Geo Focus: Asia , Geo-Specific , Governance & Risk Management
Vehicle Information Is for Sale; Is Privacy at Stake?
Government of India Reportedly Selling Data for ProfitThe Ministry of Road Transport and Highways informed the Parliament on Saturday that it has earned around INR 65 crore, or about $9.5 million, by providing restricted access to a database of registered vehicles and drivers to private-sector companies, according to Inc42.
See Also: How Active Directory Security Drives Operational Resilience
It's disheartening that the government apparently did not inform citizens that their data would be sold. And it's not clear how the ministry handled security when sharing the data.
In reply to questions from the Parliament, Nitin Gadkari, union minister of road transport and highways, revealed that the ministry is selling vehicle registration and driving license data, according to Inc42.
While the government says that the data sold to companies includes only vehicle information, such as name of owner, model of the vehicle and color, it's not clear where that information was stored.
The selling of this data raises serious privacy concerns and violates the trust that individuals put in the government.
Policy on Bulk Sharing
Back in March, the Ministry of Road Transport and Highways released a policy, "Bulk Data Sharing Policy & Procedure," that describes who can buy big batches of vehicle data of registration certificates and driving licenses, how the buyers can use that data and how much it will cost. The policy states that the ministry will share data with enforcement agencies, the automobile industry, banks and finance companies at specified rates for each data set.
Generally, the government solicits public feedback before releasing such policies. But in this case, the ministry apparently did not hold any consultation with industry experts or the public nor did it specify how it would secure the data. It did, however, mention that sharing data in a controlled manner can support the transport and automobile industry.
The policy has mandated certain security measures for companies that buy the data. But those security recommendations are very basic. For example, the policy stresses having a proper access control mechanism in place but fails to describe how this must be achieved.
Shivangi Nadkarni, co-founder and CEO of Arrka Consulting, a privacy advisory and security testing firm, notes: "This is not about the security of the data. This is about the right or wrong of this action. The government or entities to whom the data has been sold may institute the most stringent of measures to keep the data secure - but what bothers me as a citizen is, what is this securely kept data being used for?"
This is not the first instance where government has openly sold citizens' data for money. For example, in the United States, the Florida Department of Highway Safety and Motor Vehicles reportedly raked in more than $77 million for driver and ID cardholder information sales in fiscal 2017.
The Need for a Data Protection Law
Unfortunately, the Information Technology Act, 2000 does not bring the government under its purview; it only covers private-sector companies. Furthermore, India does not yet have a data protection law in place.
It's disturbing that the buyers of this data can now use it for purposes other than those for which it was submitted to the government.
"Perhaps, legally, there is nothing really stopping the government from selling the data. But there has to be some accountability," Nadkarni says. "Therefore, formation of the data protection law in India becomes all the more urgent."