INTRODUCTION
Data privacy means the ability of a person to determine for themselves when, how, and to what extent, their private information is shared with or communicated to a third party. This private information can be one’s name, location, contact information, or online or real-world behaviour, or any tender information that may raise concerns if leaked online or even offline to a third party.
As of today, the usage of the Internet has increased over the years, and so has the importance of data privacy. Websites, applications, and social media platforms, online shopping websites or online gaming often demand to gather and store personal data about users in order to provide services.
However, some applications and platforms may surpass user’s expectations for data collection and its usage, leaving users with less privacy than they realized. Other applications and platforms may not place adequate safety measures around the data they collect, which can result in a breach of data that ultimately compromises user privacy and personal information.
BRIEF OF THE DATA BREACH
India Railway Catering and Tourism Corporation (hereinafter referred to as “IRCTC”) has taken down the services of Bajaj Allianz General Insurance and Liberty General Insurance (hereinafter referred to as “Bajaj Allianz” and “Liberty General” respectively) temporarily from its online platform after noticing a vulnerability on the insurer’s website that put the personal data of travellers, at risk.
As we know that IRCTC is the country’s one of the largest platforms that is used to book railway and airline tickets via its e-ticketing platform, and we can even say that, to some extent, it has a monopoly over train ticket booking in the country.
On the other hand, Bajaj Allianz provides travel insurance to the traveller who books tickets from the e-ticketing platform of the IRCTC.
Certain researchers, working on data privacy, drew the attention of authorities on the issue of vulnerability in the Bajaj Allianz servers. According to one of the researchers, the data privacy loophole herein was, Insurance Direct Operate Reference (hereinafter referred to as “IDOR”), which allowed anyone to extract traveller’s private information which includes: – their name, journey details, phone number., gender, age and the nominee of the traveller’s insurance pay-out.
As stated by one such researcher,“within few minutes hundreds of traveller’s details were on the display of my laptop, the simplicity of this vulnerability and its impact makes it extremely perilous. We got access to lacs of passenger’s private information in an hour.”
According to the authorities the website of Bajaj Allianz and Liberty General were allowing access to third parties of traveller’s private information to anyone having access to Passenger Name Records (hereinafter referred to as “PNR”), details and there were no checks in place to verify the backgrounds of the person accessing traveller or nominee data.
LAWS RELATING TO DATA PROTECTION IN INDIA
The Constitution of India does not grant the fundamental Right to Privacy in an absolute manner. However, the Courts have read the Right to Privacy with the other existing fundamental rights, i.e., the Right to Freedom of Speech and Expression under Article 19(1)(a) and the Right to Life and Personal Liberty under Article 21 of the Constitution of India (hereinafter referred to as “the Constitution”).
Nevertheless, these fundamental rights under the Constitution are subject to sensible restrictions given under Art 19(2) that may be imposed by the State.
India, presently does not have any express legislation governing data protection or privacy. However, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 (hereinafter referred to as “IT Act”) and the Indian Contract Act, 1872 (hereinafter referred to as “Contracts Act”).
Under Section 43A of the IT Act, a body corporate who is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected. It is important to note that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.
Section 72A of the IT Act covers the crime of intentionally disclosing the information of a person without his/her consent but the provision primarily focuses on the breach of a lawful contract. However, the same is insufficient to govern the general disclosure of sensitive personal information without the owner’s consent.
REMEDIAL ACTIONS
As we know, India does not have any dedicated legislation for data protection and breach, as of now, the relevant laws in India dealing with data protection are the IT Act and the Contracts Act. A codified law on the subject of data protection is likely to be introduced in India in the near future, which is the Data Protection Bill, 2021 (hereinafter referred to as “DP Bill”).
The General Data Protection Regulation (hereinafter referred to as “GDPR”) is the most comprehensive data privacy and security regulation around the world. Though it was drafted and passed by the European Union (hereinafter referred to as “EU”), it imposes obligations on organizations across the borders, so long as they target or collect data of citizens or people within the EU.
Having the support of GDPR, Europe is signaling its firm posture on data privacy and security at a period when more people are trusting their personal data with cloud services and on the other hand, breaches are a daily incidence. The regulation itself is huge, across-the-board, and fairly light on specifics, which makes GDPR compliance an unnerving prospect.
Furthermore, India is a signatory to several International Conventions and Declarations such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognise the Right to Privacy as an important part of human existence. However, the absence of any specific law enforcing the Right to Privacy in India, leaves a huge void to be filled and leaves a lot of room for the possibility that the efforts being made for the increased and better protection of personal data would be nullified.
AMLEGALS REMARKS
India has made considerable progress in terms of cybersecurity, but there is still much to be done. The Government is expected to enact the DP Bill and put in place measures to boost cyber governance. Passing the data protection and cybersecurity legislation will go a long way toward securing the country from both internal and external cyber-attacks. To protect key systems, the Government should also invest in digital infrastructure and create awareness among the general public.
India is on a fast track to digitalization and in the light of the same, individuals and businesses are more vulnerable to cyber threats, whether through e-commerce websites or Government based Aadhaar or unique health ID schemes. It is critical that this data be stored and processed within a secure infrastructure that protects it from both external and internal hostile actors.
This will need to be supplemented by measures to raise awareness about the dangers of social engineering attacks. Investing in capabilities to adapt to the aforementioned trends will aid in the protection of sensitive data and vital systems, as well as enhance India’s ranking on the Global Cybersecurity Index.
Team AMLEGALS, assisted by Mr. Varil Sheth (Interns)
For any query or feedback, please feel free to connect with chaitali.sadayet@amlegals.com or mridusha.guha@amlegals.com
Leave a Reply