Microblogging platform Twitter on Thursday told its users in India that the data collected from them could be moved outside the country and were within the purview of using its service.
This comes as the government is considering making it mandatory for internet and mobile companies to store user data locally. Global internet giants such as Google, Facebook and Twitter aggressively use user data they gather for targeted advertising.
This is in the wake of the Supreme Court issuing notices to Twitter and Google on Wednesday seeking their legal views on a petition drawing the court's attention to the lack of control over data-sharing with cross-border corporate entities in violation of a citizen's right to privacy. The Bench also asked WhatsApp and Facebook to file sworn statements on whether they shared any data collected from users with third parties.
India provides the highest number of active daily users for Twitter, which told them on Thursday that its updated terms of service, effective October 2, allowed user data to be moved overseas and shared with affiliates. Twitter did not respond immediately to an email.
"If private data is located in servers outside India, it will be a violation of privacy," said Pavan Duggal, cybersecurity expert and lawyer, adding, "India needs to quickly come up with privacy legislation. Data localisation is a distinct option that India should look at."
Internet firms collect personal information, contacts and location, apart from activities users share. In India, it is also critical as most users access these platforms on their smartphones, which they also use to do financial transactions with banks and the government.
The government last month asked 21 smartphone handset makers, the majority of them Chinese, to declare whether the data they collected from users were hosted on servers outside India.
"The government can come up with rules under Section 83 of the Information Technology Act, mandating steps needed to protect data generated by computers in India. This should be a priority," Duggal said.
Not all concur with data localisation. "One of the oft-quoted reasons for data localisation is security, but it doesn't help improve security at all. The idea that the data taken out of the country somehow become insecure is wrong. It is very easy to copy the data in India as well. It's not going to help reduce snooping in any way," said Pranesh Prakash, policy director at the Centre for Internet and Society.
Instead he advocates India to frame laws similar to that of the European Union (EU), which mandates its laws apply to any data collected of an EU citizen.
"The question is not about whether your data is in India or not; it is about whether India's laws are applicable to the data. This is the way laws in the EU work, by insisting on it wherever an EU citizen data is taken," Prakash added.
"That's what is most important when one is looking at security and privacy rather than where the data is stored. As long as they have a presence in the country, India should be able to take action against them if they're breaking any Indian laws. With the internet, you can't be sure of where the data is saved, and really, it shouldn't matter," Prakash said.
Privacy vs policing: Who's watching you?
• India is looking at getting global internet and mobile companies to store customer data locally
• The Supreme Court's (SC's) right to privacy judgment touched upon privacy in a digitally connected world
• A case against WhatsApp over the user data it shares with parent Facebook is ongoing in the SC