Leaking consumer contact info may make biz entities liable to Rupees 250 crore fine

New Delhi, Aug 7, 2023

The proposed digital personal data protection law seeks to clamp down heavily on consumer-facing industries such as banks, insurance companies, real estate and automobile sellers, hotels and restaurants and e-commerce as well as social media giants if they compromise vital information of customers by leaking and selling names, phones numbers, or other information to third parties.

A top official involved in the drafting of the new law said that the government has taken care to make sure that entities who are the first recipients of the information from the customers are the ones that would be charged for any leaks, with fines that may go up to Rs 250 crore for a single leak and higher in case of the sharing is done with numerous companies.

“For example, you approach a bank for a car loan, and a bank official sells your details to car makers who in turn transfer it to insurance companies. In this case, it is the bank that will be penalized for illegal sharing of the data under the new law,” the official said.

“The whole concept of the data law is to protect the privacy of individuals and guard against any unauthorized usage of the data,” the official said.

In fact, the bill – which was tabled in the Lok Sabha last week by communications and IT minister Ashwini Vaishnaw – gives out examples of how to handle sensitive consumer information and what to do with it once the task is over.

It clearly spells out that the information collected on the users needs to be removed once a given task is over.

It clearly spells out that the information collected on the users needs to be removed once a given task is over. “X, an individual, electronically messages Y, a real estate broker, requesting Y to help identify a suitable rented accommodation for her and shares her personal data for this purpose. Y may process her personal data to identify and intimate to her the details of accommodation available on rent. Subsequently, X informs Y that X no longer needs help from Y. Y shall cease to process the personal data of X.”

Also, the new law mandates that companies stop forcing users for details which are not required to provide them with services. “X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for ma king available telemedicine services.”

The government official said that companies will need to destroy – or remove – data that they have sought while fulfilling a service once the task is over. “For example, there are private companies who take critical information from users when they are applying for visa. These include bank statements, salary slips, and other vital documents, which are often submitted in digitised forms. Now they will have to destroy this information once the visa has been processed.”

The same example applies for websites that handle hotel bookings or travel ticketing, if they do not have user consent to continue to hold the user data.

The law is also clear on the matter of how companies take user consent.

“The consent given by the Data Principal (user) shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.” Companies are also mandated to provide users access to a grievance officer to answer to their complaints.

[The Times of India]