After more than two years of deliberation, The Indian Personal Data Protection Bill was tabled in the parliament in December 2021. However, the bill is yet to come into force and, for many, has been noted as underwhelming and inadequate. New rumours also point to the PDP bill, which has been in the works for five years now, being put aside and a new bill being drafted from scratch.
Data is driving the world today. In the presence of countless organisations and portals created on and using user data, having strict regulations to protect personal information has become more urgent and critical than ever. United Nations (UN) statics show 128 out of 194 countries have legislation to ensure data protection. After the EU’s GDPR came into force in 201, countries worldwide, have been inspired to create similar frameworks. US states, Thailand, Brazil, the UK, and South Korea now have bills and laws concerning data subject’s rights, duties of data controllers, supervisory authorities, remedies, liabilities and penalties, transfer of personal data to third parties, etc. Thanks to an airtight GDPR, WhatsApp’s policy changes were not applicable in the European Union. But they are applicable in India, along with several other companies taking advantage of the lack of a structure preventing them from using personal data.
Truecaller is thriving on India’s absent PDP bill
The Caravan recently reported on Truecaller’s overbearing use of Indian data. Truecaller is notorious for its data and privacy breaches. In 2016, it was listed by BBC as a major unsafe app, given it would ask users to upload their phone’s contact lists upon installation. Developed by a Swedish company, True Software Scandinavia, in 2009, Truecaller has over 300 million monthly active users around the world today. Truecaller users are starting to realise that in the offside of preventing spam calls, they are only ever getting more unknown calls tagged in red. But this was warned of by India Today in 2017, asking users to “have mercy on others and STOP using Truecaller”. The article noted Truecaller as a dangerous app, especially in India, where privacy is at the bottom of the importance pyramid and is commonly leaked data.
A detailed investigation by The Caravan revealed India’s lax laws and the lack of privacy awareness among the citizens to be the reasons behind Truecaller’s major success in the country. Truecaller’s contact datasets are made up of information of individuals that have never even downloaded the app or registered on it—information collected without their consent. The database has been built through four major sources: downloads of the app, partnerships with social media platforms that publicly display numbers, free authentication of application-programming interfaces, and software development kits. “According to a former employee, the number of users who have given consent for their phone numbers to be identified and added to the Truecaller database is negligible compared to those who have been added without their consent”, The Caravan states.
Nigeria-based tech platform, Techcabal, calls this ‘permission-based crowdsourcing’, where Truecaller registrants are asked for access to their phonebooks and contact list before they can leverage the service. In a country like India, where the concept of data privacy is hugely unheard of, individuals agreeing to this condition are not even aware of their actions. Moreover, seeking permission from users regarding their contact list prevents Truecaller from facing serious legal charges. And in the absence of a legal structure to frame dos and can’t dos, companies like Truecaller can keep finding loopholes as such.
By definition, India’s personal data protection bill identifies an individual and their details, including names, addresses, financial information, IP addresses, cookies, device IDs under the framework. It also requires prior notice and consent to use this individual data. Truecaller highlighted this bill as one of the risk factors to its business in the IPO prospectus.
Truecaller is not the only company exploiting this, and until we have a framework, there will be more. One of the biggest privacy scandals in India was reported by The Wire in July 2021 regarding the leaked global list of 50,000 numbers. Within the leak, the international collaborative Pegasus project consisted of at least 300 Indian phone numbers, including those of human rights defenders, journalists, lawyers, government officials, and opposition politicians. Pegasus is spyware developed by the Israeli cyber-arms company NSO Group. As of 2022, the spyware can read text messages, track calls, collect passwords, track locations, access microphones and cameras and collect information from apps. While the government has claimed they have enough safeguards to prevent such unauthorised surveillance, eleven groups, including the Center for Democracy and Technology, Civicus, Freedom House and Privacy International that are calling for independent oversight, refute this.
The past few years have also been victims of several major data leaks. In 2020, IRCTC’s data leak revealed the personal information of millions of Indian citizens on the dark web. The information included their full names, mobile numbers, e-mail IDs, dates of birth, marital statuses and cities of residence. Similarly, the data of 45 lakh passengers was leaked on Air India’s passenger system service provider SITA, including information about the passport and credit card details. Outlook India reported data localisation issues, given SITA is based out of Geneva—an aspect PDP bill would raise. An 8.2 TB data leak also revealed such sensitive information at MobiKwik, with the KYC documents, Aadhar card and passport details of 10 crore people on sale on the dark web. In an even worse turn, Domino’s India’s data leak led to the information being on the surface web, accessible to anyone with a search engine.
What can the PDP Bill do?
Companies like Amazon and Zoom have been fined heavily ($850.6 million and $85 million, respectively) for their violations of EU’s GDPR and US data protection laws. But, unfortunately not many actions have been taken by the Indian government. A data protection bill can ensure the privacy of Indian citizens.