How Companies Benefit from India’s Lax Data Protection Laws

After more than two years of deliberations, India’s Personal Data Protection Bill was tabled in parliament in December 2021. However, the bill has yet to come into force, and many have judged it disappointing and inadequate. New rumors also indicate that the PDP bill, which has been in the works for five years now, is being shelved and a new bill is being drafted from scratch.

Data is the engine of today’s world. With countless organizations and portals built on and using user data, strong regulations to protect personal information have become more urgent and critical than ever. United Nations (UN) statistics show that 128 out of 194 countries have legislation guaranteeing data protection. After the EU GDPR came into effect in 2019, countries around the world were inspired to create similar frameworks. US states, Thailand, Brazil, the UK and South Korea now have bills and laws covering data subject rights, controller duties, supervisory authorities, remedies, responsibilities and sanctions, transfer of personal data to third parties, etc. Thanks to an airtight GDPR, WhatsApp’s policy changes were not applicable in the European Union. But they are applicable in India, where several other companies are also taking advantage of the lack of a structure that would prevent them from using personal data.

Truecaller thrives on India’s missing PDP bill

The Caravan recently reported on Truecaller’s excessive use of Indian data. Truecaller is notorious for data and privacy breaches. In 2016, it was listed by the BBC as a major insecure app because it allegedly asks users to download contact lists from their phone upon installation. Developed by a Swedish company, True Software Scandinavia, in 2009, Truecaller now has more than 300 million monthly active users worldwide. Truecaller users are starting to realize that beyond preventing unwanted calls, they are only getting more and more unknown calls marked in red. India Today had warned of this in 2017, asking users to “have mercy on others and STOP using Truecaller”. The article described Truecaller as a dangerous app, especially in India, where privacy is at the bottom of the pyramid of importance and data is often leaked.

A detailed investigation by The Caravan revealed that India’s lax laws and lack of privacy awareness among citizens were the reasons for Truecaller’s major success in the country. Truecaller’s contact datasets include information about people who have never even downloaded the app or registered on it, information collected without their consent. The database was built from four main sources: app downloads, partnerships with social media platforms that publicly display numbers, free application programming interface authentication, and software development toolkits. “According to a former employee, the number of users who gave their consent to have their phone numbers identified and added to the Truecaller database is negligible compared to those who were added without their consent,” says The Caravan.

Nigeria-based technology platform Techcabal calls it “permission-based crowdsourcing”, where Truecaller registrants are asked to grant access to their phone books and contact lists before they can take advantage of the service. In a country like India, where the concept of data privacy is largely unknown, people agreeing to this condition are not even aware of what they are agreeing to. Additionally, asking users for permission regarding their contact list shields Truecaller from serious legal action. And without a legal structure to frame the do’s and don’ts, companies like Truecaller can continue to find such loopholes.

By definition, the Personal Data Protection Bill of India identifies an individual and their details including names, addresses, financial information, IP addresses, cookies, device identifiers as part. It also requires notice and consent to the use of such individual data. Truecaller highlighted this bill as one of the risk factors for its business in the IPO prospectus.


Truecaller isn’t the only company exploiting this, and until we have a framework, there will be more. One of India’s biggest privacy scandals was reported by The Wire in July 2021, regarding the leak of a global list of 50,000 numbers. The leak, part of the international collaborative Pegasus Project, included at least 300 Indian phone numbers, among them those of human rights defenders, journalists, lawyers, government officials and opposition politicians. Pegasus is spyware developed by the Israeli cyber-arms company NSO Group. As of 2022, the spyware can read text messages, track calls, collect passwords, track locations, access microphones and cameras, and collect information from apps. While the government has claimed it has enough safeguards to prevent such unauthorized surveillance, eleven groups calling for independent monitoring, including the Center for Democracy and Technology, Civicus, Freedom House and Privacy International, refute that claim.

Data leaks

The past few years have also seen several major data breaches. In 2020, the IRCTC data leak exposed the personal information of millions of Indian citizens on the dark web. The information included their full names, mobile phone numbers, email IDs, dates of birth, marital status and cities of residence. Likewise, data of 45 lakh passengers was leaked from Air India’s passenger system service provider SITA, including passport and credit card details. Outlook India reported data localization issues, given that SITA is based in Geneva, an aspect that the PDP bill would raise. An 8.2TB data leak also revealed such sensitive information at MobiKwik, with KYC documents, Aadhaar card and passport details of 10 million people for sale on the dark web. In an even worse twist, the Domino’s India data leak led to the information being on the surface web, accessible to anyone with a search engine.

What can the PDP bill do?

Companies like Amazon and Zoom have been hit with hefty fines ($850.6 million and $85 million, respectively) for their violations of EU GDPR and US data protection laws. But, unfortunately, little action has been taken by the Indian government. A data protection bill can ensure the privacy of Indian citizens.

About Sandra A. Powell
