PAN Privacy: India's Strict Disclosure Rules

India's Digital Personal Data Protection Act 2023 (DPDPA) is the primary data protection law in the country. The act gives individuals certain rights over their personal data, including the right to access their data, the right to have their data corrected or deleted, and the right to withdraw consent for the processing of their data. The DPDPA also requires businesses to obtain consent from individuals before collecting or using their personal data. As a result, the Indian government has cracked down on the unauthorized use of Indian citizens' Permanent Account Numbers (PAN) by financial technology companies and other consumer tech firms. The practice, termed PAN enrichment, helped these companies create customer profiles and cross-sell financial products. However, it represented unauthorized access to the Income Tax department's backend infrastructure. To protect personal data, businesses in India may also enter into Non-Disclosure Agreements (NDAs), which are legally binding contracts that prohibit the sharing of confidential information.

| Characteristics | Values |
|---|---|
| Does India prohibit the disclosure of PAN? | Yes, the Indian government is taking stringent action against technology companies' unauthorized handling of personal data as it moves forward with implementing the Digital Personal Data Protection Act, 2023 (DPDP). |
| What is PAN? | Permanent Account Number. |
| What does the DPDP Act do? | The DPDP Act requires businesses to obtain consent from data subjects before collecting or using their personal data. It also imposes restrictions on the transfer of personal data outside of India. |
| What are the rights of individuals over their personal data? | The DPDPA gives individuals certain rights over their personal data, such as the right to access their data, the right to have their data corrected or deleted, and the right to withdraw consent for the processing of their data. |

The Indian Cybercrime Coordination Centre (I4C) is cracking down on unauthorised PAN usage

The Indian Cybercrime Coordination Centre (I4C) is cracking down on the unauthorised usage of Indian citizens' Permanent Account Numbers (PAN) by financial technology companies and other consumer tech firms. The I4C, operating under the Union home ministry, has directed the cessation of unauthorised access to citizens' PAN data, as part of a broader initiative to strengthen digital privacy protection. This move comes as the government prepares to implement the Digital Personal Data Protection Act, 2023 (DPDP).

The legitimate PAN verification service through the National Securities Depository (NSDL) remains unaffected by the crackdown. This authorised channel only confirms whether submitted details match its database, without sharing personal information. While the authorised service has not been disrupted, multiple people in the know said that most consumer lending platforms, loan sourcing channels or direct sales agents, and credit aggregators used the unauthorised service extensively.

Industry experts suggest these measures align with the government's broader strategy to enforce data protection regulations. "After the Supreme Court judgement on Aadhaar, the rules around database access became more formalised. The government is now extending this to all government databases," an industry executive noted. While the crackdown may cause temporary disruptions, industry participants acknowledge it will help standardise data protection practices ahead of the DPDP Act's implementation.

The I4C is a government initiative to combat cybercrime and protect citizens' digital privacy. It aims to create a multi-stakeholder environment, bringing together law enforcement specialists, industry experts, and academia to address the evolving landscape of cyber threats. The I4C also focuses on research and innovation, developing new technologies and forensic tools to stay ahead of cybercriminals and prevent the misuse of cyberspace by extremist and terrorist groups.

Financial technology companies and consumer tech firms are targets of the crackdown

India's Union home ministry has directed a crackdown on the unauthorised access to citizens' Permanent Account Numbers (PAN) data by financial technology companies and consumer tech firms. The Indian Cybercrime Coordination Centre (I4C) is leading the charge against the misuse of PAN data, which has been termed "PAN enrichment".

PAN enrichment involves using PAN card numbers to build customer profiles, especially for lending companies selling loans and other financial products. The data was also used to cross-check information provided by applicants. PAN numbers are linked to consumer credit scores, making them particularly valuable. This practice gave these companies unauthorised access to the Income Tax department's backend infrastructure, maintained by technology service providers.

Industry sources indicate that this unauthorised service was widely used by various financial entities, including consumer lending platforms, loan sourcing channels, direct sales agents, and credit aggregators. However, identifying specific companies is challenging as these practices were often embedded in internal processes.

The government's crackdown is part of a broader initiative to strengthen digital privacy protection and eliminate unauthorised access to Indian citizens' Personally Identifiable Information (PII). The implementation of the Digital Personal Data Protection Act, 2023 (DPDP) will require businesses to obtain proper consent and use authorised channels when processing citizens' information.

India's Digital Personal Data Protection Act 2023 (DPDPA) governs data sharing

India's Digital Personal Data Protection Act, 2023 (DPDPA) governs data sharing by outlining the rights and duties of individuals and entities involved in data processing. The Act recognises the right of individuals to protect their personal data while also acknowledging the need to process such data for lawful purposes.

The DPDPA defines the obligations of Data Fiduciaries, which include persons, companies, and government entities that process data. It outlines the rights and duties of Data Principals, who are individuals to whom the data belongs. The Act imposes financial penalties for any breach of rights, duties, or obligations related to data processing.

The Indian government has taken a strong stance against the unauthorised use of personal information, including PAN card details, by technology companies. The Indian Cybercrime Coordination Centre (I4C) has directed the cessation of unauthorised usage of Indian citizens' Permanent Account Numbers (PAN) by financial technology and consumer tech firms. This move is in line with the government's implementation of the DPDPA, which aims to protect citizens' personal data.

PAN card details have been misused by firms to access customers' personal information, including full names, addresses, and phone numbers, through the Income Tax department's backend systems. While not a data breach, this practice represents unauthorised access to sensitive information. The government's crackdown on PAN card misuse is a step towards ensuring the privacy and security of its citizens' personal data.

The DPDPA shares similar principles with the European Union's General Data Protection Regulation (GDPR) but differs in key aspects. Unlike the GDPR, the DPDPA applies only to digital personal data and does not distinguish between personal and sensitive personal data. The DPDPA establishes the Data Protection Board of India as an adjudicating body to resolve disputes related to personal data breaches.

India is taking steps to protect its citizens' personal data. The country has seen a crackdown on the unauthorised use of PAN (Permanent Account Number) card details, with the government taking stringent action against technology companies' mishandling of personal data. This is part of the implementation of the Digital Personal Data Protection Act, 2023 (DPDPA).

The DPDPA requires businesses to obtain consent from individuals, or data subjects, before collecting, using, or storing their personal data. This consent must be freely given, specific, informed, and unambiguous. India is one of the fastest-growing digital economies in the world, with over 1.4 billion internet users, and so the collection, use, and disclosure of data are subject to a number of laws and regulations.

The DPDPA also gives individuals certain rights over their personal data, such as the right to access their data, the right to have their data corrected or deleted, and the right to withdraw consent for the processing of their data. This is in line with global trends, such as the EU's GDPR (General Data Protection Regulation), which also requires that consent be obtained freely, specifically, and unambiguously.

Businesses must also inform individuals of the categories of data being collected and the source from which it was obtained. This includes if the data was obtained from publicly accessible sources. This information should be provided within one month of obtaining the data or when communicating with the individual, whichever is earlier.

Data localisation is another key aspect of the DPDPA, requiring certain types of personal data, such as biometric and financial information, to be stored within India. Additionally, the DPDPA restricts the sharing of personal data with third parties. Businesses can only share personal data with third parties if they have obtained consent from the data subject or if it is necessary for the purpose for which the data was collected.

The DPDPA gives individuals rights over their personal data

India's Digital Personal Data Protection Act (DPDPA) came into force in 2024, giving 1.4 billion people data privacy rights they previously lacked. The DPDPA establishes a rights-based framework for data protection, focusing on individual rights and consent as a primary legal ground for processing personal data.

The DPDPA outlines the rights of data principals, obligations of data fiduciaries, and penalties for data breaches. It also introduces a special category called significant data fiduciaries (SDFs). A data principal is a person to whom the personal data relates. For children, their parents or legal guardians are the data principals, and for persons with disabilities, it is their legal guardian. Data fiduciaries are bound to stop processing the personal data of the data principal in the event of revocation of consent. The definition of consent is broad and almost identical to the GDPR's definition, except for the word "unconditional". Consent should be free, specific, informed, and unconditional.

The DPDPA requires data fiduciaries to request consent from the data principals before processing their personal data. It also mandates verifiable consent for children and persons with disabilities. The act obligates data fiduciaries to recognise consent managers and thereby enable data principals to entrust such registered consent managers to act on their behalf. Consent managers provide a transparent mechanism to give, manage, review, or withdraw consent. They must be registered with the Data Protection Board of India (DPB) and meet the requirements prescribed by the DPB.

The DPDPA also grants individuals the right of grievance redressal, requiring data fiduciaries to provide a tiered redressal process to establish relationships with aggrieved individuals. Under the DPDPA, aggrieved individuals must consult the data fiduciary's grievance redressal process before escalating to the Data Protection Board of India.