The alleged leak from the CoWin database is yet another indication of some persistent weaknesses in India’s digital public infrastructure (DPI) and a pointer to the need to overhaul its techno-legal approach to managing the personal data of citizens. According to the government, the details being disseminated from the Telegram bot may be from a prior data leak. The concerns, therefore, extend way beyond this one leak, damaging as that may be. It has been six years since the Supreme Court declared privacy a fundamental right and five years since a committee chaired by Justice (retired) B N Srikrishna prepared the first draft of legislation for personal data protection. But a policy vacuum continues to exist since India still doesn’t have a dedicated law on data protection and privacy. Nor does it have a dedicated law on cybersecurity.
Incidents of this kind will continue to occur because of dissonance between government policy to encourage digitisation
