The Mumbai Police Crime Branch (Unit VI) has detained a temporary employee of the Department of Telecommunications (DoT) who is accused of selling sensitive personal information of mobile customers throughout the nation for as much as Rs 50,000. The suspect, Sujit Nangre, 27, is suspected of giving mobile service providers' data to Sandeep Palande, a senior Airtel employee. Eventually, loan collection companies received this information and used it to call clients and demand that they repay the debt.
The arrest of two brothers, Rahul Eligati, 28, and Nikhil Eligati, 25, in the final week of November blew the lid off the scheme. The brothers had developed websites that offered personal information of people in Delhi, Gujarat, and Maharashtra. This information contained a person’s address, date of birth, Aadhaar card number, and family members’ cellphone numbers. It was mostly offered to loan recovery agencies for Rs 2000 per month, Rs 12000 for a half-year, or Rs 24000 for a year.
In addition to the two brothers, the police also detained four other persons during the inquiry, one of whom was a Telangana resident. Sandeep Palande, the sixth individual detained, was an Airtel manager in charge of complying with DoT, according to a Crime Branch officer.
All mobile service providers are required by DoT regulations to update all new and cancelled connections with DoT during the first ten days of each month. “In addition to the numbers activated, the service providers also need to supply the paperwork supplied by consumers, which may include their Aadhaar, backup number, address, birthdate, and other information.” According to the officer, the DoT receives this material on a CD, which it subsequently saves in its database.
Sujit Nangre, a temporary employee in Pune who, according to the police, makes roughly Rs 25000 per month, was in charge of this. An officer said Palande was acquainted with Nangre since the latter was in charge of data compliance for Airtel. “Palande was aware of the need for personal information about individuals from debt recovery companies. He was aware that Nangre had access to all service providers’ data.” According to the officer, he bought data on almost four occasions for less than Rs. 50,000 and sold it for between Rs. 7 and Rs. 8 lakh. The officer said, “We don’t believe Nangre was aware of what would be done with this.”
Before reaching the two brothers, this information travelled from Palande to one Ishtiaq and the other accused. The brothers exploited this data as well as other data, such as internet phone directories, much like certain loan recovery companies. They then had software created that would group people who shared an address, and they had a database of every member of the family, along with their addresses and other information, which was used to find people and collect loan amounts.
According to an officer, they would be getting in touch with DoT and Airtel staff to find out more about their security procedures. Giving such sensitive information about residents to a temporary employee in this situation was not a wise decision. The official also stated that they will discuss Airtel’s security protocols with them. This is important information that cyber criminals and other unsavoury persons may use for harm. The officer stated that such a wealth of data may be damaging in the wrong hands.
What is Sensitive Personal Data?
If not gathered, kept, processed, transferred, or destroyed sensitively and carefully, sensitive personal data might have an adverse effect on an individual’s right to privacy. According to the Act, one of the reasons behind the careful handling of such data is the extent of the harm that could be done to a data principal if the safety or privacy of such data is compromised due to any sort of misappropriation or mistake during the entire course of the fulfillment of the purpose it was collected for. The “expectation” of the data principal that the authority processing the information would keep it secret, as well as the effects of processing some data in a given way, are further factors.
A large collection of information on an individual is categorically interpreted by the Act as “sensitive.” The list consists of: financial data, official identifier and biometric data; genetic, health or biological data; information pertaining to sexual orientation or gender status (primarily intersex or transgender status); information pertaining to caste/class/tribe; information pertaining to sex life; and, finally, information pertaining to political or religious beliefs and affiliations.
Current country laws protecting sensitive personal data
The Information Technology Act of 2000 and the revisions that followed it are now in charge of regulating all data in the nation and the practises associated with the processing of personal data. The IT Act’s provisions blatantly fall short of the necessary level of security that personal data requires and deserves. The Department of Information Technology under MeitY introduced a further amendment to this legislation in 2011 known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (hereafter referred to as the IT Rules, 2011).
The concepts of “Sensitive Personal Data” in the proposed Personal Data Protection Act and in the IT Rules, 2011, are very similar. The Rules cover almost all categories of data covered by the PDPA’s definition of “sensitive personal data,” in addition to listing passwords separately and including information given to body corporates for processing in accordance with legal agreements or for the provision of services by such bodies.
The criteria for the collecting and processing of personal data by body corporates are also outlined in the IT Rules, 2011. They outline consent, obligations of data fiduciaries towards data principals, requirements for data collection, review, and correction, constraints on data retention, and reliefs for corporate bodies for the transfer of such data to other persons or organisations, domestically or abroad.
The current rules governing your sensitive personal data give body corporates the freedom to transfer sensitive personal data to another body corporate or an individual, inside or outside of the country, with the data principal’s consent, if it can be proven that the recipient offers an adequate and comparable level of protection to what the original data fiduciary ensures.
Transfer of Sensitive Personal Data
Data flows are consumed, utilized in a myriad of ways, and essential to the existence of information technology in modern society. Service providers, IT teams, and other regulators began sending the data that the company collected to locations outside the country as internet companies and services began to take off all over the world. In a country like India, these transfers, also known as cross-border transfers, occurred freely until very recently without any formal regulations being set by the government or any other authority of India.
The foundations for the limitations on the transfer of personal data to other nations and other entities, not previously stated in data processing agreements, were put forth by the IT Rules, 2011, which came into effect in 2012. In order to provide proper protection, it was stated that body corporates obtaining personal data might only transfer such data to another body corporate or nation if that country or entity provided the same degree of protection as the body corporate itself.
The Rules further provide that the only circumstances under which such a transfer may be carried out are when it is necessary to carry out a legal transaction, when it is done for a legal reason, or when the informed permission of the data principal has been obtained.
The Personal Data Protection Bill of 2019’s Section 34 broadly addresses the transfer of sensitive and important data. The term “transfer” of personal data as used in the IT Rules of 2011 has been greatly refined. The definition and scope of the transfer of personal data, the codes of conduct to be followed during such a transfer, the rights of the data subject, the exemptions of certain data processors, and finally the penalties associated with it are all covered in great detail in section 34 of this Act, along with other sections.
Section 57 of the PDP Bill poses a serious threat to unauthorized and illegal transfers under the terms of this bill. The section outlines the penalty for transmitting data outside of India in breach of Sections 33 and 34 of the Act. The maximum fine is 15 crores or 4% of the company’s global gross revenue, whichever is larger.
Heavy fines for these violations, if properly implemented, which means the reporting, assessment, and accurate identification of illegal transfers, can prove to be a very effective deterrent to unauthorised transfers outside the country and can result in the appointment of internal auditors and data protection officers who can monitor such transfers and authorizations.
Defend your rights to privacy and sensitive personal data (as a Fundamental Right)
The Srikrishna Committee, which created the 2019 Personal Data Protection Bill, was appointed due to the lack of a clear legislation managing personal data in the nation. The parliament is presently reviewing this measure, which has not yet been passed and is not yet an Act.
The famed Information Technology Act, 2000 and its guidelines have been, and remain, in charge of protecting the information and personal data of the nation’s residents. The IT Act of 2000 contains parts and regulations that grant citizens the right to protect their privacy and sensitive and general personal data.
Section 43A of the IT Act, 2000 is the main component of the Act that protects sensitive and personal data in the nation. The section established the rights of data principals in the nation against body corporates and everything that these data controllers could do with their data. The IT Rules, 2011, which focused primarily on a small number of scenarios of processing, transfer, privacy, and protection of the personal data of data principals gathered by body corporates, were made public as a more detailed and targeted version of this section.
The rules established rights to information disclosure by data fiduciaries for fact-checking purposes, rights to information disclosure about the intended use of the information, recipients, and locations where the information will be processed, and rights to informed and unambiguous consent to such processing, transfer, third-party processing, or simply collection.
The penalties for violating a valid contract safeguarding such personal information are outlined in Section 72A of the IT Act, 2000. According to the clause, disclosing such information to an unauthorized third party or to the general public constitutes a violation of a valid contract and is punishable by a fine of up to Rs. 5 lakh or a jail sentence of up to 3 years, or both. Without a constitutional declaration of such rights, the rights established by the IT Act’s provisions are weak. None of the aforementioned clauses could provide the essential safeguards of a citizen’s privacy and data if the right to privacy is not guaranteed in a given nation.
Justice K.S. Puttaswamy (Retd.) v. The Union of India was the case that made the Right to Privacy a Fundamental Right under the Indian Constitution. The lawsuit involved a challenge to the constitutionality of the Aadhaar Scheme’s newly implemented provisions. Thus, this lawsuit argued that the right to privacy is a basic right together with the right to informational privacy.
The right to privacy was declared a fundamental right under Article 21 of the Constitution on August 24, 2017, together with the rights to life and personal liberty. Additionally, it gave the Parliament the authority to develop rules governing information and data privacy in the nation while also noting the pressing need for such regulations.
Sensitive personal information is information that is precious to an individual’s privacy, such as biometrics (as in the situation cited above), financial information, information about a person’s sexual orientation or political membership, and several other sorts of personal information. Any privacy breach, leak, or unauthorised access to this data poses a substantial risk to the safety, right to life, and personal liberty of the individual concerned.
Sensitive Personal Data is now in a protected position as a law is specifically designed to safeguard it as a result of the inclusion and conclusion of the Right to Informational Privacy within the scope of a Fundamental Right. The Srikrishna Committee was established in July 2017 and delivered its first report in 2018, followed by its 2019 report, which is now being discussed in the Parliament.
Edited and proofread by Nikita Sharma