The alleged leak from the CoWin database is yet another indication of some persistent weaknesses in India’s digital public infrastructure (DPI) and a pointer to the need to overhaul its techno-legal approach to managing the personal data of citizens. According to the government, the details being disseminated from the Telegram bot may be from a prior data leak. The concerns, therefore, extend way beyond this one leak, damaging as that may be. It has been six years since the Supreme Court declared privacy a fundamental right and five years since a committee chaired by Justice (retired) B N Srikrishna prepared the first draft of legislation for personal data protection. But a policy vacuum continues to exist since India still doesn’t have a dedicated law on data protection and privacy. Nor does it have a dedicated law on cybersecurity.
Incidents of this kind will continue to occur because of the dissonance between the government's policy of encouraging digitisation, on the one hand, and the absence of legislative support to protect citizens using digitally driven services, on the other. The Digital India policy targets the provision of multiple services, including both government and private-sector services, via digital means. There is also a thrust on developing an increasingly cashless economy by encouraging digital payments. Much of this depends on the use of a single binding identifier, Aadhaar, to authenticate the identity of users and complete know-your-customer formalities. This DPI and the public and private services built on top of it interface with over 700 million citizens using smartphones. Many, if not most, of those users are not tech-savvy, and the data security of the services they access could vary a lot.
There has been a sharp escalation in ransomware attacks on Indian institutions in the past two years, including a recent attack on the All India Institute of Medical Sciences. There have been leaks from a railway-ticketing database. There have also been leaks from credit-card databases. As service providers proliferate and the number of citizens using digital services increases, there will inevitably be data breaches. Time after time, when such leaks have occurred, the government has insisted Aadhaar is secure. This misses the point. Aadhaar is used to authenticate a multitude of services and some of those may not be secure. If data like telephone numbers, Aadhaar numbers, physical addresses, bank accounts, credit card details, or the UPI addresses of individuals are leaked from some other database, the citizen is just as vulnerable as if the details were leaked from Aadhaar. This compromised data could be used to commit a variety of cybercrimes.
It is true that the Digital India policy offers conveniences, and has enabled the easy provision of multiple services on a huge scale. A number of businesses are riding on this. Banking, investment, and insurance have offered inclusion for many citizens on top of the India Stack, for instance. CoWin and Aarogya Setu were also built on top of this. However, it’s not wise to have an entire economy and the personal data of its citizens riding on technology operating in a legal vacuum. Policymakers must make it a priority to put appropriate data protection and cybersecurity legislation in place as well as investigate incidents like these and plug gaps in the framework.