Deep Dive: Tata Neu’s customer data aggregation raises privacy concerns

“I went on Tata Neu and I wanted to see whether I can start booking on Big Basket. So the moment I checked, it had listed out some five or six addresses. Two of the addresses I can understand, one is my current address from where I’m ordering very often and the second is my previous address where I stayed for three to four years. But the default address apparently was a twelve-year-old address of my hostel. It was a working women’s hostel, which is where I used to stay. And that address was visible, which I found really surprising,” Tata Neu user Brinda Patel* from Mumbai told MediaNama.

Tata’s super app Tata Neu, which launched on April 7, was supposed to be the 150-year old conglomerate’s bet on the digital future, but Patel’s story is just one among many instances of users finding their personal details such as addresses and email IDs listed on the app even though they had never used the app before.

“Some of the other people pointed out it could have been because I might have purchased something from Croma. Yes. Twelve years back, I purchased a hairdryer from Croma. But it was an offline purchase because there was a Croma store near the hostel. I don’t know whether I listed my address or not, but this is the only thing I can think of. But that’s speculation. I really don’t know whether this is how they got it,” Patel added.

While Patel isn’t sure of how the app got her hostel address from more than a decade ago, other users who spoke to MediaNama said that the app had gathered data from their accounts on Croma, 1MG, BigBasket, or other Tata Group platforms. Not only did they find that Tata was sharing details with the new super app, but also between Tata platforms. For example, one particular Tata customer, Jishnu Mohan, who spoke with MediaNama, explained how he used an email alias to track down data sharing between Croma and BigBasket:

“I have an email alias set up in my domain, so whenever I sign up, I usually enter, for example, if it is BigBasket, I use bigbasket@xyz.com, where xyz is my domain name. So this way I can identify if someone leaks my data because I use the BigBasket email ID only for BigBasket. But when I logged into Croma, my email address was listed as bigbasket@xyz, which should never happen because I don’t use BigBasket email ID anywhere else. And then I found that all my Bangalore addresses are in Croma. I used to be in multiple places in Bangalore.”

Everyone be very careful with using #TataNeu there seems to be a massive breach of privacy. From my phone number they have picked up lots of personal data from different apps probably owned by #tata group.

— Ranendra Ojha ?? (@ranendra_ojha) April 9, 2022

Logged in to Tata Neu app with phone number. I am wondering how the app instantly got all my address and banking info.

— Utsab (@utsabnov) April 10, 2022

Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.

What are the privacy harms that can arise from data sharing between Tata brands?

The Tata Group owns over 30 companies and each of these companies owns many subsidiaries. For example, brands like Tanishq, Caratlane, and Fastrack are subsidiaries of Titan, a company owned by the Tata Group. Given the company’s presence in travel (Vistara, Air India, Air Asia), accommodation (Taj Hotels), retail (Croma, Westside), and e-commerce (Cliq, BigBasket, 1MG), the wealth of information collected by these brands allow Tata Neu to form comprehensive profiles of users. While this may be pitched as a convenience feature to the users, there are some significant harms that can arise from such profiling of users.

“The fact that information collected by an organisation for a specific purpose in relation to a service provided to an individual is now being used for various other purposes such as cross-selling and marketing entirely at the organization’s discretion is certainly concerning when an individual does not have the ability to opt-out of it,” Jyotsna Jayaram, Partner at Trilegal, told MediaNama.

“In addition to being an unconsented flow of data, this also looks like a data quality problem. If this was a different context, for example, a lending decision being made on poor data quality, then those decisions would actually be exclusionary and preliminary,” Beni Chugh, Research Manager at Dvara Research, said.

“Without strict privacy of data, there is no way of controlling whose hands the data may fall and what they may do with it. So technically, it may be used for things beyond enabling customer convenience such as auto-filling in address boxes. It can be used to discriminate against or segregate potential consumers, et cetera. In a commercial context, the user is not aware of the amount of revenue/ profits generated using her data and will not be compensated for the same,” Parul Gupta*, a lawyer focused on data protection and privacy law, told MediaNama.

When playing around with the Tata Neu app, Ayush Agrawal found that Air Asia was giving discounts to him based on the fact that he was vaccinated:

“I was browsing through different parts of the Tata Neu app, for example, I remember I went to AirAsia for flight booking, so I saw that they knew I was vaccinated and were providing some kind of discount on the basis of that. How did they know about this, about the fact that I’m vaccinated? I haven’t travelled with AirAsia per se. Giving out discounts on the basis that I’m vaccinated is like differentiating between users, right? A person who is not vaccinated would not be getting this discount, keeping aside the rationality of whether you must be vaccinated or not. I think this is a different kind of discrimination.” 

While there’s a good chance that Air Asia did not specifically know whether Agrawal was vaccinated and instead was just randomly assuming that he was, based on the vaccination rate in the country, Agrawal still pointed out the kind of discrimination that is possible by knowing personal details about users.

Tried #TataNeu. Scared to see how Tata combined all of the data I provided on their different websites over different periods of time. They should at least ask for permission. Never going to use the application.

— Ayush Agrawal (@ayushagrawal001) April 8, 2022

Such data sharing also poses significant security risks. Back in November 2020, in a massive data breach, data of over 2 crore BigBasket users, including their names, email IDs, password hashes, pin, and contact numbers, among others, was leaked and sold on the dark web. If Tata brands are sharing data among themselves and there is a data breach at any one brand, then the data from other brands also stand to be exposed.

The legality of this data sharing

Currently, sharing of data in India is regulated by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, framed under the IT Act, 2000. As per these rules, companies must have a privacy policy in place and publish the same on their website. Consent of the user is only required if the company is collecting sensitive personal data.

“Tata’s platforms have privacy notices in place which specify that data will be shared between Tata Group companies and since users consent to these notices while signing up, Tata’s sharing is legal under the IT Act. However, the Rules under the IT Act are quite loose,” Parul Gupta* said.  “They say that you must provide a privacy notice before you take consent and the privacy notice can be very simple. It can just say for what purpose you’re collecting the information, with whom you are going to share it, who’s going to retain it, who’s going to collect it, and things like that. Furthermore, the penalties for non-compliance aren’t specific penalties and so residuary penalties of less than INR 25,000 will apply at best,” Gupta said. “As a result, the current rules are ineffective,” Gupta remarked.

Comparing the privacy policies of BigBasket and 1MG before and after the acquisition

Using Wayback Machine, we looked at the privacy policies of 1MG and BigBasket from July 2021 and May 2021 respectively, which was before Tata changed these policies. It’s important to note that there was no explicit mention of sharing data with Tata in either of these policies.

However, both companies had broad provisions that allowed them to share data with potential acquirers. 1MG’s old policy, for example, has a provision that states that “1mg may also disclose or transfer the user Information, to another third party as part of reorganization or a sale of the assets or business of a 1mg corporation division or company” and that the third-party will have the right to continue to use the personal information provided to 1mg. In this case, since Tata bought 1mg, it has the rights to the user data collected by the company. BigBasket’s old policy also has a broad provision that states the company will share data with its partners or third parties where it deems necessary, and the company can argue that an acquisition is one such “necessary” scenario.

BigBasket’s current privacy policy, on the other hand, explicitly states that data collected from users may be used for:

“processing, disclosing, transmitting, and/or sharing the data/information with Tata Group Entities, and other third parties which have business or contractual dealings with us”

Furthermore, according to the policy, BigBasket can also gather data from other Tata Group entities:

“Where you have shared any information previously with any of the Tata Group Entities and have consented to the further sharing of such information, such information will be shared with us by the Tata Group Entities.”

1MG’s current privacy policy is worded on similar lines as well.

The fact that companies can acquire another company and change the acquired company’s privacy policy without informing its users and use the personal data of the users in any way they want, stresses the need for a comprehensive data protection regime that gives users some form of protection.

“I never thought that Tata would one day buy Big Basket and then they would be having access to my addresses. That is a bit scary. And there was no consent of any kind. They would be combining this data and from this perspective, it would be a lot of data. So, for example, if tomorrow, let’s say, I use their airlines, their hotels, and then sort of combine it with their other online platforms, they would know quite a lot about me. If they want, they can shape my behaviour.” – Ayush Agrawal told MediaNama

Will the Data Protection Bill address the concerns that arise from such data sharing?

The Data Protection Bill has stricter norms around privacy notice, consent, and transparency, which might help address some concerns: 

• Consent for all personal data, not just sensitive: “The Data Protection Bill extends the requirement to obtain consent to process personal information as well. In that sense, it extends the same safeguards that exist today for sensitive personal data to personal information. As a result, the ability to process even just my name, address and phone number will primarily be permitted only on the basis of consent,” Jyotsna Jayaram said.
• Privacy notice rules are stricter: “The Data Protection Bill would have addressed concerns to some extent because the rules for privacy notice under the Bill are a little more strict in that if you receive personal data from a source that is not the data subject, then you still need to give a privacy notice saying that we’ve got your information from so and so source,” Parul Gupta said.
• More transparency on what companies are doing with the data: “There will be certain norms that apply to significant data fiduciaries such as impact assessments, audit, privacy by design policy, which are steps in the right direction. They promote transparency in how data is shared and how it is used. And that will help data protection experts, people who are lawyers or people who are people in civil society to really understand how data is processed by these companies,” Shashank Mohan,  Senior Project Manager at Centre for Communication Governance, told MediaNama.
• Fresh consent might be required in this case: “In 1mg and BigBasket’s case, since the purpose for processing has changed following the acquisition, a fresh consent might be required from users under the provisions of the Data Protection Bill. However, this depends on how broadly the privacy policy was worded before the acquisition. In the fresh consent context, the purpose would have to be drafted more narrowly in the first instance. So to say, for example, that BigBasket will collect data to provide food delivery services to you as opposed to the existing broad language,” Gupta explained.

But, there are still some drawbacks with the current version of the Data Protection Bill that might allow such data sharing to continue unhindered: 

• There are exemptions for mergers and acquisitions: “One of the exceptions to consent-based processing of personal data proposed under the Data Protection Bill is processing for reasonable purposes. These purposes will need to be notified by the Data Protection Authority along with appropriate safeguards. One of the reasonable purposes in the current draft of the Bill is mergers and acquisitions or other corporate restructuring transactions. This could potentially cover instances where personal information of customers or employees of a target may need to be shared with an acquirer or investor as a part of the diligence and transaction,” Jyotsna Jayaram said.
• If people have consented, it doesn’t matter: “As per clause 8 (4) of the Data Protection Bill, data can be shared as part of any financial transaction in line with the prescriptions of this law. What that means is any data can be shared as long as it is compliant with the contours of the bill. And I think that particular clause has made the bill weaker because to the best of my knowledge, there is no direct mention of within-group entities. It’s all still very much hinged on consent and the hope that people will actually subscribe to informed consent. And if they’ve consented to the flow of data, then it doesn’t matter except for geographical locations where the data is flowing to. So I don’t think that the bill would have necessarily changed things a great deal,” Beni Chugh said.
• Information asymmetry and consent fatigue: “Unabashed data sharing is not respecting the data privacy of individuals. But more often than not you’re signing off that data. And what becomes relevant from my perspective as an expert studying this is that just giving a privacy notice will not solve it. You can give me as many notices as you want. I’m not going to look at it. So please continue sharing my data. And why is that? It is because there is information symmetry and consent fatigue,” Shashank Mohan said. “So basically, what we need is obviously a comprehensive data protection law that holds companies accountable for the kind of notices and the kind of consent they’re making available,” Mohan added.
• Other forms of data governance should be implemented: “We, including other experts in this field, have repeatedly said that just relying purely on consent will also not work out. There are various suggestions for new models of data governance that empower individuals holistically more. Like data trusts, data commons. Yes, we need a data protection law. But the caveat there is that a data protection law that only emphasizes consent is not really going to give meaningful redressal to people,” Mohan said.
• Privacy is taking a step back compared to economic benefits in many of the government’s proposed regulations: “If you look at the NPD policy, if you look at the language used in the JPC report or if you look at the data accessibility policy, everything is talking about data sovereignty, data flows, and the economic nature of data. It seems to be that the privacy conversation is taking a slight back step in all of this. Although economic interests in data may be relevant to consider, they should not be at the cost of privacy,” Mohan said.

Should CCI investigate Tata for competition concerns?

CCI’s jurisdiction: “So CCI has jurisdiction around three kinds of issues. The first is an abuse of dominance. So if you are a dominant entity and you’re abusing that market position, what does that mean? The second is horizontal agreements, which is to say, how do you contract with your peers or people in the same sector? So that’s the collusion bit. And then the third is the vertical agreement, which is how do you interact with entities within yourself? And that one is joined with the first one, which is the abuse of dominance. The moment I’m a dominant company in even one sector and I am leaning on my intragroup partners or sister concerns or whatever we want to call them, then there is an issue of abuse of dominance,” Beni Chugh explained.

The Facebook/WhatsApp case: In March 2021, CCI launched a suo motu investigation into WhatsApp’s new privacy policy which allows the messaging platform to share more data with Facebook. CCI said that WhatsApp has prima facie violated provisions of the Competition Act and that it wanted to investigate “the full extent, scope and impact” of data sharing under WhatsApp’s new privacy policy. This raises the question of why CCI has not considered a similar investigation into Tata for its data-sharing practices. More so because users were not even provided notice about the data sharing. “What happened with Facebook and WhatsApp, they asked you several times if you would allow your data to be merged with Facebook or not? But here it’s like, the user doesn’t even know that BigBakset got sold to Tata and they have merged all their data together. They didn’t even care to inform us,” Tata Neu user Jishnu Mohan told MediaNama.

• Similarities with Tata’s case: 
  • Data sharing between group companies: While WhatsApp wanted to share data with its parent company Facebook, in Tata’s case all group companies are sharing data with each other. In both cases, there is sharing of data between group companies.
  • Competition concern: This sharing of data raises competition concerns. “CCI launched an investigation into Facebook and WhatsApp from the perspective of abuse of dominant position, where they said that we’re not looking at privacy. We’re looking at the fact that through the new privacy policy, WhatsApp is going to have access to a lot more consumer data and it’s going to be able to stalk people and create profiles and therefore basically get a dominant position to be in a place to abuse that dominant position. And that’s why it’s a competition law issue. In that sense, widespread data sharing between Tata platforms may also bring it within the CCI scanner in terms of gaining a dominant position in the data industry,” Parul Gupta said.
• Differences:
  • Facebook and WhatsApp are dominant, Tata is new to the space: “In the merits of the case, CCI said both Facebook and WhatsApp are dominant, they are not easily substitutable. But Tata Neu is quite new,” Beni Chugh said. Echoing similar thoughts, Shashank Mohan also suggested that we will have to wait and see the concerns that Tata poses and give CCI time.
  • Social media platforms have been targets because data use is apparent: “The regulations (existing and proposed) are meant to apply equally to all entities that process personal data based on the role they perform with respect to the data. That said, some of these regulations (such as those governing intermediaries and digital media entities and the proposed provisions on social media intermediaries in the Data Protection Bill) appear to have an increased focus on large social media platforms. This is probably on account of the volume of data processed and the data processing and handling practices that seem more apparent for these entities – for e.g. serving up customised and targeted ads based on user preferences,” Jyotsna Jayaram said.
  • Global attention on Facebook, WhatsApp: WhatsApp’s new privacy policy attracted scrutiny from regulators around the world, and this could have pressured CCI to also look into it, Shashank Mohan suggested.

Why is it tricky to investigate Tata: “It is tricky, on at least two counts. One is just tactically it’s tricky because Tata Neu is quite new and we don’t see any of these super-platform apps coming in and mounting a direct challenge. And therefore the space is not well defined. Wherever they have had to identify markets in these new market setups, they’ve been conservative. The second is generally the concern with platform economies. There is this whole thesis that’s going on that competition law needs to be revamped for platform economies,” Beni Chugh said.

The difficulty in regulating platform economies: “There’s the Lina Khan school of thought, that talks about internal transactions and their network effects, and therefore all of that gets compounded and that reinforces monopoly position but also abuse of dominance.” “That’s one school of thought, the other school of thought, which is not attacking platform for their ability to get big. It says that in platforms it is hard to identify markets and usually gains on one side of the market are accompanied by losses on the other side of the market. And therefore it is hard for the regulator to kind of dissect what is anti-competitive and what is not, because unfortunately if Ola abuses its drivers, and makes working harder, they’re definitely being anti-competitive and abusive there. But usually, it is also offering better services to the customer and there is a consumer surplus in the process, and what the competition authority then needs to do is balance both of these,” Chugh explained.

The effectiveness of CCI in investigating platform economies: Given the difficulty in regulating platform economies, CCI’s effectiveness under the current Competition Act is questionable. “I’m not sure if it’s entirely fair to be very critical of the CCI because I think it’s already working outside of the domain. I think that the Indian government now needs to start looking at new ways of addressing competition issues, especially in the technosphere and possibly look at amending the Competition Act. This is a pervasive problem. It’s not only Facebook, it’s not only Tata. It’s how the data economy works,” Shashank Mohan said. “We do not know if CCI has the right tools to investigate privacy policies and data sharing and such. They have generally looked at price issues but they are headed in the right direction with their investigation into Facebook and WhatsApp. But the law needs to change to better address the tech ecosystem,” Mohan said.

Questions sent to Tata Group and Tata’s response

In an email questionnaire dated April 12 sent to various media contacts at Tata, Tata Digital, Big Basket, and 1MG, we asked the following questions:

1. What personal data of users is shared between Tata Group companies and since when?
2. Which Tata Group companies share data between themselves? Is it limited to companies that are there on Tata Neu?
3. Which all Tata Group companies have submitted user data to Tata Neu?
4. Does Tata inform its users that data will be shared between various companies and has it obtained consent from users for this sharing?
5. Following Tata’s acquisition of 1MG and BigBasket, it appears that the privacy policy page of the two companies has been changed to indicate that user data will be shared among Tata Group entities. Did Tata inform the existing users of 1MG and BigBasket about this change in the privacy policy and was their fresh consent obtained? If so, please share details of the correspondence sent to users.
6. In case there is a mistake in the user data in possession with Tata, is there a process for users to request a correction? If so, can you briefly explain the process? 
7. Do Tata customers have the right to request deletion of their data in possession of one or more of the Tata group companies? If so, please briefly explain the process for the same.

A Tata Digital spokesperson responded on April 19 with the following statement:

“Tata Digital respects the privacy of its customers. We comply with, and will continue to comply with applicable data regulations, both in letter and spirit.”

* Names changed on request for anonymity

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

• Tata’s Neu Super App Is A Total Mess
• Delhi HC Grants WhatsApp, Facebook Extension To File Replies To CCI In Privacy Policy Probe
• When An Indigo Flyer “Hacked” His Way To Retrieve Lost Baggage, He Found A Privacy Risk That Plagues The Entire Airline Industry

Have something to add? Subscribe to MediaNama here and post your comment.