In today's Finshots we see how IRCTC landed itself in a soup last week'

Also, did someone forward this story to you? Well, if you’d like to receive our daily 3-min newsletter that breaks down news from the world of business & finance in plain English straight into your inbox — click here!

The Story

Everyone who has ever travelled on a train in India will probably know IRCTC or the Indian Railway Catering and Tourism Corporation. There are no two ways about it. They have a virtual monopoly in ticketing, and you must get IRCTC involved if you want to book a train ticket. In fact, the website boasts details of close to 11.70 crore passengers with details like their name, age, mobile number, gender, address, and email-id. It’s a data gold mine.

But you know how they say — Data is the new oil? Well, that idea takes a whole new meaning when you realise IRCTC is sitting on this data gold mine. If they intended, they could share this data with certain third parties and make a lot of money in the process.

And it seems they’re planning on doing just that.

Last week, IRCTC put out a tender asking private consultants to help them find ways to monetize its passenger data. And it expects to earn a whopping ₹1,000 crores from this endeavour!

Will companies line up for this data? Many entities will be interested of course. After all, it's data linked to a staggering 11.70 crore people!

But this upset a lot of people. They said — “How can IRCTC do something like this?! It’s a blatant invasion of privacy.”

And, after the online backlash, a section of the media began reporting that IRCTC denied plans to sell data in the first place. IRCTC said that they were simply exploring business opportunities. That it wasn’t really a tender and it was an “expression of interest” to gauge data’s potential. And that was it.

Now, this isn’t the first time that a government entity has dabbled with a data monetization plan.

Back in 2019, the government pocketed a cool ₹65 crores by selling data acquired by transport authorities. We’re talking about things like vehicle insurance and driving licence details.

However, there was one major issue. If these entities desired, they could have easily matched the data here with other information available elsewhere (say your name or your address) and could know who you are, what you drive, where you live and the name of your financer.

It’s honestly scary.

Now the government believes “data is a public good.” And they don’t usually seek consent before sharing this data, even though you didn’t sign away the rights to it when you registered your car with the RTO or applied for a driving licence.

And realistically, they don’t need your consent because you actually don’t own your data. You see, India still doesn’t have a law protecting data privacy. We’re still heavily reliant on the outdated IT Act of 2000 which doesn’t really lay out the contours of data ownership. It only states that a person whose data is misused can claim compensation. So the government could claim that the data is a “public good” and hand it over to other organizations anyway. And then put the onus on them to ensure that the data isn’t abused.

How can we fix this, you ask?

Well, many people pinned their hopes on the Personal Data Protection Bill (DPB). It was expected to finally guarantee your right to privacy and data protection. It should have prevented corporations from selling your data willy-nilly without your explicit consent.

But the law has been in limbo for half a decade now. And even though the bill was supposed to be passed this year, the government shelved it. The reason? A panel that was looking into the bill suggested 12 major changes and 81 amendments to the bill. So rather than simply makings the changes, the government decided to go back to the drawing board and rework it from scratch.

Now even if we are optimistic that a new and improved DPB will become law in 2023, there could still be a loophole for the government. You see, the draft bill had proposed to exempt government agencies from the law “in the interest of sovereignty” of India. And privacy advocates believe that’s a slippery slope because the government could continue to shout “public good” and sell data to private organizations.

So yeah, IRCTC’s tryst with data monetization has simply hammered home the point of why we need to step on the pedal when it comes to the Data Protection Bill. And hopefully, it’ll see the light of day sooner rather than later.

Until then…

Don't forget to share this article on WhatsApp, LinkedIn and Twitter