India needs an effective privacy law quickly
Independent cyber-security researchers have claimed that a database containing know-your-customer details of nearly 3.5 million users of fintech service provider MobiKwik is up for sale on the Dark Web. An 8.2 terabyte database was allegedly offered for sale by a pseudonymous hacker for the equivalent of $75,000, payable in cryptocurrency. The hacker even offered a search engine for prospective buyers to check the details. The database had fields such as email IDs, phone numbers, passwords, physical addresses, credit card details, soft copies of identification documents and details of registrations with merchants. The hacker has since stated he has deleted the file, though this is impossible to verify. An India-based cyber-security expert, who initially flagged the breach, was targeted in a vilification campaign and attempts were made to shut down his social media access. On its part, Mobikwik has denied that the database was downloaded from it in February 2021 but has agreed to conduct a third-party forensic audit at the behest of the Reserve Bank of India (RBI). The company has also said that users could have uploaded their data on several platforms and it was incorrect to say the leaked information was accessed from the payments company, adding it takes privacy and security very seriously.
Whatever be the truth, this and several other such cases in the recent past once again highlight the lacunae in India’s legislative regime, and regulatory systems, when it comes to protecting private data. More than three years ago, the Supreme Court declared data privacy was a fundamental right. Draft legislation was penned over two years ago by a committee headed by Justice Srikrishna. That legislation has been redrafted several times, but there is still no specific law dealing with protection of private personal data. There is no legal obligation for a company to disclose if a breach has occurred. The lack of a law also means that there is no redress for citizens whose data is harvested and misused. In jurisdictions where data protection laws exist, a data leak is usually followed both by criminal investigations by the authorities, as well as civil class action suits by affected citizens. Fear of heavy penalties forces corporations to be careful.
In the absence of a specific law, the regulatory authorities can still act proactively. In this case, the RBI has taken some belated action but it is not clear how seriously it will oversee the audit process. The agency, which should be most concerned about this leak is the CERT-In, which has the mandate to deal with cyber-security. CERT-In could have intervened instantly to investigate the incident and take necessary corrective action. This is not the first large data breach that has occurred in India; nor will it be the last. Incidents of this nature occur all the time, though this is the largest on record so far. The breaches are not surprising, given a policy of actively encouraging the provision of digital services, a huge user-base of 500 million Netizens, and the absence of laws to protect the latter’s data. It is high time that an effective law protecting sensitive personal data was passed. Such a law also needs to have provisions to protect whistle-blowers who perform a valuable service. In addition, agencies like the CERT-In need to be more transparent and proactive in their operation when breaches of this nature, which affect a large number of citizens, occur.