Data Protection & PrivacyNews

MoRTH sold vehicle data even before the bulk data sharing policy: Report

In March 2019, the Ministry of Road Transport and Highways (MoRTH) issued a ‘Bulk Data Sharing Policy & Procedure’. Under this policy, MoRTH laid down the procedure through which corporates, educational institutions, and law enforcement could buy data of driving licenses and vehicle registration certificates. A driving license typically includes name, date of birth, address, contact number, blood group, and a photograph. On the other hand, a vehicle registration certificate includes the vehicle number, mode of payment, AADHAR and PAN Card numbers, dealer’s name and financer’s name, etc. Till date, the VAHAN repository consists of 290,267,302 vehicles and SARATHI is a strong database of 15 crore driver’s licenses. 

On June 26th 2020, MoRTH scrapped this policy over privacy concerns. However, it refused to consider any action in regard to deletion of the sold data by private and public organisations.

Fast Forward to February, 2021

Nitin Gadkari divulged to the Parliament that the VAHAN (vehicle registration database) and SARATHI (driving licenses) databases were sold to 108 private entities apart from enforcement agencies and ministries. This includes Mercedes, Bajaj Allianz, Mercedes Benz India, Allahabad Bank, AU Financer India Ltd., Axis Bank, HDFC Bank Ltd., ICICI Lombard General insurance company Ltd. and so on. Through the massive exercise of selling personal data including sensitive personal data, the government minted Rs. 1,11,38,79,757 (Rs. 111 Crores). In financial year 2019-20, the database was up for sale at a rate of Rs 3 Crore for companies, and Rs. 5 lakhs for educational institutions. Apart from this, the data was also shared with 66 Central and state government departments which includes Delhi Police, Commission of Transport, Commissioner of Geology and Mining, Gujrat, Indian Ports Association etc.

But..wait a second, read the headline once again?

Yup. That’s the entire point. An investigative report published by The Wire finds that the Union government sold a copy of both the databases to a private Indian company even before it drafted a policy.

Fast Lane Automotive Pvt. Ltd. (Fast Lane), a Delhi based automotive technology firm, proposed to buy the vehicle registration database from the government.  The company was already a part of a similar deal with the UK government.

The CEO of Fast Lane, interacting with The Wire said that “All sophisticated stakeholders in the automotive industry need such ‘anonymised’ vehicular data to have measurement metrics for their production, dealer management, distribution and supply chains so as to make informed, scientific and data-backed decisions, business plans and strategies.”

The government decided to sell the entire database for a price of Rs. 1 crore / year (BDSP set it at 3 crores/ year). However, we must note that there was neither any policy set out for such a sale, nor any official tender or bidding process. Nevertheless, the report maintains, based on documents accessed through RTI, that the same terms would be offered to other interested parties.

The report goes on to show what is totally botched up decision making and ignored security and privacy concerns. Neither was there any rational basis for setting the price at Rs. 1 crore, nor was there any policy incentive for the government to enter into such a deal, risking the security of sensitive data, and privacy of its citizens.

Overlooked security concerns

On June 20, 2014, MoRTH requested the Ministry of Law and Justice to approve a tripartite agreement between itself, Fast Lane, and the National Informatics Centre (NIC). Why NIC? Because it was to ensure secure transfer of data to Fast Lane.

However, NIC raised security and privacy issues and delayed signing of the contract. Not amused by NICs disapprovals, Fast Lane suggested that MoRTH was the owner of the data and NIC was a mere intermediary. And the Ministry concurred with this view. In September, 2014, MoRTH signed a contract with Fast Lane. It later asked NIC to sign the contract and start supplying data to Fast Lane, for it had already deposited the payment in the State Bank of India.

Bypassed Pricing Consultations

MoRTH was in such a hurry to sign the deal that it did not even forward the proposal to its Integrated Finance Division (IFD) for consultation on the contract, and pricing. Officials who reviewed the contract were left to themselves to find out the rationale for fixing the price at Rs. 1 crore/ year. As it turns out however, as per the documents, that MoRTH copy pasted Fast Lane’s sample contract with the UK’s department of transport, which had fixed the price at £ 96,000 plus VAT. It’s a complete coincidence that it translates to roughly Rs. 1 crore! What’s not a coincidence is that the Indian auto sector is at least 155 million larger than the UK, the report finds.

A note by Joint Secretary (Transport), Abhay Damle, dated March 23, 2016, says that the IFD was not consulted for fixing rate. ‘No substantial benefit seems to have accrued to MoRTH for Vahan/ Sarathi data as no reports have been shared by the customer’. And ‘the contract needs to be redrafted to balance it as in the present draft, it is heavily in favour of the customer.’

Later, when the Ministry turned to IFD a year after the deal, to advice on granting a ‘grace period’ (more on that below), the IFD expressed its concerns: “It is presumed that since policy has already been framed, various issues like right to privacy and misuse of data, possibility of floating query/tender in the market for sharing of data in order to appreciate better price have been considered and got approved by competent authority.”

Speaking of favour to the customer..

This policy adventure allowed Fast Lane to bundle databases. The company combined the purchased data with information collected from many additional data sets. It developed a business model offering technological solutions based on these data sets. It served domestic as well as foreign buyers (ahemm!) and within a year of accessing the data, it’s turnover multiplied by 163 times from Rs. 2.25 lakh in 2014-15 to Rs. 3.70 crore in 2015-16.

‘Grace Period’

The contract had a grace period which allowed Fast Lane to access data at no extra cost. Like everything else, this the officials red flagged this too. Fast Lane wrote to MoRTH and requested a seven-month grace period, as it could not access the data of one out of 28 states. NIC officials housed in the MoRTH were against granting the grace period as they were unable to supply the data because of Andhra Pradesh’s bifurcation. They termed it as an ‘unforeseen circumstance’. But Fast Lane persisted that it could not leverage data for commercial use because of gaps in data, and the Ministry overruled its officials. It granted Fast Lane a grace period till 30.11.2015, around 70 more days than what the contract would have allowed.

The fear comes true

What the NIC and MoRTH officials had been red flagging for so long, came true. The report reveals that MoRTH directed NIC to cut off the data supply to Fast Lane over ‘security issues and data leakage possibilities’. Fast Lane had perhaps entered a deal with a German company and shared a sample of the data with it. The ‘heavily in favour of the customer’ contract did not stop it from entering such a transaction. However, the deal fell through and the German company refused to delete the data. Fast Lane informed MoRTH about the issue, and in February, 2016, MoRTH asked NIC to cut off the data supply. A couple of years later, in May 2018, the officials decided to terminate the contract with Fast Lane.

But all of this did not stop MoRTH to come up, yet again, with another brilliant idea! Only a few months later, in January 2019, the it decided to invite other buyers. In March, 2019, it launched the Bulk Data Sharing Policy.

By the way, do you still remember that the government has refused to ask entities such as Fast Lane to delete the shared information? The policy is gone; the data is still very much with them.

Do subscribe to our Telegram channel for more resources and discussions on technology law and news. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.

You can also follow us on InstagramFacebookLinkedIn, and Twitter for frequent updates and news flashes about #technologylaw.

Rohit Ranjan Praveer

Rohit is a practicing advocate at Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit pass on valuable information to the masses, with a zeal to build something that outlasts him.​

Share your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.