Why Is the Government Selling Citizens’ Data to Private Entities? Are Our Taxes Not Enough?
The Digital Personal Data Protection Act has done nothing to stop the harassment of new business owners. The RBI watches in silence as the banks it regulates feed off a stream of data the State itself is leaking. TRAI's Do Not Disturb registry is, in practice, a fiction. And the taxpayer who funded all of this gets a phone that will not stop ringing.

There is a question that every Indian who has registered a new company, opened a demat account, applied for a PAN, filed an income tax return, enrolled for Aadhaar, or done any of the dozens of other mandatory interactions the State demands of him in his economic life is now entitled to ask out loud.
Why is the personal data I was forced to hand over to the government — under threat of penalty, under cover of statutory compulsion, under the assurance of digital trust — turning up the next morning in the hands of private banks, marketing firms, compliance vendors, rubber-stamp makers and door-to-door salesmen?
Are the taxes I paid to build, run, and secure that infrastructure not sufficient? Does the State require, in addition to my income tax, my GST, my professional tax, my property tax, my road tax, my cess upon cess, the supplementary income of trading away my Aadhaar copy and my mobile number to whichever private bank is willing to pay for it?
This is not a hypothetical grievance. It is the documented experience of every entrepreneur who has incorporated a company or a Limited Liability Partnership in India in the recent past. And it is the clearest available indictment of a regulatory architecture that, after a decade of articulation about privacy, the Digital Personal Data Protection Act of 2023, and ringing speeches about Digital India, has produced a result indistinguishable from the State quietly running a side-business in citizen data.
The transaction the State pretends is not happening
The pattern is, by now, monotonous. A founder completes his incorporation filings on the Ministry of Corporate Affairs (MCA) V3 portal. He uploads scanned copies of his PAN card. He uploads scanned copies of his Aadhaar. He provides his personal mobile number — the only one he has, because the form will not accept the absence of one. He hits submit.
Within hours, sometimes within minutes, his phone is ringing.
Kotak Mahindra Bank wants to open a current account for the newly minted entity. HDFC Bank wants the same. ICICI Bank, IDFC First Bank, Federal Bank, Axis Bank, IndusInd Bank, South Indian Bank, Deutsche Bank — the same tight roster, the same script, the same speed. None of these institutions has any prior relationship with the founder. All of them know his name, his email, his mobile, and increasingly often, his uploaded PAN and Aadhaar. In one documented instance, a bank employee arrived in person at the founder’s home the morning after registration with the founder’s KYC documents visibly displayed on his mobile phone.
The official confirmation from the MCA — the certificate of incorporation — arrives one or two days after the spam tsunami has begun. When the Moneylife financial publication investigated this in detail and published its findings, the giveaway was a bank marketer’s casual admission: “We receive this information from the back-end.”
When the World Cyber Security Forum filed a Right to Information application with the Ministry of Corporate Affairs asking whether the Ministry shared corporate registration data with banks and other institutions, the Ministry replied that it publishes some data publicly — through a Monthly Information Bulletin and through the MCA Master Data Service. On examination, the Bulletin turned out to be a statistical e-magazine containing no personal data, and the Master Data Service was found to contain director names and director email addresses, but explicitly not director phone numbers.
And yet every harassed founder is being called on the very mobile number he entered into the e-forms.
This is not a debatable inference. It is arithmetic. If the data is not in the public channels the Ministry officially admits to maintaining, but is reliably appearing in the hands of private banks within hours of submission, then it is leaving the system through a channel the Ministry has not disclosed. Whether that channel is a corrupt insider, a vendor employee, a customer-support contractor, or a deliberate back-door, the practical result is the same: the State’s data infrastructure is functioning, today, as a wholesale supplier to a retail market in personal information.
Selling, stealing, leaking: the semantic argument that does not matter to the citizen
Senior officials at the MCA, when confronted with this evidence, have reportedly initiated an “internal investigation” and characterised the loss of data as theft rather than authorised sale. The distinction is meant to be exculpatory. We did not sell it; someone took it. The Moneylife column took care to use the word “steal” for the same reason — to acknowledge that no formal Ministry sanction permits the release of this data.
For the citizen on the receiving end, the distinction is academic and the consolation is hollow. The State operates the only system in which his data exists in the form it is being misused. The State designed the inputs that mandate the data’s surrender. The State selected and procured the vendors. The State drafted the contracts. The State established — or failed to establish — the access controls. The State conducted — or failed to conduct — the audits. The State has been on notice of the leakage pattern for years.
When an institution which controls every variable of a system insists that it cannot stop a recurring failure within that system, the citizen is entitled to draw one of two conclusions. Either the institution is incompetent at the scale of the failure, in which case it has no business operating the system at all. Or the institution is being compensated, in some form, by the perpetuation of the failure, in which case it is — in substance if not in legal form — a participant in the transaction.
There is no third explanation that does not insult the intelligence of the person whose phone is ringing.
The Moneylife column observed, correctly, that “there is a fat pipeline stealing all your personal and corporate data, directly from MCA and it is being retailed to hundreds of business entities who see you as their target customer.” Whether the cash from that retail trade flows back into the Ministry, into a contractor, into an individual official’s pocket, or merely into the operational margins of the private banks at the receiving end, is a matter for an investigation that the Ministry, on the public record, is not pursuing with any visible vigour. What is not in dispute is that the pipeline exists, that it is profitable to someone, and that the taxpayer who funded the upstream end is paying twice — once to build the pipe, and again in the form of the privacy he loses when it leaks.
The DPDP Act, on paper and in practice
The Digital Personal Data Protection Act, 2023 was sold to the country as the answer to precisely this kind of harm. It is, on paper, the strongest privacy statute India has ever had. It establishes the concept of a Data Fiduciary, imposes consent and purpose-limitation obligations, requires lawful basis for processing, creates the Data Protection Board to adjudicate violations, and carries penalties of up to ₹250 crore per category of failure. Every one of those provisions, read against the MCA pipeline, is on its face implicated.
A private bank that calls a founder within hours of his incorporation, armed with his personal mobile number, his PAN, and in some cases his Aadhaar, has no lawful basis under the Act to process that data. It has not obtained the founder’s consent. It cannot rely on any of the limited statutory exemptions. It has failed the purpose-limitation principle because the data was provided to the State for incorporation, not for marketing acquisition by an unrelated commercial entity. Each of these is, in the language of the Act, an actionable failure that ought to draw, at minimum, an enquiry and a penalty proceeding before the Data Protection Board.
There has been no such proceeding against any of the named banks. There has been no such proceeding, full stop, of any visible significance, against any major regulated entity in connection with this pipeline.
What there has been, instead, is the parallel — and revealing — use of the DPDP Act’s framing to argue for restrictions on the Right to Information Act. The Act’s interaction with RTI, particularly its amendment of Section 8(1)(j) of the RTI Act, has been the subject of legitimate concern from civil society. RTI activists, who have for two decades been the country’s most effective extractors of accountability from government, have noted with alarm that the Act’s expanded definition of personal information and the removal of the public-interest override threaten to shield government officials from disclosure of their own conduct in office.
This is the inversion that should give every taxpayer pause. The DPDP Act has not yet stopped a single major private bank from harassing a single founder with leaked Aadhaar data. But its provisions are, in the same breath, being read in a way that could make it harder for a citizen to find out which government official authorised which vendor contract, which officer signed off on which access permission, which contractor was paid how much to maintain the pipe that is now leaking. A privacy law that protects the powerful from scrutiny while failing to protect the powerless from harvest is not a privacy law. It is an asymmetry.
The Data Protection Board, the institution that is supposed to make the Act bite, has had its operational rules issued in late 2025 and is, as of writing, in early formation. Its first significant adjudications against named private banks have not been delivered. Its independence from the executive — a matter of structural design, since Board members are appointed by and removable by the Central Government — has been criticised by the same civil society voices that warned about the RTI interaction. Until the Board demonstrates, with named respondents and substantial penalties, that the Act applies to the entities that are visibly violating it, the headline ₹250-crore figure is a number on a page.
The Reserve Bank’s seven monkeys
The Reserve Bank of India is the regulator of the banks that are at the visible end of this racket. Its Master Direction on Know Your Customer, 2016, as periodically amended, requires regulated entities to conduct due diligence on every third-party vendor and lead-generation partner. Its Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services impose on banks an explicit obligation to ensure that data they ingest for customer acquisition was lawfully obtained. Its broader supervisory framework requires banks to maintain audit trails, train their direct selling agents, and ensure that customer-facing personnel do not violate privacy law in the course of working for the bank.
Every one of these obligations is, today, being violated by the banks that show up at a founder’s doorstep with his Aadhaar on a mobile phone. The bank ingested data it cannot demonstrate was lawfully sourced. The bank dispatched a representative who carried sensitive personal documents he had no lawful entitlement to hold. The bank’s name appears on call after call, complaint after complaint, founder after founder. The pattern is not hidden. It is reported on social media every week. It has been documented by financial journalism for years.
The Reserve Bank’s response to this has been silence.
There has been no public direction issued to regulated entities specifically prohibiting the use of marketing leads derived from non-public government data. There has been no supervisory action against a named private bank specifically tied to the MCA pipeline. There has been no inclusion, within the Banking Ombudsman framework, of a meaningful complaint category for “a bank with which I have no relationship has my personal data and is harassing me with it.” The Banking Ombudsman scheme continues to treat marketing complaints, where it acknowledges them at all, as account-holder grievances against one’s own bank — a category that does not capture the actual harm, because the actual harm is being inflicted by banks with which the citizen has no banking relationship.
A regulator who cannot see what every citizen with a phone can see, who cannot hear what every founder on every social platform is saying, who cannot read what national financial publications have documented for years, is not a regulator who is failing to notice. He is a regulator who has decided not to act. Whether that decision is the product of capture, of inertia, of institutional cowardice, or of a quiet calculation that the cost of action exceeds the cost of inaction, is a matter on which the Reserve Bank owes the country an explanation. None has been forthcoming.
TRAI’s Do Not Disturb fiction
The Telecom Regulatory Authority of India introduced its Do Not Disturb framework with considerable fanfare more than a decade ago. The Telecom Commercial Communications Customer Preference Regulations, 2018 — the current iteration — were sold as a comprehensive solution to the unsolicited commercial communications problem.
In practice, the framework has been outflanked in every direction.
The DND registry covers calls and SMS from registered telemarketers. The banks at the receiving end of the MCA pipeline do not, in many cases, place calls themselves. They contract with Direct Selling Agents, lead-generation partners, marketing aggregators, and a long tail of unregistered intermediaries who place the call from ordinary 10-digit mobile numbers. Those numbers are not flagged by the DND filters. The complaint mechanism cannot identify the call as commercial. The penalty, when it is occasionally imposed, falls on an intermediary that disappears and reconstitutes under a new name the following week. The bank, the actual beneficiary of the call, is at no point in the loop on which TRAI’s enforcement falls.
The result is that founders who have dutifully registered on the DND list, who have ticked every box, who have changed nothing in their behaviour except to trust the State’s promise that they would be protected from unwanted commercial calls, continue to receive — within hours of incorporation — twenty, thirty, fifty calls in a single morning from banks and compliance vendors who have evidently never heard of TRAI.
This is not a TRAI implementation failure that better software will fix. It is a structural failure. The regulator regulates the messenger; the actual beneficiary, the bank or compliance firm, sits outside the regulator’s perimeter. Until the framework places liability on the commercial principal that benefits from the call — until a bank that uses an unregistered DSA to call a DND-listed founder is itself penalised — the DND list will remain what it currently is: a piece of theatre, performed for the benefit of a citizen who is being mocked even as he believes he is being protected.
The political economy of looking the other way
Why does none of this get fixed? The answer, when examined, is depressingly mechanical.
The MCA’s infrastructure is built and maintained by vendors who are awarded contracts under procurement rules that prioritise lowest cost over data-handling rigour. The contracts that govern access to filing data are not in the public domain. The audit logs of who accessed what registrant data and at what time, if they exist at all, are not subject to citizen scrutiny. Vendor employees turn over rapidly, with limited continuity of personnel-level accountability. The financial penalty for a vendor that leaks data, if a leak is even attributed, is a fraction of the commercial value of the data itself. The incentive structure favours leakage.
The banks that purchase the data face no enforcement consequences worth speaking of. The Reserve Bank does not name them in supervisory action. The Data Protection Board has not penalised them. The Banking Ombudsman does not categorise the complaint correctly. The customer harassed by the call has no meaningful private remedy because the damages — in any individual case — are too small to litigate. The incentive structure favours purchase.
The compliance services firms that piggyback on the same data face even less scrutiny. There is no central regulator for the cottage industry of “startup support” vendors who blanket new founders with offers. The DPDP Act applies in principle but enforcement against thousands of small actors is operationally infeasible. The incentive structure favours proliferation.
The State, at the centre of all this, has no internal champion for fixing it. The Ministry of Corporate Affairs is investigating, quietly, with no public timeline. The Ministry of Electronics and Information Technology, which administers both the IT Act and the DPDP Act, has not made the MCA pipeline a publicly stated enforcement priority. The Department of Financial Services, which has policy oversight of the public sector banks, has been silent on the private sector banks’ behaviour. The PMO has not made privacy a campaign theme. The Opposition has not made it a parliamentary one. The press, with honourable exceptions, has not made it a national story.
In this environment, the question of whether the government is literally selling citizen data is, to repeat, beside the point. The government does not need to be selling it. The government merely needs to not stop other people from selling it, and to ensure that the regulatory architecture that would otherwise have stopped them is either captured, inert, or unbuilt. That second condition — the absence of effective enforcement — is the policy lever the government actually controls. Every year that the lever is not pulled is a year in which the market in citizen data continues to clear, and a year in which the participants in that market — directly or indirectly, formally or informally — accumulate more reason to ensure the lever is not pulled next year either.
This is the political economy that the harassed founder is up against. It is not a conspiracy. It is something simpler and harder to dislodge: a stable equilibrium.
What the taxpayer is entitled to demand
A privacy regime that means anything would, at minimum, contain the following five elements. None of them is present today.
It would require the Ministry of Corporate Affairs to publish, with full audit trails, the list of vendors and contractors with access to registrant data, the access controls in force, the audit logs of who accessed what and when, and the corrective steps taken in every instance of suspected leakage. The current regime, in which the Ministry conducts “internal investigations” whose findings are never published, is a regime of unaccountable opacity.
It would require the Reserve Bank of India to issue, in the form of a binding direction to all regulated entities, a prohibition on the ingestion of marketing leads derived from non-public government data, with a specific carve-out for verifiable customer consent. Banks would be required, on demand, to demonstrate the lawful source of every marketing lead. Failures would be subject to graduated supervisory action, beginning with named censure and escalating to penalty. The current regime, in which banks face no consequence for ingesting data they cannot lawfully justify holding, is a regime of regulatory absenteeism.
It would require the Data Protection Board, in its first year of substantive operation, to take up at least one named-bank proceeding under the DPDP Act in connection with the MCA pipeline, to issue a substantial penalty, and to publish the order. A privacy law that does not produce a single named adjudication against a major regulated entity in its first year of operation is a privacy law that is teaching every potential violator that nothing will happen to them.
It would require the Telecom Regulatory Authority of India to shift the locus of TCCCPR liability from the telemarketing intermediary to the commercial principal who benefits from the call. The bank that contracts the DSA must, under such a regime, be jointly and severally liable for the DSA’s compliance failures. The current regime, in which the bank can hide behind a disposable intermediary, is a regime of designed circumvention.
It would require, at the foundational level, an amendment to the DPDP Act to restore the public-interest override in the RTI interaction, to introduce meaningful structural independence for the Data Protection Board, and to ensure that the Act is read as a tool to discipline the powerful rather than to shield them. A privacy law that is in practice used to restrict citizen access to information about government conduct, while in parallel failing to discipline corporate misuse of citizen data, is a privacy law operating in the wrong direction.
None of these five elements is technically difficult. None of them is constitutionally controversial. None of them is opposed by any organised constituency outside of the regulated entities who profit from the current arrangement. That none of them has been implemented is the clearest available statement of where the government’s actual priorities lie.
The taxpayer’s bottom line
The citizen who pays his taxes, who fills out his forms, who hands over his data when the State demands it, who registers on the DND list when he is told that will help, who reads about the DPDP Act and assumes it must mean something, is entitled to the following accounting.
He paid for the construction of the MCA portal. He paid for the salaries of the officials who operate it. He paid for the contracts of the vendors who maintain it. He paid for the licence fees of the software that runs it. He paid for the Reserve Bank of India, the Telecom Regulatory Authority of India, the Ministry of Electronics and Information Technology, the Ministry of Corporate Affairs, the Data Protection Board, the Department of Financial Services, the Banking Ombudsman, and every other body that is supposed to ensure that his data, once handed over, is protected. He paid, in other words, for the entire architecture that has comprehensively failed him.
In return, his personal mobile number, his email, his PAN, and in many cases his Aadhaar are now in the hands of private banks he has never approached, compliance vendors he has never engaged, marketing firms he has never heard of, and a long tail of doorstep callers he never invited. The State that took his data has not protected it. The regulator that was meant to police the recipients has not policed them. The privacy statute that was meant to deter the misuse has not deterred it. The do-not-call list that was meant to filter the calls has not filtered them.
It is not unreasonable, in such circumstances, for the citizen to ask whether his taxes are not enough. Whether, in addition to everything he has already paid, the State requires the supplementary income — direct or indirect, in cash or in kind, formally or informally — of trading him to whoever will offer the most for him. And whether, when the State proves so completely incapable of preventing that trade through years of warnings, complaints, exposés, and unanswered RTI applications, the more honest description of the State’s posture is not failure but consent.
The Digital Personal Data Protection Act of 2023, in this light, is not a privacy statute. It is a piece of theatre, performed for the benefit of an electorate that has been told there is a law, while the law is in practice neutralised against the entities it should have disciplined and turned, where it can be turned, against the activists who would otherwise have held the State accountable. The Reserve Bank of India, in this light, is not a regulator of the banks. It is, on the evidence of its silence, a regulator that has decided that the banks’ commercial convenience outweighs the citizen’s right not to be hunted. The Ministry of Corporate Affairs, in this light, is not the custodian of its registrants’ data. It is, at best, a custodian who has lost the keys and refuses to change the locks; at worst, a custodian who has noticed that there is money in leaving the door open.
For the entrepreneur whose phone began ringing the morning after he submitted his incorporation papers, the polite term for what has been done to him is regulatory failure. The honest term is something stronger. And the question he is entitled to put, on behalf of every Indian who has ever filled out a government form, is the one with which this article began.
Why is the government selling citizens’ data to private entities? Are our taxes really not enough?
This article draws on the published reporting of Moneylife on the MCA data pipeline, the Right to Information reply obtained by the World Cyber Security Forum from the Ministry of Corporate Affairs, the lived accounts of founders harassed within hours of incorporation, and the regulatory framework comprising the Information Technology Act 2000, the Aadhaar Act 2016, the Digital Personal Data Protection Act 2023, the Telecom Commercial Communications Customer Preference Regulations 2018, the RBI Master Direction on KYC 2016, and the RBI Directions on Outsourcing of Financial Services.