The Delhi High Court on Monday issued directions to the Centre to respond to a petition praying for investigation into data breaches in online apps, including those of Bigbasket, Domino’s, MobiKwik and Air India, which compromised personal and financial information of users.

The petitioners argued for investigation because there is no data protection law in India to offer a legislative recourse to victims of data breach.

Justice Rekha Palli asked counsel for the Ministry of Electronics and Information Technology and the Computer Emergency Response Team India (CERT-In) to take instructions on the matter raised by the petitioner, Free Software Movement of India (FSMI), which is a national coalition of various regional and sectoral free software movements.

“The grievance raised in the present petition is that the second respondent (CERT-In) is not taking any action qua the incidents of cyber security breaches and data leaks committed by various entities despite the same being brought to its notice by the petitioners vide its detailed representations,” said Justice Palli in her order.

Repeated representations

Representing the petitioners, advocates Prasanth Sugathan, Prasanna S and Yuvraj Singh Rathore maintained that they had written to CERT-In on four occasions – November 11, 2020, and March 30, April 21, and May 22, 2021 – urging it to investigate the data breaches and update the persons involved about what transpired at Domino’s, MobiKwik, Big Basket and Air India as mandated.

“It was reported that there was a major cyber security incident at Big Basket. According to a report, cyber intelligence firm Cyble has reported around 20 million BigBasket users’ data has been breached and are available on Dark Web. The petitioner submitted a representation dated November 11, 2020 to Ajay Lakra, Public Grievance Officer, CERT-In on the Big Basket data breach. In this letter, the petitioner had requested the CERT-In to intimate an investigation into the incident and update citizens on what has transpired at Big Basket under Section 43A of the Information Technology Act, 2020,” said the petition.

‘Aware of responsibility’

The petition before the High Court submitted that when there was no response to their letters to CERT-In, the organisation sent a legal notice to CERT-In asking it to investigate the data breaches. In its reply to the legal notice, CERT-In maintained that, “We would like to inform you that CERT-In is aware of its responsibilities and does not require your client’s directions to investigate data breaches as highlighted by you. Organisations named in your notices have been directed to comply with the relevant provisions of law.”

The petition said that the data breaches at these companies include sensitive personal information of millions of users, including their addresses, phone numbers, passport information, credit/debit card details, passwords, bank accounts and KYC details, and that they seriously impact the privacy of the users, including their financial details and personal addresses.

They pointed out that in the absence of a law governing data protection in India, the aggrieved users do not have any legislative recourse against such breaches.

“Therefore, an investigation by CERT-In on frequent data breaches at mass level becomes important to safeguard the privacy of users,” they said.
