The Delhi Supreme Court on Monday directed the Centre to respond to a petition seeking an investigation into privacy violations at online apps, including those of Bigbasket, Domino’s, MobiKwik and Air India, in which users' personal and financial information was compromised.
The petitioners called for an investigation because there is no data protection law in India that gives victims of data breaches legal recourse.
Judge Rekha Palli asked lawyers for the Ministry of Electronics and Information Technology and the Computer Emergency Response Team India (CERT-In) for their instructions on the petition raised by the Free Software Movement of India (FSMI), a national coalition of various regional and sectoral free software movements.
“The complaint made in the present petition is that the second defendant (CERT-In) is not taking any action to prevent incidents of cyber security breaches and data leaks by various entities, although this was communicated by the petitioner through his notification detailed representations,” said Judge Palli in her order.
Representing the petitioners, lawyers Prasanth Sugathan, Prasanna S and Yuvraj Singh Rathore alleged that they investigated the data breach four times, on November 11, 2020 and on March 30, April 21 and 22, and informed the people involved about the incidents at Domino's, MobiKwik, Big Basket and Air India.
“It was reported that Big Basket had a major cyber security incident. According to a report, cyber intelligence company Cyble has reported that the data of around 20 million BigBasket users has been breached and is available on the dark web. The petitioner submitted an opinion on November 11, 2020 to Ajay Lakra, Public Grievance Officer, CERT-In, on the Big Basket data breach. In this letter, the petitioner asked CERT-In to investigate the incident and inform citizens about the events at Big Basket under Section 43A of the Information Technology Act 2020,” the petition said.
The petition before the High Court stated that, after the organization received no response to its letters to CERT-In, it sent a legal notice to CERT-In asking it to investigate the data breach. In reply to the legal notice, it received a response in which CERT-In claimed: “We would like to inform you that CERT-In is aware of its responsibility and does not need any instructions from your customer to investigate any data breach you highlighted. The organizations named in your communications have been instructed to comply with the relevant statutory provisions.”
The petition states that the data breaches at these companies involve sensitive personal information of millions of users, including their addresses, phone numbers, passport information, credit/debit card details, passwords, bank accounts and KYC details, and that they have serious implications for user privacy, including their financial details and personal addresses.
They pointed out that, in the absence of a data protection law in India, the affected users have no legal recourse against such violations.
“Therefore, a CERT-In investigation into common mass-level data breaches becomes important to protect user privacy,” they said.