Incidents of this kind will continue to occur because of dissonance between government policy to encourage digitisation, on the one hand, and the absence of legislative support to protect citizens using digitally driven services, on the other. The Digital India policy targets the provision of multiple services, including both government and private-sector services, via digital means. There is also a push towards developing an increasingly cashless economy by encouraging digital payments. Much of this depends on the use of a single binding identifier, Aadhaar, to authenticate the identity of users and complete know-your-customer formalities. This DPI and the public and private services built on top of it interface with over 700 million citizens using smartphones. Many, if not most, of those users are not tech-savvy, and the data security of the services they access could vary widely.

The alleged leak from the CoWin database is yet another indication of some persistent weaknesses in India’s digital public infrastructure (DPI) and a pointer to the need to overhaul its techno-legal approach to managing the personal data of citizens. According to the government, the details being disseminated from the Telegram bot may be from a prior data leak. The concerns, therefore, extend way beyond this one leak, damaging as that may be. It has been six years since the Supreme Court declared privacy a fundamental right and five years since a committee chaired by Justice (retired) B N Srikrishna prepared the first draft of legislation for personal data protection. But a policy vacuum continues to exist since India still doesn’t have a dedicated law on data protection and privacy. Nor does it have a dedicated law on cybersecurity.