Data Protection Ecosystem: Need to Combat Organised Data Exploitation

India’s digital landscape is undergoing rapid transformation, which makes data protection and privacy a critical concern in an interconnected world. The Digital Personal Data Protection (DPDP) Act, 2023, establishes a comprehensive framework aimed at safeguarding personal data, fostering trust, and ensuring accountability in the digital ecosystem. At its core, the Act regulates the collection, storage, and processing of digital personal data, emphasising fairness, transparency, and security. However, while the DPDP Act imposes stringent compliance obligations on legitimate entities, it must also address the escalating threat posed by organised enterprises that operate outside the bounds of the law. These entities systematically exploit personal data through unlawful means and undermine the very objectives of the legislation. The rules under the DPDP Act must therefore not only enable lawful businesses to comply effectively but also provide a mechanism for keeping these unlawful activities under surveillance, so that steps can be taken to secure a resilient digital future for all stakeholders.

The Rise of Illegal Businesses Exploiting Personal Data

While India’s legal framework governs data processing under various regulations, the country is seeing an alarming increase in businesses that exploit personal data by illegal, deceptive, or fraudulent means. These businesses engage in activities that undermine individuals’ financial security and privacy rights. Some common ways in which these illegal actors procure personal data include:

  1. Deceptive Call Centres and Scams: Call centres targeting individuals, pretending to be representatives of legitimate institutions, deceive people into disclosing personal information (e.g., bank details, Aadhaar, OTPs, social security numbers), and then misuse it for theft or resale.
  2. Phishing and Social Engineering: Fraudsters impersonate legitimate entities (e.g., banks or government organisations) and use deceptive tactics to trick individuals into revealing personal data, which is then used for identity theft or financial fraud.
  3. Rogue Apps and Malicious Websites: Fraudulent apps or websites collect excessive personal data under the guise of offering services or discounts, which are either misused or sold.
  4. Hacking and Data Breaches: Cybercriminals hack into organisations/government databases and steal sensitive personal data such as financial information, login credentials, and social security numbers, which are then sold or used for fraudulent activities.

Examples of Fraudulent Activities by Illegal Businesses

Illegal businesses engage in a range of deceptive practices that harm individuals and undermine trust in the digital economy. Brief examples follow:

| S.No. | Offence | Description of Offence | Offence under Section of IT Act | Personal Data Collection | Stage of Commission of Initial Offence |
|---|---|---|---|---|---|
| 1 | SIM Swap Fraud | Fraudsters impersonate individuals to gain control of their mobile numbers and bypass two-factor authentication. | Section 66 (Hacking), Section 66C (Identity Theft) | Yes: mobile number, possibly linked financial details | At the time of data collection (e.g., mobile details) |
| 2 | Tech Support Scams | Fake tech support call centres impersonate legitimate companies and steal financial data or install malware. | Section 66D (Cheating by Impersonation) | Yes: remote access, personal and financial data | At the time of interaction |
| 3 | Fake Loan or Job Scams | Scammers offer fake loans or jobs, collecting personal details for fraud or identity theft. | Section 66C (Identity Theft), Section 66D (Cheating by Impersonation) | Yes: Aadhaar, bank details, and personal information | At the time of data collection (loan/job applications) |
| 4 | Online Shopping Fraud | Fake e-commerce websites collect credit card information and either fail to deliver goods or send counterfeit items. | Section 66 (Hacking), Section 66D (Cheating by Impersonation) | Yes: credit card, financial and personal details | At the time of making a purchase or registration |
| 5 | Phishing Attacks | Fraudsters impersonate trusted entities to steal login credentials and financial details. | Section 66D (Cheating by Impersonation) | Yes: bank details, login credentials | Display of a website for collecting information |
| 6 | Ransomware Attacks | Cybercriminals lock data on devices and demand ransom for decryption keys. | Section 66 (Hacking) | Yes: encrypted files, personal data on the device | At the time of accessing data |
| 7 | Fake Charity Scams | Fraudsters create fake charity campaigns and steal personal data while collecting donations. | Section 66 (Hacking), Section 66C (Identity Theft) | Yes: donation details, personal information | At the time of advertising for donations and collection |
| 8 | Fake Real Estate Scams | Fraudsters offer non-existent properties for investment, collecting payments and disappearing. | Section 66D (Cheating by Impersonation) | Yes: payment details, personal information for contracts | At the time of advertising for purchase and collection |
| 9 | Fake Travel and Holiday Scams | Fraudsters offer low-priced vacation packages, taking upfront payments and failing to deliver services. | Section 66D (Cheating by Impersonation) | Yes: personal and payment details for booking | After booking or payment is made |
| 10 | Social Media Impersonation and Romance Scams | Fraudsters create fake profiles to manipulate victims into sending money or sharing personal information. | Section 66C (Identity Theft), Section 66D (Cheating by Impersonation) | Yes: personal details and financial information | At the time of creating the profile, during interaction, or when money is requested |
| 11 | Data Harvesting and Selling | Fraudulent businesses collect personal data via surveys, fake apps, or websites and sell it without consent. | Section 43 (Damage to Computer Systems), Section 66 (Hacking) | Yes: via surveys or apps | At the time of data collection (without consent) |
| 12 | Fake Software and Antivirus Scams | Fake software/antivirus programs are sold, stealing personal data or installing malware. | Section 66 (Hacking), Section 66D (Cheating by Impersonation) | Yes: installation process, personal data on devices | After installation and access to device data |
| 13 | Fake Investment Schemes | Fraudulent schemes promise unrealistic returns, using collected money for fraudulent purposes. | Section 66D (Cheating by Impersonation) | Yes: investment details and personal information | After the victim invests or provides personal details |
| 14 | Fraudulent SMS and Email Promotions | Fraudsters send fake promotional offers to steal personal details or payment information by redirecting victims to fake sites. | Section 66D (Cheating by Impersonation) | Yes: personal and payment details | After the victim interacts or submits details |
| 15 | Fake Mobile App Scams | Fraudulent mobile apps collect personal data or install malware on devices. | Section 66 (Hacking), Section 66D (Cheating by Impersonation) | Yes: app permissions, user data | At the time of app installation or data collection |
| 16 | Fake Online Reviews and Ratings | Posting fake reviews to mislead consumers into making purchases based on fabricated feedback. | Section 66D (Cheating by Impersonation) | No significant personal data involved | At the time of posting reviews |
| 17 | SMS Spoofing | Fraudsters spoof SMS sender IDs to impersonate banks and trick victims into disclosing sensitive personal details. | Section 66C (Identity Theft), Section 66D (Cheating by Impersonation) | Yes: banking information or login credentials | After the spoofed message is sent and the victim responds |
| 18 | Fake Job Offers on Job Portals | Fake job offers on platforms like LinkedIn or Naukri collect personal details or “joining fees”. | Section 66C (Identity Theft), Section 66D (Cheating by Impersonation) | Yes: personal details (e.g., resume, bank information) | At the time of job application submission |
| 19 | Fake Document Services | Fraudsters offer fake document services, taking payment upfront without delivering valid documents. | Section 66D (Cheating by Impersonation) | Yes: personal and document-related data | After payment and data collection for documentation |
| 20 | Fake Debt Relief and Credit Repair Scams | Scammers promise debt relief or credit repair and disappear after taking fees. | Section 66D (Cheating by Impersonation) | Yes: personal financial details | After the victim provides financial details |
| 21 | Fake Health and Wellness Products | Fake products are sold under health and wellness brands, collecting personal details during purchase. | Section 66C (Identity Theft), Section 66D (Cheating by Impersonation) | Yes: health-related and payment details | At the time of purchase or subscription |
| 22 | Fake Dating Scams | Fraudsters create fake dating profiles, establish fake relationships, and then ask for money or “emergency” help. | Section 66C (Identity Theft), Section 66D (Cheating by Impersonation) | Yes: personal and financial information | After emotional manipulation or a money request |
| 23 | Fake Lottery or Prize Wins | Fraudsters notify victims of fake lottery wins, asking for money or sensitive information to “process” the prize. | Section 66D (Cheating by Impersonation) | Yes: personal information for claiming the prize | After the victim shares personal data or payment |
| 24 | Fake Shipping or Delivery Scams | Fraudsters send fake shipping notifications asking for personal details or payments for supposed fees. | Section 66D (Cheating by Impersonation) | Yes: shipping and payment details | After notification and data request |
| 25 | Fake Prize Draws or Giveaways | Fraudulent prize draws or giveaways ask victims to pay or provide data to claim non-existent prizes. | Section 66D (Cheating by Impersonation) | Yes: personal and payment information | After the victim shares personal data or payment |
| 26 | Fake Tax Refund Scams | Fraudsters impersonate tax authorities to steal personal and financial information under the pretence of processing a refund. | Section 66D (Cheating by Impersonation) | Yes: financial details (bank information, PAN) | After the victim shares sensitive financial details |
| 27 | Fake Ticketing Scams | Fraudsters offer discounted event or travel tickets and disappear once payments are made. | Section 66D (Cheating by Impersonation) | Yes: payment and personal information | After payment and ticket request |
| 28 | Fake Domain and Website Registration Scams | Fraudulent companies promise domain or website registration at low prices but deliver nothing. | Section 66D (Cheating by Impersonation) | Yes: domain registration details (e.g., personal data) | At the time of payment for registration |

Key Takeaways:

  1. Such crimes require significant analysis, preparation, infrastructure, and personnel. They are typically orchestrated by organised enterprises rather than individuals, since the tasks are time-consuming and resource-intensive.
  2. The majority of the effort is expended during the information-gathering phase, which involves advertisements, calls, and similar tactics. Most of the perpetrators’ time is spent on collecting personal data.
  3. The majority of these crimes involve identity theft and/or impersonation. A genuineness check on all collection mechanisms is therefore required.

Two-pronged approach: by 1) identifying these enterprises and enforcing action against all their partners and associates, and 2) implementing genuineness checks, the occurrence of such crimes can be significantly reduced.

Limitations of CERT-In, TRAI in Addressing Illegal Data Exploitation

While CERT-In (Computer Emergency Response Team – India) and TRAI (Telecom Regulatory Authority of India) play important roles in cybersecurity and telecom regulation, they are not adequately equipped to tackle the growing issue of illegal exploitation of personal data by businesses outside the legal framework. Their functions are limited:

  • CERT-In focuses primarily on technical aspects of cybersecurity and provides advisory services but lacks enforcement authority to prosecute illegal actors or take legal action against them.
  • TRAI regulates the telecommunications sector and can issue guidelines for data privacy within this domain, but it lacks the legal authority to take direct action against businesses misusing personal data across various industries.

The remit of neither body extends to the surveillance of organised data exploitation.

Lacunae in the Current Framework under IT Act: The Need for a Dedicated Body to Address Illegal Data Businesses

Cybercriminals often dedicate significant time, energy, and resources to collecting, processing, and misusing personal data. However, existing cybercrime law enforcement agencies primarily investigate crimes that have already been committed, rather than addressing the illegal businesses whose sole purpose is to procure personal data for financial fraud. This leaves a significant gap in the current framework: the centralised cybercrime police stations are not equipped to investigate and act against entities whose primary objective is the collection of personal information. While the misuse of personal data is typically addressed once a victim files a cybercrime complaint, there is a clear need for a dedicated agency that focuses on investigating and preventing these illegal businesses from obtaining personal data in the first place.

Although data protection-related provisions have been carved out of the Information Technology Act, 2000 (IT Act) to form the DPDP Act, no mechanism or governmental agency exists to carry out surveillance of data collection by illegal businesses and to follow it with targeted enforcement. The IT Act primarily covers cybercrimes such as hacking, identity theft, impersonation, and cyberstalking, which fall under the jurisdiction of the cybercrime police. Data protection issues, however, including breaches of personal data and unauthorised data collection and processing by illegal businesses, call for a distinct surveillance and reporting framework, since they require specialised expertise.

To effectively combat the rising tide of illegal businesses that steal, misuse, or sell personal data, or commit financial fraud on the strength of it, there is an urgent need for a dedicated, empowered surveillance and reporting body. This body would carry out continuous surveillance of illegal data exploitation and report its findings to the enforcement agencies. It should work in collaboration with CERT-In, TRAI, and the cybercrime department to ensure a comprehensive and effective approach to data security and protection.

Proposal for the Establishment of the Data Protection Surveillance Authority (DPSA)

We propose the creation of a Data Protection Surveillance Authority (DPSA) to monitor, assess, and report illegal activities related to the exploitation of personal data. The DPSA will serve as a dedicated body responsible for:

  1. Monitoring and Identifying Illegal Data Practices: DPSA will conduct routine surveillance to identify businesses or individuals involved in unauthorised data collection, hacking, or fraudulent activities related to personal data.
  2. Collaborating with CERT-In, TRAI, and other enforcement agencies: DPSA will work alongside CERT-In, Data Protection Board, Financial Intelligence Unit, National Critical Information Infrastructure Protection Centre (NCIIPC), Ministry of Electronics and Information Technology (MeitY), TRAI, DoT, RBI, SEBI, DPIIT, CCI, ED, CBI, NIA, and such other monitoring, regulatory, or enforcement agencies, to strengthen the overall ecosystem against illegal data practices.
  3. Reporting Cases to the Data Protection Board (DPB) and other agencies: DPSA will have the authority to submit reports to the DPB, the Cybercrime Police, CBI, NIA, ED, or such other enforcement agencies, seeking to initiate cases against illegal entities engaged in data exploitation for adjudication and necessary regulatory action.
  4. Public Awareness and Risk Prevention: DPSA will actively engage in public awareness initiatives to educate individuals about the risks of data exploitation and provide guidance on safeguarding personal information.
  5. Actionable Intelligence: This authority will focus solely on surveillance and reporting, ensuring that regulatory bodies and law enforcement agencies are equipped with actionable intelligence to curb data-related offences.

Framework

Option 1: Amend the Digital Personal Data Protection Act, 2023, in the following manner:

Chapter VIA: Data Protection Surveillance Authority

Section 28A: Establishment of the Data Protection Surveillance Authority (DPSA)

Section 28B: Composition, Qualification, and Appointment of Members

Section 28C: Salary, Allowances, and Other Conditions of Service

Section 28D: Disqualifications for Appointment as Chairperson or Member

Section 28E: Proceedings of the Authority

Section 28F: Officers and Employees of the Authority

Section 28G: Members and Officers to be Public Servants

Section 28H: Powers and Functions of the Data Protection Surveillance Authority (DPSA)

  • The DPSA shall perform the following functions:
    1. Routinely monitor and identify data collection, processing, and transfers carried out without due authorisation.
    2. Conduct research on, and surveillance of, entities that routinely engage in unauthorised data collection and processing.
    3. Collaborate with regulatory and enforcement agencies, both to procure information from them and to report violations to them.
    4. Submit reports and recommendations to the Data Protection Board and other relevant authorities.
    5. Promote awareness and best practices for data protection among businesses and individuals.
    6. The DPSA shall have no direct enforcement powers, but may recommend action to the Data Protection Board (DPB) and/or other enforcement agencies in India for necessary adjudication.

Section 28J: Procedure to be Followed by the DPSA

  1. The DPSA and its members shall maintain confidentiality while carrying out surveillance activities, free from interference by, and without granting access to, any outside party.
  2. The DPSA shall follow a structured process for gathering, verifying, and reporting information, as prescribed by rules.
  3. Any entity found engaging in potentially unlawful data practices shall be provided an opportunity to explain or clarify before a report is submitted to the enforcement agencies.
  4. The DPSA may conduct periodic risk assessments, issue advisories, and recommend policy updates to the Central Government.

Option 2: Insert the following clauses in the proposed Data Protection Rules, 2025, in the following manner:

  1. Establish the DPSA as a surveillance arm of the Data Protection Board under Section 28(7)(d) of the DPDP Act.
  2. Powers and functions: under Section 27, on a complaint or a reference from the government, the DPSA may initiate surveillance of any person or entity within India or abroad.
  3. In Rule 15 of the Rules, the power to conduct surveillance can be added alongside the research, archiving, and statistical purposes already covered, for the DPSA.

The provisions outlined in Option 1 can be incorporated as new rules. The following structure is proposed:

Rule 23: Establishment of the Data Protection Surveillance Authority (DPSA).

Rule 24: Proceedings of the Authority.

Rule 25: Powers and Functions of the Data Protection Surveillance Authority (DPSA).

Rule 26: Procedure to be Followed by the DPSA.

Option 3: Data Protection Surveillance Authority (DPSA) under the IT Act, 2000:

To establish the DPSA under the IT Act, 2000, a new set of rules, the Data Protection Surveillance Authority Rules, 2025, can be introduced. These rules would provide a legal framework for monitoring, reporting, and coordinating data protection compliance, with or without enforcement powers.

Conclusion

India is at a critical juncture in its digital evolution. While the DPDP Act establishes a solid framework for regulating personal data protection, there is a pressing need for a Data Protection Surveillance Authority (DPSA) to tackle the growing problem of illegal data exploitation. This body, established through an amendment to the DPDP Act, specific clauses in the DPDP Rules, or rules under the IT Act, would work alongside CERT-In, TRAI, and the enforcement agencies to identify illegal businesses that steal and misuse personal data and to report them for action.

With a clear mandate, the DPSA will strengthen India’s ability to protect its citizens’ privacy and create a safer digital ecosystem.

Image Credits:

Photo by towfiqu ahamed on Canva
