Airtel’s culpability, if proved, is not having sufficient safeguards in place to protect the identity details of its customers
Last Published: Wed, Dec 20 2017. 05 01 AM IST
With personal data increasingly being rendered vulnerable, companies like Airtel are being called upon to take responsibility for the personal identities of their users. Photo: Pradeep Gaur/Mint
At one level, Bharti Airtel Ltd’s recent problems with the Unique Identification Authority of India (UIDAI), which has temporarily suspended the telecom market leader as well as its payments bank from conducting Aadhaar-based verification of its mobile customers as well those of the bank, using the eKYC process, can just be written off as an isolated case of shocking misdemeanour. The Airtel executives who mounted the devious plan to open bank accounts of some subscribers in another group company Airtel Payments Bank, without their clear and tacit permission can be punished and the company fined as per the clearly laid down rules. UIDAI has alleged that when customers went to Airtel’s mobile app for verification, a box popped up with the statement “Upgrade or create my Airtel Payment Bank wallet using existing Airtel mobile KYC.” In itself, that is kosher, except that the box came pre-checked so unless the user specifically unchecked it, his consent was assumed.
And while UIDAI has appointed consulting firm PricewaterhouseCoopers to audit Airtel’s processes, it isn’t as if the company was caught unawares. The authority had issued two notices prior to suspending Airtel, which shows it was clearly not satisfied with its response. Nor was it an isolated act affecting a handful of customers. Reports indicate that anywhere between 2 million and 3 million accounts may have been thus compromised.
The allegation that the company’s executives used the Aadhaar-eKYC based verification process to open payments bank accounts of its subscribers is a flagrant breach of trust, the very argument that is being held up to oppose the mandatory linking of various services in the country to Aadhaar. Indeed, the security and privacy of Aadhaar data is exactly what the Supreme Court is currently looking into.
The problem isn’t with Aadhaar as its prime architect Nandan Nilekani has repeated ad nauseam. It is with its use and misuse as has happened in the case of Airtel, which clearly did not follow the guidelines laid down by UIDAI. A single national identity is an important part of any advanced and integrated economy. The social security number as the sole authentication mechanism has been in use in the US for over 80 years, and it is only now that there are mutterings of the need to change to a more modern and scientific system, ironically like Aadhaar.
Airtel’s culpability, if proved, is not having sufficient safeguards in place to protect the identity details of its customers. In principle, there is no difference between Airtel leaking the data to some other company and allowing it for use by Airtel Bank.
Whether by stealth or by connivance, personal data is increasingly being rendered vulnerable. Companies like Airtel are being called upon to take responsibility for the personal identities of their users. This personal identity, which is recognised and upheld in international law through a range of declarations and conventions, is now being freely shared, setting up the grounds for more such incidents.
Oddly, Airtel’s predicament is in many ways similar to the dilemma facing tech companies like Facebook, Google and Twitter—how to manage the contradictions of being hands-off as a platform and hands-on as the carriers of the content that can often be patently and dangerously false, misleading and inflammatory. The spate of fines and other forms of censure that these companies have had to deal with points to the desire of European regulators to intervene in the operations of these companies on grounds of privacy and security. Indeed, last year, the European Union (EU) passed the General Data Protection Regulation (GDPR) to replace its existing Data Protection Directive. The new regulation, which will come into force from 25 May 2018, has been designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
India’s data protection law is still some way off with the committee set up to prepare a structured report on data utility, data privacy and data availability, expected to submit its proposals in the next few months after which the legislation proceedings will start. In the meantime, more such incidents will end up shaking people’s faith in the sovereignty of their personal data and its custodians.
Data may be the new oil, but it is far more slippery than the former.
Sundeep Khanna is a consulting editor at Mint and oversees the newsroom’s corporate coverage. The Corporate Outsider will look at current issues and trends in the corporate sector every week.
Click hereto read more from The Corporate Outsider.