COWIN- Alleged Breach & Concerns About Enforcement Of Data Privacy

Some newspapers have reported that there has been a compromise of the Co-Win database. In line with its past behavior, the Government was quick to deny that the database was breached.

While the government’s statement may sound like an outright denial, but it is limited to the breach of the Co-Win portal and does not deny a compromise of data through other means. The PIB release itself points out the following ways in which the data could have been breached:

• The Telegram bot was giving out information breached earlier as suggested by the Minister of State in his Twitter post. This begs the question on if there was a previous breach which went unreported.
• Authorized users could access the database based on OTPs. It is possible that the breach could have happened after the authorized user accessed such data.
• Third-party apps have API-based access to this data, again based on beneficiary OTP. They could have gained access to the data through some vulnerabilities.

Mixing up National Cyber Security with Privacy

Deny first and then investigate has been the government’s modus operandi for all the previous instances of breach. For instance, there are no proven instances where the Aadhaar database has been breached. We need to be cognizant of the fact that for any data breach to occur, the core database need not be breached. The vulnerabilities in any seeder database could also end up compromising the data. If one was to believe the government, one can reasonably assume that the CIDR of UIDAI had never been breached. If true, it is a  testament to our national cyber resilience strategy and security.

However, it is irrelevant from the perspective of an individual’s rights on whether the compromise happened from a government database or a seeder database of another department or state government. Regardless, an individual runs the risk of social engineering and other risks regardless of where the breach happened.

Investigation while in denial

Would an investigation while in denial lead to reliable findings? Would an investigation focused on cyber/national security away from the pubic gaze lead to finding gaps with respect to the protection of individual privacy? It is unlikely, so we must divorce cyber security from data protection. The government must probe the cyber security issues using its might but should also empower its citizens with a right to enforce their rights. This will build accountability within government and amongst private actors dealing with personal data of Indians.

About Enforcement

This begs the question, what is the right of citizens if our data has been compromised? Mind you, whether you are vaccinated or not is a piece of sensitive personal information. Most countries have laws which protect the information as sensitive, and such a breach would entitle them to get remedies from the data protection authority. But not in India.

• The current Information Technology Rules only apply to body corporate and not to the government.
• The Digital Personal Data Protection (DPDP Bill) allows the government to exempt itself from the applicability of this bill.
• The complaint mechanism for Data Principals under the DPDP Bill is reduced to a grievance redrill mechanism. Data principals can’t sue for compensation under the DPDP Bill.
• The DPDP Bill only provides for penalties for non-consequences, which means that errant government departments can act with impunity since there are no real consequences for violating privacy.

A private complaint mechanism empowers citizens to come with their resources without entirely relying on the state's resources. It will improve the accountability of entities processing personal data.

The government needs to take data seriously.

Puttuswamy judgement unequivocally established privacy as a fundamental right of Indian citizens. To put this in context, the eight judges of that nine-judge bench have retired, and we have had 6 new chief justices since then, but we do not have the data protection law promised by the government to the Supreme Court.

But then again, what is the use of a non-enforceable fundamental right to privacy? What is the use of non-accountable investigations to alleged breach? Do we expect to burden the writ courts of the country to adjudicate matters relating to fundamental right of privacy.

India is negotiating our most ambitious international policy push since the non-alignment movement, i.e. “the digital public infrastructure (DPI)”. While CO-Win may not officially be classified as a DPI, it shares many characteristics of the DPI that was or is still used by both the private sector and the public sector in our battle against COVID-19.

For a robust DPI ecosystem, we need trust in the DPI. The government also knows this, and DEPA is its answer to the trust. But how can trust be genuinely achieved without enforcement?

We expect DPI models to be adopted in many countries in few years due to its potential for governance, service delivery and ensuring access. We cannot expect the world to be convinced of our DPI model without a data protection law with proper enforcement.

We eagerly await the DPDP bill to be introduced in the Monsoon session. The time is ripe to introduce sections in the DPDP Bill relating to:

• Enforceable right for data principals against both government and private entities
• Strong and independent data protection authority to hold government departments accountable with parliamentary oversight.

This will not only boost the individual rights regime in the country but also truly help us be the global leader for DPI.

(The author is a tech & media lawyer and can be reached at Nikhil.Narendran@trilegal.com. The views expressed are personal and do not necessarily reflect the views of his organisation or LiveLaw)