.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.
We now proceed further….
Naavi.org has been speculating many times that the opposition to the passage of Data Protection legislation in India mainly comes from those companies which are interested in “Data Laundering”. They are afraid that if the law comes in, they will be finding it difficult to continue their present practice of transferring data abroad for their commercial benefit.
This opposition is
a) Against Data Localization or even keeping a copy locally
b) Ensuring absence of malware in data processing devices and software
c) Maintaining KYC of subscribers to VPN kind of services
The Policy Bazaar data breach as reported at the 420.in highlights why all the above three requirements have a national security implications.
The policybazaar data breach is reported to have exposed the data of 50 million customers and the data involves sensitive and super sensitive data.
Some of the data exposed include
customers’ photo, full name, date of birth, complete residential address, email address, mobile number, credit report, PAN number, policy details including nominee details, family members’ policies details, bank account statements, income tax returns, Passport, immigration visa, records of country entry and exit, Aadhaar card (both sides), driving license, health records, payslips.
– sensitive details of defense personal who are Policybazaar customers
– copies of customers past policy documents
– copies of customers birth certificate
– copies of customers vehicle registration certificate
In case of the defence personnel, the data breach may include data of the following kind.
– Details of which specific branch of Indian defense forces someone is in like Indian Army, Navy, Air force, and even specifics if someone is in one of the Indian special forces like SPG, Black Cat commando, CoBRA, Anti Terrorist Squad.
– Current rank and designation in that defense force
– Current location of posting (which is very confidential many times)
– Details if someone is engaged in any hazardous activities, e.g. aviation, diving, parachuting, bomb disposal or special service groups, and length of service in those roles.
– Specific nature of role
– Details if someone in Indian defense is currently serving in or is under orders to proceed to any troubled area, or around border areas of India
– Details if someone handles weapons or explosives. If yes, details of such weapons and explosives.
It is needless to say that the data breach has a national security angle particularly the company is funded by Chinese investors and this information is of interest to the Chinese Government.
We had earlier pointed out “Data Laundering” arising out of Acquisition of CIBIL by TransUnion. The present data breach in Policybazaar is another instance where data laundering might have occurred through a deliberate back door. We have pointed out earlier also about the China Risk in Telecom sector, Manchurian Chips in POS machines and Mother boards from China etc..
It is now time to check if this Policybazaar data breach is also a case of Data Laundering. If “Data” is money, “Data Laundering” is also “Money Laundering”. We need stringent provisions in our Data Protection law to prevent such occurences and to take stringent action if such incidents take place.
In the light of the new Data Protection Act being designed, the incident indicates that the following provisions should be considered.
a) The provision for Data Processing devices and software to carry assurance certificate that they donot contain any malware (Refer Section 49(2)(o) of PDPB 2019) should not be withdrawn as demanded by some Big Tech Companies
b) Disclosure of the estimated value of data assets of an organization being acquired in a process of merger or acquisition must be disclosed to the authorities including DPA.
c) While processing of personal data during mergers and acquisitions may be exempt from consent as provided under Section 14 of PDPB 2019 (now withdrawn), the continuation of the processing by the merged entity must require a notification to the data principal and an option for opting out.
d) Failure to inform the data principals of the transfer of beneficial ownership of the Data Fiduciary to a new entity must be considered as an attempt for Data Laundering and it should be one of the criminal offences that should be recognized under the Act.
P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.