“Congratulations on your new start up!”
“Congratulations!! Few More Things For Your New Venture!!”
Isn’t this a wonderfully welcoming way to receive an announcement that your company has been registered? But hang on. You have got it all wrong. This is indeed the first welcome that every new company receives in Digital India, but it is not the official welcome (if there were such a concept) or confirmation mail from the ministry of corporate affairs (MCA) informing you that your registration is complete.
Ask anyone who has registered a company or a limited liability partnership (LLP) online, and you will learn that a flood of spam calls to your registered mobile number, scores of emails and WhatsApp messages marketing bank accounts, compliance services, rubber stamp-makers, etc, will be your first intimation of formal registration. The official email will reach you a few days later.
If this does not frighten you, then it should. It tells you that there is a fat pipeline stealing all your personal and corporate data, directly from MCA and it is being retailed to hundreds of business entities who see you as their target customer. I use the word steal, because senior MCA officials, when alerted to what is happening, are investigating the data leak. This indicates that there is no formal sanction to release or sell such data.
Techies will jump in now to gaslight this serious issue by tutoring me about how tech companies are able to ‘scrape’ data and build databases to sell your information. Yes, we know about largescale scraping of data; but when it happens, even before a formal (automated) email goes out of the ministry informing you about the registration, it points to a systematic sale of data at source by those handling government contracts.
It also raises questions about data privacy and whether careless and callous automation contracts of the government are exposing us to risk.
But let me start with a case study of company ‘X’, which I have provided to receptive senior officials at MCA, for their investigation. On 19th July, at around 9.30am, the partner of X LLP received a call from ICICI Bank congratulating him on the new registration and sought an appointment to open an account for the entity. Surprised, he asked the marketer for the basis of his information. “How do you know? We don’t have any official confirmation as yet”, he said. The answer, “We receive this information from the back-end.” That was only the first call. In the next hour, his mailbox had offers from Axis Bank, HDFC Bank, IndusInd Bank, South Indian Bank, Deutsche Bank, Kotak Bank—some of them sent multiple emails through different officials, who were perhaps buying the database independent of one another.
Then there was Filingbuzz which claimed to have “started an association for Start-ups & MSME companies” and provided mentoring, legal consultancy, guidance on a plethora government benefits and financial advisory services, for a fee. There was Falcon Ebiz, Bizz At Ease, H&G Ebiz, My Biz Development and Filingbuddy.in with a similar spiel, with the addition of full complement of compliance services, including board meetings, tax filings and annual reports. There were a couple of rubber stamp and letterhead-makers, a trademark and licences expert who also made a pitch, although it is hard to see how an LLP provides a big business opportunity for them.
There was even an email that showed up as ‘MCA Support’, but was pitching a registration “under Startup India and take benefits from India Government for your new venture…” This, too, was two days before the official confirmation from MCA. The list above does not include innumerable whatsapp messages and spam calls that he continued to receive.
The email that really mattered—the official communication from MCA—finally reached him at 8.40p.m. on 21st July, by which time you could hardly blame the businessman, if he had mistaken it for a spam email. As I said earlier, the silver lining to this story is that MCA realises that this level of leakage could have serious implications for the security of its systems; so an investigation has been initiated.
I am more concerned with the manner in which our privacy is being compromised with direct leaks from compromised government databases. As the reporting trustee of our not-for-profit organisation, Moneylife Foundation, I am routinely harassed with calls to my mobile number offering compliance and legal services or those helping you access Corporate Social Responsibility (CSR) funds. The source of the data is a statutory reporting database.
Eighteen years later, private players seem to have a direct pipeline to government databases, which are part of the mandate of creating a Digital India and offering Ease of Living. In 2005, there was considerable concern over the Securities and Exchange Board of India (SEBI) collecting biometrics under its MAPIN database. Although MAPIN was junked due to protests from the financial sector, there wasn’t a squeak from this very sector when Aadhaar, a national biometrics-based identification project, was taken up without addressing any of the concerns of misuse, cloning, theft etc. The need for an effective privacy law with adequate checks & balances, grievance redress and penalties for misuse has yet to be implemented.
Personal Data Protection legislation has been going through many iterations and the Digital Personal Data Protection Bill, 2022 has been introduced in Parliament, but data privacy still feels like a distant dream. The biggest threat to our privacy arises from government mandates, wrote Mr Maheshwari, to which, Nandkumar Sarvade, former IPS officer and data security expert, had this sharp response: “In our country, privacy has been the neglected younger sibling of cyber security, which itself is a malnourished child, waiting for the State to start giving it some proper diet”. He says, the failure to put in early ‘guard rails’ for technology-based projects tend to “derail good-intention projects, as they get mired in poor vision and shoddy execution”.
As things stand, the only time that every government department zealously protects personal information is in connection with queries under the Right to Information (RTI) Act. The manner in which sensitive personal data is leaking from MCA makes a mockery of Section 43A of the Information Technology Act (ITA), which, on paper, provides that any body-corporate that possesses, deals or handles any ‘sensitive personal data’ or information should maintain reasonable security practices and procedures relating to such data.
Data is leaking from the government itself and ‘body corporates’ are buying it to market services with no regard to privacy, sensitivity or data protection, endangering everybody who complies with statutory filing and reporting requirements.
In fact, the entire discussion on PDP seems afflicted by MAFA (mistaking articulation for action) syndrome. Narayanan Vaghul, former chairman of ICICI, had coined the term in the 1990s to explain why no final decisions were forthcoming on key issues especially those that impact individual freedom. We will soon complete the first quarter of the 20th century and policy-makers have segued directly to the use of artificial intelligence (AI) without fixing the issue of personal digital data privacy.