Delhi rioters' alleged misuse of personal particulars highlights flaws in India's proposed data protection law

A photo taken on Feb 26, 2020 shows a burnt car overturned at a damaged fuel station after it was set on fire by a mob in a riot-affected area in New Delhi. PHOTO: REUTERS

BANGALORE - On Thursday (Feb 27), Supreme Court lawyer Prasanna S. tweeted about how, in the course of the worst riots in Delhi in decades, a mob reportedly targeted Muslim-owned vehicles for arson by first looking up their licence plate numbers on a government database.

Curious to see if personal data could be traced so easily, this reporter found the vehicle registration database online and keyed in my car's plate number. A second later, my name popped up. Searches of three other number plates also revealed the owners' names.

Last July, India's Road Transport Minister Nitin Gadkari said in Parliament that the government had sold access to information about vehicle registration and driving licences to 87 private and 32 government entities for about 650 million rupees (S$ 12.7 million).

It is not clear if or how many rioters used the vehicle database to target vehicles, or whether they used the government website or other private apps that hold the data. But it is clear that this state-held personal data is easily accessible, underscoring India's critical need for a data protection law.

"India is building several national databases and registers which are collecting citizens' information without any safeguards… As a country which upholds constitutional democracy, we urgently need a data protection law to uphold the right to privacy," said Mr Srinivas Kodali, a data security expert based in Hyderabad.

India has been discussing such a law since 2017, when the Supreme Court declared that privacy was a fundamental right and told the government to set up a data protection regime.

The Ministry of Information Technology set up a committee to draft a data protection Bill, and in December 2019, the government introduced a version of this Bill in Parliament. It is now being reviewed by a parliamentary committee.

On Tuesday (Feb 25), as some parts of Delhi were engulfed in flames amid religious violence over changes to the law that clears the path to citizenship for non-Muslim migrants, the deadline for public feedback on the draft data protection law expired.

The draft law seeks to regulate how the data of Indian users is collected, stored and used by private companies and the government. For the first time, Indian law would require technology companies to seek permission from their users to collect personal data.

Remote video URL

However, both privacy advocates and companies say the draft has serious shortcomings.

One concern is a provision that allows the government to exempt any of its agencies from following the law for reasons including "the interest of sovereignty and integrity of India" and "friendly relations with foreign states".

Mozilla, which operates the popular Web browser Firefox, has said that this provision "leaves the current legal vacuum around India's surveillance and intelligence services intact, which is fundamentally incompatible with effective privacy protection".

The draft law would also allow the government to process a person's individual data without their consent for "reasonable purposes" such as credit-scoring, and even during "any breakdown of public order".

Access Now, a US-based digital rights advocacy group that has researchers in India, cautioned: "Such broad, undefined language, especially in the background of deployment of mass facial recognition and other technologies, creates concern, and may lead to the mass surveillance of users."

The law also requires companies that hold sensitive personal data of its users - biometrics, health and financial data and details such as caste, religion, gender identity and sexual orientation, among others - to store a copy of the data in India. Critical personal data, a term that is not yet defined, is required to be stored only inside the country.

BSA, also known as the Software Alliance, is an industry group that includes companies such as Microsoft and IBM. It says that the use of these terms could confuse consumers and businesses, "disrupt companies' operations and increase the costs of providing services in India".

Companies and activists say the proposed data protection authority does not seem independent enough from the government. A rule that requires social media companies to do "voluntary identity verification" of their users, they say, needs more blocks to prevent misuse of such data.

They also fear that while companies have to hand over "anonymised" personal data to the government when asked, there aren't enough protections against possible leaks, creation of super-databases or possible surveillance.

Mr Apar Gupta, the director of the Internet Freedom Foundation, a Delhi-based advocacy group, said that the draft law reflects the Indian government's desire to put security and fiscal interests over individual privacy.

The law "will refine, store and then trade the personal information of Indians without their control; (this data is) open for sale or open for appropriation to the interests of securitisation or revenue maximisation, with minimal levels of protection," said Mr Gupta.

On Wednesday, following fears of rioters tracking car number plates to owners, Mr Gupta's organisation wrote to the Ministry of Road Transport asking it to restrict public and private access to its vehicle registration database. It also asked the Ministry to stop setting up databases which could share personal information without any meaningful consent. The ministry has yet to respond.

Join ST's Telegram channel and get the latest breaking news delivered to you.