relating to self-sovereign identities in the metaverse exist at present. Thus, we will have to see how accountability relating to profiling, consent, and privacy is attributed to individuals and platforms in the metaverse.

With the amount of attention that the metaverse space has gained in the past few months, and with the kind of involvement by large players and capital that is flowing into metaverse projects, it is quite possible that cybercriminals are attracted to this space.

Thus, the personal data of individuals, virtual property, tokens, avatars, and other metaverse assets may be at risk due to meta-criminals. The issue becomes more complex as data in the metaverse may be stored on a decentralised blockchain. Due to lack of clarity on the regulation of blockchain-based systems (which may be located abroad), law enforcement becomes a challenge.

In addition to grave cybersecurity implications, there will also be crucial look-out areas in the domain of intellectual property (such as copyright concerns with avatars) and enforcement by judicial or regulatory authorities. The legal system at large (including criminal laws) will need to adapt to the unique and novel challenges posed by the metaverse.

With billions of monthly active users of the Meta platforms, it is a Herculean task to ensure that the cybersecurity practices and user rights (in respect of their personal data) are not diluted. Such mass extrapolation of data, intrusive data collection practices and large-scale data analytics yield new potential harms and threats, and the law must keep up with these perils.

The current data protection law in India, enacted over two decades ago, is limited in its scope. Although there is a more comprehensive proposed law in the pipeline, many aspects are yet to be crystallised.

This begs the burning question – can the current and forthcoming law adequately address the challenges and risks surrounding data protection in the metaverse?

Importantly, since the metaverse will depend on free flow of information across platforms and boundaries of the physical world, this dilemma is only enhanced with restrictions on cross-border data transfers under local data protection laws.

Also Read: Instagram fined 405 million euros by Irish regulators for data breach

Current regime for cross-border data transfers and issues concerning data localisation

The metaverse seeks to bridge the gap between the real and the virtual. This will require seamless exchange of data across different platforms and across borders, e.g., users will be able to virtually visit, experience and transact at virtual shops located abroad through AR or VR devices, this would lead to transfer user information (including payment data, real-time physiological reactions, behavioural data, personal identifiers)

Transactions in the metaverse may also be carried out through cryptocurrencies and virtual digital assets (like NFTs). Further, to ensure easy access globally, it is speculated that the entire ecosystem of metaverse might run on the blockchain.

Thus, data may be stored on computers and nodes located across the globe (irrespective of national boundaries). Since data on the blockchain may be stored across nodes located abroad, it would be nearly impossible to expect entities that control such data to comply with data localisation requirements.

Stakeholders suggest that the government may carve out an exception to data localization for compatibility with blockchain-based models. The Indian government has also recognised data localisation as a challenge to adoption of blockchain technology.

The data localisation requirements in several jurisdictions like India, China, and effectively the EU, might create hindrances to cross-border data flows. Thus, there is a need for a global rethink to strike a balance between facilitating cross-border data flows and protecting national interests.

In India, although cross-border transfers of ‘sensitive personal data or information are regulated by the IT Act, there are no explicit restrictions. However, sectoral regulators like the Reserve Bank of India, impose data localisation for certain kinds of data.

The proposed law on data protection will require user consent for the transfer of ‘personal data’ and ‘sensitive personal data’ (the latter will have to be mirrored in India). Notably, ‘critical personal data’ (to be notified by the government) will have to be localised unless specific conditions are met.

Similarly, the recent Schrems II judgment (2020) in the EU, which struck down the EU-US privacy shield, effectively paves way for data localisation.

As per this judgment, GDPR-protected data may only be transferred abroad if certain stringent conditions are satisfied, this severely impacts the outsourcing industry, which may be detrimental to both European and other businesses. For instance, a European organisation may hesitate in onboarding an Indian metaverse-based HR service in light of Schrems II requirements.

Thus, free flow of data would become critical to ensure that cross-border communication and transactions in the metaverse are not restricted or delayed due to local storage norms or additional permissions required for such exchange.

There is a need to identify or recognize types of personal data to which no data localisation restrictions apply. The metaverse may add fuel to the ongoing debate between data localisation and the free flow of data. It will be interesting to see whether national interests will prevail over globalisation.

Way forward

In the absence of a global overarching framework for cross-border exchange of personal data and usage of user profiling information, stakeholders including developers, organisations, and industry bodies may come together to agree on a self-regulatory framework for ensuring protection of personal data in the metaverse and to facilitate the free flow of data. At the same time, an enabling regulatory framework may provide a fillip to the industry.

The article is authored by Abhinav Chandan, Harsh Walia and Supratim Chakraborty of Khaitan & Co. The views expressed are personal

Also Read: India needs common set of standards for data privacy regulation, says IPG officer

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Instagram fined 405 million euros by Irish regulators for data breach

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Irish regulators are slapping Instagram with a big fine after an investigation found the social media platform mishandled teenagers’ personal data. Ireland’s Data Protection Commission said by email Monday that it made a final decision last week to fine the company 405 million euros ($402 million), though the full details won’t be released until next week.

The penalty is the second-biggest issued under the European Union’s stringent privacy rules, after Luxembourg’s regulators fined Amazon 746 million euros last year. Instagram parent Meta, which also owns Facebook and can appeal the decision, didn’t respond to a request for comment.

The Irish watchdog’s investigation is centered on how Instagram exposed the personal details of users ages 13 to 17, including email addresses and phone numbers. The minimum age for Instagram users is 13. Under the EU’s data privacy rules, the Irish watchdog is the lead regulator for many US tech companies with European headquarters in Dublin.

The watchdog has a raft of other inquiries into Meta-owned companies. Last year, it fined WhatsApp 225 million euros for breaching rules on transparency about sharing people’s data with other Meta companies.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow