全球智库信息集成服务系统

Contributing to the confusion is the lack of statutory or regulatory clarity on data protection. India’s own data protection rules offer wide latitude to technology companies to determine their own practices, which encourage irregular and poorly enforced privacy policies. If regulatory ambiguity has opened the door for conflicting data protection guidelines, the problem is compounded by India’s heavy reliance on foreign devices and applications, many of which transfer data of Indian users outside India’s borders and base their privacy policies on their home jurisdictions. This system of “last mile” data protection significantly diminishes the state’s ability to protect the privacy of its citizens, a right that was recently confirmed as “inalienable” by the Supreme Court of India.

This paper highlights “last mile” protection through an analysis of policies at the app, OS and device layer — using the examples of the Google Play Developer Distribution Agreement, Google Developer Policy, the India-specific privacy policies of smartphone manufacturers Huawei, Vivo and Xiaomi, as well as the privacy policy of WhatsApp. While acknowledging that such policies are here to stay and that it may not be feasible to craft statutory guidelines that comprehensively address every dimension of data sharing and collection, given the diversity in technological platforms, the paper makes the case for a self-regulating, autonomous and multi-stakeholder agency for protecting the integrity of user data.