Own a car, have a driving licence? Your data is up for sale

Photo for representational purpose only. Photo: iStock

Data is indeed the new gold. And its cost is the consumer’s privacy.

The Indian government earned ₹65 crore in the past three months by monetising data of vehicle registration certificates (RCs) and driving licences (DLs) under the Bulk Data Sharing policy, ministry of road transport and highways told Parliament on Tuesday (July 8).

“The government has provided access (to such data) to 32 government and 87 private entities,” minister of road transport and highways Nitin Gadkari said.

Any organisation seeking bulk data can obtain the data at ₹3 crore in 2019-20. In the case of educational institutions, data can be obtained only for research purposes and for internal use at a one-time payment of ₹5 lakh only in 2019-20, Gadkari informed Parliament.

The data shared includes 28 sets of data for each vehicle consisting of vehicle’s registration number, engine number, registering authority, financing and insurance.

In March 2019, the government had approved the Bulk Data Sharing policy, enabling it to monetise database of vehicle registration certificates and driving licences. It stated that the sharing such data can support the transport and automobile industry and improve services to citizens.

The ministry stores data related to licences and registrations in its flagship applications Sarathi and Vahan, which are operational in 28 states and UTs. Under the Centralized National Registry for transport, the government has records of around 25 crore vehicle registrations and 15 crore driving licences.

According to the policy, organisations requesting the data should be registered in India and be majority (at least 50 per cent) owned by an Indian resident or company.

The government argues that as part of this policy, it does not disclose personal details of car owners and drivers. But the data can be potentially mined for the missing details through cross-reference to other publicly available details.

In fact, the policy itself admits that “there is a possibility of triangulation” or matching the data with other publicly available databases to identify. For instance, with the help of Vahan app anyone can track details of the owner, including the name, address and contact details.

The policy also lists several safeguards. The data, according to the government, is released in an encrypted format and its security is the responsibility of the organisation buying it

In terms of data protection, the policy states that all bulk data accessed by the organisation should be processed and stored in servers within India. At any point, the data should not be transferred, processed or stored in a server outside the country, the policy states.

The ease of availability of this large database and the possibility of matching it with consumer records on other public platforms raises several questions about privacy, safeguards and the potential for misuse.

But experts argue that since the data is being shared under a law passed by Parliament in April, it doesn’t violate any law. “It is not a violation of someone’s privacy as the government is working within the ambit of extant rules and regulations,” advocate and cyber law consultant V Rajendran told The Federal.

The policy was framed in the backdrop of a landmark judgement in August 2017 where the Supreme Court recognised the right to privacy as a fundamental right under Article 21 of the Constitution. The judgement, however, did not define privacy or private data, leaving the government and others to define it.

“It is left to the government and the Supreme Court to interpret what is deemed private data until a law on privacy defines it,” Rajendran said.