Data Protection & PrivacyNews

GoI was selling personal data, and it won’t even ask buyers to delete it

It’s a sale! By none other than your chosen government! They are selling personal data! Looking to buy some? Ah! You’re late. The party has just ended.

What Happened?

In March 2019, the Ministry of Road Transport and Highways (MRTH) issued a ‘Bulk Data Sharing Policy & Procedure’. Under this policy, MRTH laid down the procedure through which corporates, educational institutions, and law enforcement could buy data of driving licenses and vehicle registration certificates. A driving license typically includes name, date of birth, address, contact number, blood group, and a photograph. On the other hand, a vehicle registration certificate includes the vehicle number, mode of payment, AADHAR and PAN Card numbers, dealer’s name and financer’s name, etc. Till date, the VAHAN repository consists of 290,267,302 vehicles and SARATHI is a strong database of 15 crore driver’s licenses. 

As per an answer given to the Parliament, minister Nitin Gadkar divulged that in the last one year, the personal data of VAHAN (vehicle registration database) and SARATHI (driving licenses) databases was sold to 108 private entities apart from enforcement agencies and ministries. This includes Mercedes, Bajaj Allianz, Mercedes Benz India, Allahabad Bank, AU Financer India Ltd., Axis Bank, HDFC Bank Ltd., ICICI Lombard General insurance company ltd. and so on. Through the massive exercise of selling personal data including sensitive personal data, the government has minted Rs. 1,11,38,79,757 (Rs. 111 Crores). In Financial year 2019-20, the database was up for sale at a rate of Rs 3 Crore for companies, and Rs. 5 lakhs for educational institutions. Apart from this, the data was also shared with 66 Central and state government departments which includes Delhi Police, Commission of Transport, Commissioner of Geology and Mining, Gujrat, Indian Ports Association etc. 

It’s Not OK

The policy completely contravened the right to privacy, a fundamental right under the Indian constitution. Further, MRTH did never held any public consultation, let alone the consent of people whose data was sold for monetary gains. On June 26th 2020, MRTH scrapped this policy over privacy concerns. However, it refused to consider any action in regard to deletion of the sold data by private and public organisations. It basically means that these companies can continue to use that personal data and make personalized products for their customers. Also, these companies can conduct marketing research to know their consumers better and tweak their products as such. 

MRTH justified the need of the policy by saying that it is recognised that sharing this data for other purposes in a controlled manner, can support the transport and automobile industry….to benefit the economy of the country. It also added that the ministry cannot ensure the sanctity of the data which would be made available on “as-is-where-is-basis” due to the digital and analog divide of the available data. 

Now is the Time to Contemplate

The public exhibition and sale of personal and sensitive personal data is no curious case for the Government of India, and only adds more to the already tarnished history of opaque policies and misguided procedures. Moreover, this also indicates that the right to privacy of citizens is subservient to economic gains of corporates (even the foreign ones).  

The trend doesn’t seem to be stopping. The Personal Data Protection Bill, 2019, goes one step further and suggests that Central government of India holds power to direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign states, public order- a very wide scope which opens ways for exploitation of data. 

I would take my leave with a few questions for our readers. Is our data safe in the hands of the government? Why is the govt. not directing corporates and law enforcement to delete the data that it arbitrarily sold? If the govt. chooses to exempt itself from the implications of the data privacy law, why would it safeguard it anyway? Can we stop the govt. from accumulating our data? Isn’t it a very extraordinary state of affairs if the govt. doesn’t facilitate transparency and accountability in favour of the right to privacy of Indian citizens? Does our new Personal Data Protection Bill, 2019 haver any safeguard against misuse of power by the government? 

It’s about time we raise our voices.

Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.

You can also follow us on InstagramFacebookLinkedIn, and Twitter for frequent updates and news flashes about #technologylaw.

Adv. Bhagyashree Swami

Bhagyashree is a qualified advocate practicing in criminal/ cyber law and a certified CIPP/ E data protection professional. She has a great academic record with a LLM degree in Computer and Communication Laws from Queen Mary University of London. She also holds technical expertise in the area of digital forensics and investigation.

Share your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.