India needs strong data protection laws / Photograph by Nick Youngson
Cyber frauds, data leaks and non-existent privacy laws in India
Even as internet users have grown exponentially in India, digital privacy is still a far cry because of the lack of data protection laws.
Jangili Praveen, a 35-year-old farmer, used to enjoy browsing YouTube on his three-year-old smartphone in his ready-to-be-harvested groundnut field in Veldanda, Nagar Kurnool district of Telangana.
He had always found Facebook exciting, where he could follow his friends and share his daily activities until the day his account got hacked. Messages were sent to several people on his friends’ list asking for money, citing an emergency.
“The police had asked me to either change my password or delete my Facebook account,” he says, staring into the skies. “I have deleted my Facebook account with the help of my niece as I was afraid that the incident might recur,” he says.
In this digital age, various platforms on the internet collect the personal data of individuals. However, there are no specific laws in India that regulate this data being shared with others by these platforms. Digital privacy activists call for a robust framework to ensure the protection of citizens’ data. The proposed Data Protection Bill (DPB), 2021, is the only hope that Indians have in terms of data privacy.
According to a report from Surfshark, a cybersecurity company based in the Netherlands, data of 86.63 million Indians was breached in 2021. India ranks fifth among countries experiencing data breaches.
Praveen is not the only one who has been a victim of cyber fraud due to leaked personal data. Both under-educated and well-educated Indians fall prey to cyber scams.
“It surprises me how my bank details were available with people outside the bank and how easily one can be cheated online,” says K. Janardhan, lecturer at Telangana Social Welfare Junior College, Chilkur in Hyderabad. He had been a victim of One Time Password-based fraud.
G. Sridhar, Assistant Commissioner of Police, Station House Officer of Cyber Crimes in Hyderabad, believes that there are laws to provide justice to cybercrime victims, but there are no laws preventing data-sharing companies from jeopardising a citizen’s data privacy.
He says, “Government institutions like State Bank of India outsource the issuing of credit cards and debit cards to private companies who have complete information about them, which can be sold to different agencies.”
“There is a dire need for stringent laws through DPB that prevent such data sharing to ensure data privacy of people,” he states.
Data Protection Bill and privacy concerns
The Ministry of Electronics and Information Technology had tabled the Personal Data Protection Bill (PDPB) in Parliament in 2019. Following the Joint Parliamentary Committee’s recommendation, it was renamed the Data Protection Bill, 2021, which puts the security interests of the State before citizens’ privacy.
The PDPB facilitates "necessary" personal data processing by internet applications without the consent of users. DPB further adds that “quasi-judicial authorities” including Reserve Bank of India and Securities and Exchange Board of India can process such data. Instead of adding safeguards, this move proves detrimental to an individual’s data privacy.
“We are in an uncontrollable data sharing loop,” says Koneti Naveen Kumar Yadav, senior data analyst at Evoke Technologies, Hyderabad, a global Information Technology (IT) solutions company. It provides big data analytics and data science artificial intelligence solutions to various business organisations.
“There must be an opt-out mechanism from these policy terms of apps when the customer wants to leave,” he says.
According to the 2021 State of Data Privacy of Indian Mobile Apps & Websites study conducted by Arrka Privacy, “Google (42%) is the leading recipient of your data with Facebook (25%) coming a distant second,” in terms of data collected by Android apps. In terms of data collected by websites, “Google (52%) is the leading recipient of your data with Facebook (10%) coming a distant second.” Arrka Privacy is a privacy management platform.
“User data is collected in multiple ways by apps to develop ‘predictive models’ based on user behavioural patterns. It is shared with third parties to push content onto user’s devices based on these models,” Yadav says.
“The data shared with authorised third parties is used in advertising analytics, though it can be used for more nefarious purposes as well,” says Rohin Garg, Associate Policy Counsel at Internet Freedom Foundation.
“User data is sold through millions of auctions by machine learning algorithms to highest bidders. Even losing bidders in the auctions get to see some of the data, which could be misused in committing cyber frauds by manipulating social security numbers etc.,” Garg elaborates on nefarious purposes.
Privacy as a fundamental right is often ignored in India / Photograph by Jason Dent
Weakened autonomy of Data Protection Authority
The Data Protection Authority (DPA) is an autonomous body that oversees data protection enforcement in India. The DPB increases the control of the central government over DPA, which is a matter of concern for digital privacy advocates.
The usage of Pegasus software to spy on journalists and activists is a classic example of the central government having access to an individual’s privacy.
“Wouldn’t WhatsApp share your conversations if asked by the central government on security concerns? Where does data privacy exist in such a case?” questions Paduri Anwesh Reddy, senior data scientist at Great Learning, Hyderabad, a global professional learning platform.
“It is not just about the loss of personal data but the concern that someone we don’t want to know about it, knowing it,” he says.
The Bill also provides for account verification of users with necessary documents. As welcoming as it may appear, it facilitates increased user data storage, making it prone to data breaches.
“The lack of gender bifurcation in online spaces makes women more vulnerable to harassment. Laws are required for such bifurcation so that women need not share their complete personal information with any app. Refusal of services in such cases must be punished,” says Sunitha Surve, Inspector at She Teams Admin, Cyberabad Police Commissionerate.
General Data Protection Regulation (GDPR), the Data Protection Law Enforcement Directive of the European Union, is considered the gold standard for maintaining digital privacy globally.
GDPR requires the supervisory authority to be notified within 72 hours of the breach, and the DPB requires the same. However, the DPA decides whether the users are to be informed about the breach or not.
“Breaches in security can happen anytime, and not informing users means lack of accountability,” says Garg. “There are more rights given to users, and stronger compliance burdens exist in the European Union than in India.”
There are some advantages for the end user in the Data Protection Bill. For example, GDPR allows data storage by internet applications for a specific period in accessible form. There are some exceptions that allow for an extension of that period. Under DPB, however, internet companies can store data only until the purpose is served, after which it has to be deleted.
Rajeev Chandrasekhar, Minister of State for IT, at the National Informatics Centre Tech Conclave 2022 event in New Delhi, specified that the ministry is studying all the inputs, and the government is clear and steadfast about passing the bill.
“If India introduces either the 2019 Bill or 2021 Bill, or a revamped version of either of the bills, it is still an improvement over the present situation since India has no data privacy laws at present. However, the fact remains that these bills still contain significant issues, which are yet to be addressed,” adds Garg.
With data being collected with or without informed consent by different entities, the new law must limit the collection of citizens' data and plug its sale through robust privacy frameworks.