You can be among the most powerful businessmen in India, but when it comes to receiving justice from the courts you could be left as high and dry as the average citizen. In 2010, Ratan Tata filed a case in the Supreme Court alleging that his privacy had been violated by the leak of the Niira Radia tapes. But he died two weeks ago without finding closure.
Radia, who had several high-profile corporate clients at that time, including the Tatas and the Ambanis, was being investigated by the tax department, which obtained legal permission to tap her phones. But the recordings, which ought to have remained secret and used only to prosecute Radia, if the evidence so warranted, were leaked. And all her private conversations with Ratan Tata and many others were suddenly out in the public domain. No one has been held guilty for the leak so far, even though it is likely that only a few officials and private players could have had access to those tapes.
While the case led to some landmark verdicts by the highest court (in 2017, a nine-judge bench held that privacy was a fundamental right), in September 2022, the Central Bureau of Investigation said it had found nothing culpable in Radia’s conversations, and recommended closure. The only person who got no closure was Tata, whose plea for privacy died with him.
The purpose of this article is not to discuss the Radia case, but to raise a more fundamental question: has the cause of privacy already been lost by default? What chance does the common man have if a Tata doesn’t?
Also read: Data sharing policies can’t be one size fits all. Crucial to address privacy, ownership
Invasion of privacy epidemic
A few weeks ago, I got a WhatsApp message from a purported acquaintance who addressed me by the name my friends usually do. He (or she) also wanted to know if I was free to meet up in the city I was then staying for a while. My suspicions are usually raised when I get messages from people who aren’t there in my address book, but the familiarity with which I was addressed made me consider replying. But a warning bell rang inside my head, and I checked to see where the message was sent from and I found it was from Uzbekistan. I blocked and reported the messenger, possibly a scamster, for I was sure I had no pal anywhere in Central Asia.
This could not have happened unless the messenger had scraped personal details from my social media haunts or somehow accessed personal details from tele-callers or the dark web. What is clear is this: even while the provisions of the much-ballyhooed Digital Personal Data Protection Act 2023 (DPDP Act), have begun to operate, privacy seems like a lost cause. The personal data of millions of Indians are already out there for someone to access, either for free or for a fee.
Not a day passes when we do not read about someone being scammed for money using digital ruses or receiving spam calls from known and unknown tele-callers. You only have to give your personal details (phone number, address) to one entity, and suddenly it is everywhere, available to whoever wants it. You can block tele-callers endlessly—and I have blocked nothing less than 50+ such numbers so far this year—but the same tele-caller manages to get through using another line. On the day I was writing this piece, five of the 10 calls received were labelled junk or spam by the telecom service provider.
The invasion of privacy is now an epidemic, and there is little that the DPDP Act can do, since most of the personal data is already shared, and will remain in unsafe hands unless you change addresses and phone numbers regularly. Which is not feasible for most people.
Also read: Why India should sync up its data protection law with the EU’s GDPR
How they get your data
One has a gloomy view of privacy protection because the regulators have been lax on several fronts.
First, long before the Unique Identification Authority of India (UIDAI) told us to use masked Aadhaar numbers, millions of us had already given businesses and state agencies our full Aadhaar details, and these continue to remain with them. From state registrars to real estate agents, banks, insurance companies and telecom companies themselves, these details are already “privatised” and fully shared to our detriment.
Second, banks, especially profit-chasing private banks, are some of the worst defenders of privacy because they think they can share your personal details with their “relationship managers” or even ordinary employees who are incentivised to ask you to renew a maturing fixed deposit or to buy a mutual fund they happen to be selling. Since “relationship managers” tend to move from bank to bank, or even to other finance companies, they tend to carry your financial details with them—a clearly unwarranted and illegal activity.
Third, businesses that tend to operate as a “biradiri”, where customer information is shared even between competitors, are some of the most inimical to the idea of data privacy. I was horrified earlier this year when a real estate company where I had gone to enquire about a property asked for my phone number, which I gave since I wanted some information. Within two days, scores of realtors began calling me. No amount of blocking prevented more such callers from contacting me. The same with property search apps. In one case, even when I was looking into some information on the site, the website’s salesperson called me offering to help.
Fourth, WhatsApp and social media sites leak information like crazy. Even since WhatsApp opened itself up to business clients, information has been shared with many of their customers. And even though blocking them is easy, there is no end to such unwanted messaging.
Fifth, rogue countries like China, Pakistan and North Korea—not to speak of some of the non-rogue countries in central Asia—allow scamsters to operate from their soil for political and commercial reasons. Since none of them will stop this, the danger thus gets compounded. As for Uncle Sam, the less said the better. If Angela Merkel’s privacy cannot be respected by the US, will my data and yours be safe for the superpower’s agencies?
Sixth, the easy availability of artificial intelligence (AI) tools and software means that long before they bring productivity benefits to us, scamsters will use them to their advantage.
Also read: How safe is your private life? Your SIM can be cloned, phone number spoofed & WhatsApp hacked
Regulations and restrictions
This is a multi-front threat and it cannot be fought only by passing a law on personal data protection, which anyway is yet to kick in. While we need not be entirely dismissive of the DPDP Act’s future efficacy, there is no reason why India’s many regulators cannot do more since the data has already gone into the hands of entities regulated by them. They have the power to regulate and prevent access to unauthorised persons, DPDP Act or no DPDP Act.
For example, there is no reason why the Reserve Bank or the Insurance Regulatory and Development Authority of India, the income-tax department, the stock exchanges or SEBI cannot direct their regulated entities to take specific (and one-time) permissions from customers before giving data access to relationship managers or direct selling agents and employees. If credit card data can be tokenised, why can’t the data made available to these entities? Why can’t the Telecom Regulatory Authority of India or the state-level real estate regulators tell their regulated entities that they cannot store or share data without express (and one-time only) permission from customers? The permissions must be for limited purposes and automatically expire in a few days. These regulatory powers can easily be invoked even before the DPDP Act comes into effective force. The Union and state governments can on their own ask state entities and registrars to gather less data than they now collect, and destroy what is not required. Destruction of data that the customer specifically wants destroyed must be verifiable by third-party data fiduciaries. Private data access to high officials must be digitally tagged, so that leakages can be traced. This is the lesson we must learn from the Radia tape leaks.
And last, the government must simply mandate that all data of Indian citizens must be stored in India, and even if they are stored abroad, they must either bring it back or be legally forbidden from sharing it with any entity, including foreign governments. Since no foreign government is going to allow companies domiciled in their territories to block their courts from accessing this data for legal (or less than legal purposes), the only logical way to ensure this happens is by storing the data in India.
If we do all this and more, maybe, just maybe, privacy and data protection will not be a completely lost cause.
R Jagannathan is editorial director at Swarajya magazine. Views are personal.
(Edited by Theres Sudeep)