How can businesses best implement privacy principles? On November 26th, Mozilla hosted its first “Privacy Matters” event in New Delhi, bringing together representatives from some of India’s leading and upcoming online businesses. The session was aimed at driving a practical conversation around how companies can better protect user data, and the multiple incentives to do so.
This conversation is timely. The European GDPR came into force this May and had ripple effects on many Indian companies. India itself is well on its way to having its first comprehensive data protection law. We’ve been vocal in our support for a strong law; see here and here for our submissions to the Indian government. Conducted with Mika Shah, Lead Product and Data Counsel at Mozilla Headquarters in Mountain View, the meeting saw participation from thirteen companies in India, ranging from SMEs to large conglomerates, including Zomato, Ibibo, Dunzo, Practo and Zeotap. There was a mix of representatives across engineering, C-level, and legal/policy teams of these companies. The discussions were divided into three segments as per Mozilla’s Lean Data framework, covering key topics: “Engage users”, “Stay Lean”, and “Build-in Security”.
The first segment of the discussion focussed on how companies can better engage different audiences on issues of privacy. This ranges from making privacy policies more accessible and explaining data collection through “just-in-time” notifications to users, to better engaging investors and boards on privacy concerns to gain their support for implementing reforms. Many companies argued that providing more choices to the Indian user base throws up unique challenges, and that often users can be disinterested or careless about making choices about their personal data. This only reinforces the importance of user-education and companies agreed they could do more to effectively communicate about data collection, use, and sharing.
The second section was on the importance of staying “lean” with personal data rather than collecting, storing, and sharing indiscriminately. Most companies agreed that collecting and storing less personal data mitigates the risk of potential privacy leaks, breaches, and vulnerability to broad law enforcement requests. Staying lean does come with its own challenges, given that deleting data trails often comes at a high cost, or may be technically challenging when data has changed hands across vendors. It was agreed that there is a need for more innovative techniques to help pseudonymize or anonymize such datasets to reduce the risk of identification of end-users while maintaining the value of service. Despite these challenges, responsible companies should do their best to adhere to the principle of deleting data within their control, when no longer required.
The final segment covered key security features that could be built into the services. For many startups, their emphasis on security practices, especially relating to employee data access controls, has increased as they grew in size. Participants in the event also spoke to concerns around the security practices of their vendors; these corporate partners often resist scrutiny of their security and/or are unwilling to negotiate terms, making it hard for companies to meet their obligations to their users and under the law.
Following the event, all of the participants confirmed that they’re intending to make changes to their privacy practices. It’s great to see such enthusiasm and commitment to protecting user privacy and championing these issues within their respective companies. We look forward to hosting further iterations of this event in India. For more information about the Lean Data Practices, see: https://www.leandatapractices.com/