The Delhi High Court on Friday directed the central government’s counsel to take instructions for the government’s stand on a petition alleging large-scale data breaches on four e-commerce platforms. The petition was filed by Yarlagadda Kiran Chandra, General Secretary of the Free Software Movement of India (FSMI), a national coalition of sixteen regional and sectoral free software movements.
Between March and May 2021, there were several reports of data breaches on platforms hosted by BigBasket, Dominos, MobiKwik and Air India that leaked sensitive personal information of millions of users including their addresses, phone numbers, passport information, credit and debit card details, hashed passwords, bank accounts, and Know-Your-Customer (‘KYC’) details. This personal data is reportedly on the dark web, thereby violating citizens’ privacy, financial security and physical safety.
The petitioner and his organisation wrote several requests to the nodal agency for cybersecurity, Computer Emergency Response Team India (CERT), to launch an investigation and update citizens on the matter as provided for under § 43A of the Information Technology Act (“IT Act”).
Citing the agency’s failure to take action in this regard, the plaintiffs filed this petition invoking § 70B of the IT Act, which requires the agency to collect and analyse information on cyber incidents as well as take emergency measures for handling such incidents. The citizen charter of CERT mandates it to redress grievances within one month from the date of receipt.
Noting the absence of legislation for personal data protection in India, and consequently the absence of legal recourse against such breach, the petitioners urged that investigations by CERT for mass-level data breaches are vital to safeguard the privacy of users.
Notably, the companies targeted in these data leaks are market leaders in their own sector and the use of e-commerce platforms in India has ballooned since the pandemic. The court’s decision in this matter will have a significant impact on consumer privacy in the country’s emerging digital markets. The next hearing on this petition is scheduled for 23 September 2021.