The rate at which we have been uploading the internet with our data has gone exponential so painlessly that it takes the shock of a massive online leak for us to sit up and wonder if we have exposed ourselves as sitting ducks for hackers. Last August, news broke of a data heist when Bengaluru-based Juspay, which processes digital payments for the likes of Amazon, Swiggy and MakeMyTrip, admitted a major database breach. This year, the efforts of online sleuths have revealed the extent of it. Credit and debit card transaction details of about 100 million Indians were found being hawked on the dark web, a stealthy part of the internet designed to stay off search-engine radars, and the details on sale suggest Juspay’s hacked servers as their source. Confidential card details of at least 20 million cardholders are reportedly up for grabs, putting them at risk of not just swipe fraud, but other financial swindles as well. As online payments rise, the dark web expands and hackers upgrade their skills, this menace is likely to multiply. Our data urgently needs protection by way of legislation as much as advanced security software systems.
It is no exaggeration that the success of India’s digital economy depends on popular perceptions of online data security. If people’s confidence in the ecosystem of e-transactions begins to fall, it would be a setback in a sphere that has won the country global admiration. There are other big threats that lurk online, too. Cyber terrorists, for example, could wreak havoc by breaking into computer systems that control weaponizable objects. While these worries are valid, we must resist the urge to rush a data-protection law through Parliament without wide and deep deliberations on what is the best way to fortify India online. Since data misuse is a global problem, and it is not only about egregious forms of theft, the steps taken by private companies and regulatory regimes elsewhere should be instructive. Apple Inc, for example, has sought to safeguard the privacy of its iPhone users from apps that track them online by putting explicit prior-consent protocols in place for data usage. Too many apps, after all, get us to casually sign our data rights away through the simple device of an ‘agree’ button. The EU, meanwhile, has formulated rules that aim to grant people legal control of their own data.
What approach should we take? Legislation on data was virtually ordained by a worthy 2017 Supreme Court ruling that held privacy to be a fundamental right. India’s Personal Data Protection Bill, introduced in the Lok Sabha in late 2019 and referred to a joint parliamentary panel, slots data into categories defined by sensitivity and proposes penalties for company executives found guilty of failing to secure sensitive data. This would push data handlers to double down on safety. While this focus on hackers and extreme events is welcome, the Bill in its current form lacks the underpinning of a clear principle. In proposing a central authority with excessive sway over entities that deal with data, it empowers the state over the individual. Unless judicial warrants are made mandatory for all data demands, organs of the state could use it for invasive ends. Instead of state pre-eminence, what should underpin our data law is the principle of personal data ownership. We should have the legal right to our own data. To use it, others must ask. If law enforcers want it, they should establish why.
Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.