What does the law say about Bigbasket's data breach?
The e-grocery company, Bigbasket, suffered a massive data breach recently. But what does Indian law say about protecting personal data?
Called “the oil of the 21st century,” data is the most valuable asset on the internet today. It’s what drives companies like Facebook, Google, and Amazon.
To regular users, how this works may not be clear. What’s Instagram going to do by knowing what I ate for breakfast?
Here’s a simple explanation. Everything you do on a platform like Facebook generates data. Name, age, location, likes, comments, phone model – Facebook knows it all. This data allows the platform to show you targeted ads.
Since I like running, I’m more likely to click on ads for shoes than for lehengas. So, Facebook can make more money through targeted ads than random ones. Therein lies the value of data.
Now, to the breach.
Bigbasket is a popular e-grocery app. You can order things like veggies, milk, and eggs, and Bigbasket will send them to your house.
Recently, Bigbasket announced that it had suffered a data breach. The breach happened in October. The news was made public on 7 November 2020.
The leaked data included names, email IDs, phone numbers, and addresses of over 2 crore users. Bigbasket claimed that no financial data, such as credit card numbers, was breached.
This personal information was put on sale on the dark web for ₹30 lakh.
The Mystery of Indian Data Protection Laws
Data privacy has been a hotly contested issue in India.
The primary legislation is called the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (!!). For convenience, let’s call these the Data Protection Rules.
The rules are inadequate for dealing with today’s challenges. Here are some issues –
Data is classified as personal information (‘PI’) and sensitive personal information (‘SPI’). PI includes general information like name, age, and address. SPI means sensitive information such as passwords, financial information, sexual orientation, medical records, etc. The Data Protection Rules only provide robust protection to SPI.
The rules don’t adequately address issues like where data must be stored (data localisation).
The only penalty for a breach is compensation to affected persons if their SPI is leaked due to negligence.
To the best of our knowledge, no one has been punished under the Data Protection Rules so far.
Given these problems, a new Personal Data Protection Bill was introduced in 2019. This Bill addressed many of the concerns about the Data Protection Rules. However, it is still pending before Parliament.
What Happens to Bigbasket?
Considering the potential harm caused, you’d think that Bigbasket would be penalised heavily, right?
That’s unlikely. Two reasons.
First, under the Data Protection Rules, a body corporate needs to be negligent in maintaining its security practices for the penalty to kick in. Bigbasket will probably argue that the breach happened despite its top-notch security practices, so there was no negligence.
Second, to qualify for compensation, the leaked data must be SPI like passwords, financial information, sexual orientation, and biometric information. PI such as phone number, address, and email ID doesn’t make the cut. Bigbasket claims that no SPI was breached. So, no compensation.
The company has now filed a complaint with the Cyber Crime Cell to catch the culprits.