The recent spate of data breaches happening across various digital platforms in India is worrisome. While every leak exposes thousands of consumers to hackers and scammers, what is more troubling is that in most cases the companies involved are not proactively informing users of the possible data breach. Customers get to know only when an ethical hacker or an Internet rights activist publishes a report. Take the alleged data breach at MobiKwik which came to light after an internet security researcher posted his findings on social media. The researcher claimed that 3.5 million individuals’ KYC documents were exposed through 37 million files. Apart from that, 100 million phone numbers, email ids, passwords, bank account details and credit card data were reportedly leaked. Instead of coming clean on claims, the company continues to deny the breach and even tried to blame users initially. Data leaks at popular pizza brand Dominos and online grocer Bigbasket were made public by cyber intelligence firms.
Globally, companies operating in the US and Europe are required under law to inform users when data breaches occur. In many cases, companies have had to pay a hefty fine. Facebook had to pay a $5 billion fine to the US regulator after a year-long investigation into the Cambridge Analytica data breach. In India, Facebook has not been put under any scrutiny for the same data leak. In contrast to the laws adopted by the US and EU on privacy and data protection, India’s data privacy law remains an eternal work in progress. This is even as there are already 700 million Internet users in the country, financial transactions on digital platforms are growing exponentially and millions of devices and machines have been connected. New technologies such as AI and ML depend heavily on collecting user data. Law enforcement agencies also use data analytics to keep a tab on people for national security purposes.
In view of the frenzy to mine private data — for business and trade purposes as well as for political reasons — the Joint Select Committee on the Personal Data Protection Bill has suggested certain strictures. It believes that if the ‘data principal’ i.e. the consumer is affected by a breach and the ‘data fiduciary’ i.e. the service provider is unable to locate and identify its source, then the ‘data fiduciary’ should be held liable. The panel is still interacting with the IT Ministry to fine-tune the provisions in this aspect. There is a divergence of views between the Government and the MPs on the oversight mechanism in case of grant of exceptions to the law. The consensus within the committee is that if government agencies are to avail of exceptions to the law, they must do so through written orders so that they are subject to judicial review and RTI scrutiny. The Government should hasten to address such issues so that the report is adopted and the Bill is tabled in the upcoming winter session of Parliament.