Data privacy issues have been hanging heavy over several global tech giants over the last few months, but now it appears that India’s homegrown startups might soon have to start dealing with them as well.
A hidden-camera sting operation has suggested that India’s Prime Minister’s Office had asked Paytm for the data of its Kashmiri users after stone pelting incidents had stopped in the valley following the demonetization move in 2016. The sting operation, conducted by Cobrapost, is a part of a series of exposés which allegedly aim to show how the media can be influenced in its reporting through financial incentives. The Paytm video features Ajay Shekhar Sharma, the younger brother of CEO Vijay Shekhar Sharma, who’s also a Senior Vice President at Paytm.
“Wahan per J&K me band hue the na patthar, to humse personally PMO se phone aaya tha, kaha gaya tha data do, ho sakta hai Paytm ke users hon (When the stone pelting had stopped in Jammu and Kashmir, we’d got a phone call from the Prime Minister’s office asking us to hand over the data of Paytm users),” Ajay Shekhar Sharma tells the undercover investigative reporter. There’s no footage of Sharma saying that Paytm actually handed over the data, but the Cobrapost video implies that it did, saying that it had thus compromised the privacy of its 200 million users. We have contacted Paytm for a comment on the video, and will update this article when we hear back.
The video, for its part, doesn’t provide much clarity on whose data Sharma was referring to. There had been reports that stone pelting had stopped in the Kashmir valley after the demonetization move in 2016, ostensibly because Pakistan-backed militant groups no longer had ready cash to pay protesters in exchange for pelting stones. It’s possible that militants had then taken to paying protesters through Paytm, and the government wanted Paytm’s data to check which people were being paid.
It is, however, not uncommon for the Indian government to ask tech companies for data on their users. Just last year, Facebook said that the Indian government had asked for user data as many as 22,024 times, and in accordance with applicable law and its terms of service, it had complied with around half of those requests. In the second half of 2017, Google said that the Indian government made 4,499 requests for user data.
While the PMO might have been in the right in asking Paytm to hand over user data over matters of national interest — stone pelting on national security forces presumably falls under national interest — this operation does raise questions over whether there are adequate processes in place for such sharing of data between apps and the government. Worryingly for Paytm, Ajay Shekhar Sharma appeared to show an affinity towards the present government in the sting operation. Apart from hinting that he was close to several RSS functionaries, he went on to say that “RSS hamare blood me hai (RSS is in our blood)”.
Data privacy, of course, is an issue that many tech companies are currently grappling with. Facebook CEO Mark Zuckerberg recently had to face a Congressional panel after Facebook had let the personal data of millions of users be shared with agencies which used it to campaign for elections, and companies across the world were slowly coming to terms with the European Union’s GDPR regulations which come into force today. But as Indian companies grow and amass millions of users, they’ll quickly need to form strong data privacy policies and share them openly with their users — like Google and Facebook, they could publicly declare how many requests they get from the Indian government, and how they comply with them. If they don’t, given the current mood around data privacy, there could be many more sting operations in the offing.
Update: Paytm has said that it never shares user data with anyone for any purposes other than legal requests. “We never share your data with anyone: any company/ any government or any country. At Paytm, your data is yours. Not ours, or of a third party, or of the government. Our policy allows ONLY legally compliant data requests through a thorough process from law of the land to get access to data for necessary investigations,” said a blog post.