“I went on Tata Neu and I wanted to see whether I can start booking on Big Basket. So the moment I checked, it had listed out some five or six addresses. Two of the addresses I can understand, one is my current address from where I’m ordering very often and the second is my previous address where I stayed for three to four years. But the default address apparently was a twelve-year-old address of my hostel. It was a working women’s hostel, which is where I used to stay. And that address was visible, which I found really surprising,” Tata Neu user Brinda Patel* from Mumbai told MediaNama.
Tata’s super app Tata Neu, which launched on April 7, was supposed to be the 150-year-old conglomerate’s bet on the digital future, but Patel’s story is just one among many instances of users finding their personal details, such as addresses and email IDs, listed on the app even though they had never used the app before.
“Some of the other people pointed out it could have been because I might have purchased something from Croma. Yes. Twelve years back, I purchased a hairdryer from Croma. But it was an offline purchase because there was a Croma store near the hostel. I don’t know whether I listed my address or not, but this is the only thing I can think of. But that’s speculation. I really don’t know whether this is how they got it,” Patel added.
While Patel isn’t sure of how the app got her hostel address from more than a decade ago, other users who spoke to MediaNama said that the app had gathered data from their accounts on Croma, 1MG, BigBasket, or other Tata Group platforms. Not only did they find that Tata was sharing details with the new super app, but also between Tata platforms. For example, one particular Tata customer, Jishnu Mohan, who spoke with MediaNama, explained how he used an email alias to track down data sharing between Croma and BigBasket:
“I have an email alias set up in my domain, so whenever I sign up, I usually enter, for example, if it is BigBasket, I use email@example.com, where xyz is my domain name. So this way I can identify if someone leaks my data because I use the BigBasket email ID only for BigBasket. But when I logged into Croma, my email address was listed as bigbasket@xyz, which should never happen because I don’t use BigBasket email ID anywhere else. And then I found that all my Bangalore addresses are in Croma. I used to be in multiple places in Bangalore.”
Everyone be very careful with using #TataNeu there seems to be a massive breach of privacy. From my phone number they have picked up lots of personal data from different apps probably owned by #tata group.
— Ranendra Ojha 🇮🇳 (@ranendra_ojha) April 9, 2022
Logged in to Tata Neu app with phone number. I am wondering how the app instantly got all my address and banking info.
— Utsab (@utsabnov) April 10, 2022
What are the privacy harms that can arise from data sharing between Tata brands?
The Tata Group owns over 30 companies and each of these companies owns many subsidiaries. For example, brands like Tanishq, Caratlane, and Fastrack are subsidiaries of Titan, a company owned by the Tata Group. Given the group’s presence in travel (Vistara, Air India, Air Asia), accommodation (Taj Hotels), retail (Croma, Westside), and e-commerce (Cliq, BigBasket, 1MG), the wealth of information collected by these brands allows Tata Neu to form comprehensive profiles of users. While this may be pitched to users as a convenience feature, such profiling can cause significant harms.
“The fact that information collected by an organisation for a specific purpose in relation to a service provided to an individual is now being used for various other purposes such as cross-selling and marketing entirely at the organization’s discretion is certainly concerning when an individual does not have the ability to opt-out of it,” Jyotsna Jayaram, Partner at Trilegal, told MediaNama.
“In addition to being an unconsented flow of data, this also looks like a data quality problem. If this was a different context, for example, a lending decision being made on poor data quality, then those decisions would actually be exclusionary and preliminary,” Beni Chugh, Research Manager at Dvara Research, said.
“Without strict privacy of data, there is no way of controlling whose hands the data may fall and what they may do with it. So technically, it may be used for things beyond enabling customer convenience such as auto-filling in address boxes. It can be used to discriminate against or segregate potential consumers, et cetera. In a commercial context, the user is not aware of the amount of revenue/profits generated using her data and will not be compensated for the same,” Parul Gupta*, a lawyer focused on data protection and privacy law, told MediaNama.
When playing around with the Tata Neu app, Ayush Agrawal found that Air Asia was giving discounts to him based on the fact that he was vaccinated:
“I was browsing through different parts of the Tata Neu app, for example, I remember I went to AirAsia for flight booking, so I saw that they knew I was vaccinated and were providing some kind of discount on the basis of that. How did they know about this, about the fact that I’m vaccinated? I haven’t travelled with AirAsia per se. Giving out discounts on the basis that I’m vaccinated is like differentiating between users, right? A person who is not vaccinated would not be getting this discount, keeping aside the rationality of whether you must be vaccinated or not. I think this is a different kind of discrimination.”
While there’s a good chance that Air Asia did not specifically know whether Agrawal was vaccinated and instead was just randomly assuming that he was, based on the vaccination rate in the country, Agrawal still pointed out the kind of discrimination that is possible by knowing personal details about users.
Tried #TataNeu. Scared to see how Tata combined all of the data I provided on their different websites over different periods of time. They should at least ask for permission. Never going to use the application.
— Ayush Agrawal (@ayushagrawal001) April 8, 2022
Such data sharing also poses significant security risks. Back in November 2020, in a massive data breach, data of over 2 crore BigBasket users, including their names, email IDs, password hashes, pin, and contact numbers, among others, was leaked and sold on the dark web. If Tata brands share data among themselves, a breach at any one brand exposes the data that the other brands contributed as well, so the blast radius of a single compromised brand grows with every brand that joins the pool.
The legality of this data sharing
“Tata’s platforms have privacy notices in place which specify that data will be shared between Tata Group companies and since users consent to these notices while signing up, Tata’s sharing is legal under the IT Act. However, the Rules under the IT Act are quite loose,” Parul Gupta* said. “They say that you must provide a privacy notice before you take consent and the privacy notice can be very simple. It can just say for what purpose you’re collecting the information, with whom you are going to share it, who’s going to retain it, who’s going to collect it, and things like that. Furthermore, the penalties for non-compliance aren’t specific penalties and so residuary penalties of less than INR 25,000 will apply at best,” Gupta said. “As a result, the current rules are ineffective,” Gupta remarked.
Comparing the privacy policies of BigBasket and 1MG before and after the acquisition
Using Wayback Machine, we looked at the privacy policies of 1MG and BigBasket from July 2021 and May 2021 respectively, which was before Tata changed these policies. It’s important to note that there was no explicit mention of sharing data with Tata in either of these policies.
However, both companies had broad provisions that allowed them to share data with potential acquirers. 1MG’s old policy, for example, has a provision that states that “1mg may also disclose or transfer the user Information, to another third party as part of reorganization or a sale of the assets or business of a 1mg corporation division or company” and that the third party will have the right to continue to use the personal information provided to 1mg. In this case, since Tata bought 1mg, it has the rights to the user data collected by the company. BigBasket’s old policy also has a broad provision that states the company will share data with its partners or third parties where it deems necessary, and the company can argue that an acquisition is one such “necessary” scenario.
“processing, disclosing, transmitting, and/or sharing the data/information with Tata Group Entities, and other third parties which have business or contractual dealings with us”
Furthermore, according to the policy, BigBasket can also gather data from other Tata Group entities:
“Where you have shared any information previously with any of the Tata Group Entities and have consented to the further sharing of such information, such information will be shared with us by the Tata Group Entities.”
“I never thought that Tata would one day buy Big Basket and then they would be having access to my addresses. That is a bit scary. And there was no consent of any kind. They would be combining this data and from this perspective, it would be a lot of data. So, for example, if tomorrow, let’s say, I use their airlines, their hotels, and then sort of combine it with their other online platforms, they would know quite a lot about me. If they want, they can shape my behaviour.” – Ayush Agrawal told MediaNama
Will the Data Protection Bill address the concerns that arise from such data sharing?
The Data Protection Bill has stricter norms around privacy notice, consent, and transparency, which might help address some concerns:
- Consent for all personal data, not just sensitive: “The Data Protection Bill extends the requirement to obtain consent to process personal information as well. In that sense, it extends the same safeguards that exist today for sensitive personal data to personal information. As a result, the ability to process even just my name, address and phone number will primarily be permitted only on the basis of consent,” Jyotsna Jayaram said.
- Privacy notice rules are stricter: “The Data Protection Bill would have addressed concerns to some extent because the rules for privacy notice under the Bill are a little more strict in that if you receive personal data from a source that is not the data subject, then you still need to give a privacy notice saying that we’ve got your information from so and so source,” Parul Gupta said.
- More transparency on what companies are doing with the data: “There will be certain norms that apply to significant data fiduciaries such as impact assessments, audit, privacy by design policy, which are steps in the right direction. They promote transparency in how data is shared and how it is used. And that will help data protection experts, people who are lawyers or people who are people in civil society to really understand how data is processed by these companies,” Shashank Mohan, Senior Project Manager at Centre for Communication Governance, told MediaNama.
But there are still some drawbacks with the current version of the Data Protection Bill that might allow such data sharing to continue unhindered:
- There are exemptions for mergers and acquisitions: “One of the exceptions to consent-based processing of personal data proposed under the Data Protection Bill is processing for reasonable purposes. These purposes will need to be notified by the Data Protection Authority along with appropriate safeguards. One of the reasonable purposes in the current draft of the Bill is mergers and acquisitions or other corporate restructuring transactions. This could potentially cover instances where personal information of customers or employees of a target may need to be shared with an acquirer or investor as a part of the diligence and transaction,” Jyotsna Jayaram said.
- If people have consented, it doesn’t matter: “As per clause 8 (4) of the Data Protection Bill, data can be shared as part of any financial transaction in line with the prescriptions of this law. What that means is any data can be shared as long as it is compliant with the contours of the bill. And I think that particular clause has made the bill weaker because to the best of my knowledge, there is no direct mention of within-group entities. It’s all still very much hinged on consent and the hope that people will actually subscribe to informed consent. And if they’ve consented to the flow of data, then it doesn’t matter except for geographical locations where the data is flowing to. So I don’t think that the bill would have necessarily changed things a great deal,” Beni Chugh said.
- Information asymmetry and consent fatigue: “Unabashed data sharing is not respecting the data privacy of individuals. But more often than not you’re signing off that data. And what becomes relevant from my perspective as an expert studying this is that just giving a privacy notice will not solve it. You can give me as many notices as you want. I’m not going to look at it. So please continue sharing my data. And why is that? It is because there is information symmetry and consent fatigue,” Shashank Mohan said. “So basically, what we need is obviously a comprehensive data protection law that holds companies accountable for the kind of notices and the kind of consent they’re making available,” Mohan added.
- Other forms of data governance should be implemented: “We, including other experts in this field, have repeatedly said that just relying purely on consent will also not work out. There are various suggestions for new models of data governance that empower individuals holistically more. Like data trusts, data commons. Yes, we need a data protection law. But the caveat there is that a data protection law that only emphasizes consent is not really going to give meaningful redressal to people,” Mohan said.
- Privacy is taking a step back compared to economic benefits in many of the government’s proposed regulations: “If you look at the NPD policy, if you look at the language used in the JPC report or if you look at the data accessibility policy, everything is talking about data sovereignty, data flows, and the economic nature of data. It seems to be that the privacy conversation is taking a slight back step in all of this. Although economic interests in data may be relevant to consider, they should not be at the cost of privacy,” Mohan said.
Should CCI investigate Tata for competition concerns?
CCI’s jurisdiction: “So CCI has jurisdiction around three kinds of issues. The first is an abuse of dominance. So if you are a dominant entity and you’re abusing that market position, what does that mean? The second is horizontal agreements, which is to say, how do you contract with your peers or people in the same sector? So that’s the collusion bit. And then the third is the vertical agreement, which is how do you interact with entities within yourself? And that one is joined with the first one, which is the abuse of dominance. The moment I’m a dominant company in even one sector and I am leaning on my intragroup partners or sister concerns or whatever we want to call them, then there is an issue of abuse of dominance,” Beni Chugh explained.
- Similarities with Tata’s case:
  - Data sharing between group companies: While WhatsApp wanted to share data with its parent company Facebook, in Tata’s case all group companies are sharing data with each other. In both cases, there is sharing of data between group companies.
  - Facebook and WhatsApp are dominant, Tata is new to the space: “In the merits of the case, CCI said both Facebook and WhatsApp are dominant, they are not easily substitutable. But Tata Neu is quite new,” Beni Chugh said. Echoing similar thoughts, Shashank Mohan also suggested that we will have to wait and see the concerns that Tata poses and give CCI time.
  - Social media platforms have been targets because data use is apparent: “The regulations (existing and proposed) are meant to apply equally to all entities that process personal data based on the role they perform with respect to the data. That said, some of these regulations (such as those governing intermediaries and digital media entities and the proposed provisions on social media intermediaries in the Data Protection Bill) appear to have an increased focus on large social media platforms. This is probably on account of the volume of data processed and the data processing and handling practices that seem more apparent for these entities – for e.g. serving up customised and targeted ads based on user preferences,” Jyotsna Jayaram said.
Why it is tricky to investigate Tata: “It is tricky, on at least two counts. One is just tactically it’s tricky because Tata Neu is quite new and we don’t see any of these super-platform apps coming in and mounting a direct challenge. And therefore the space is not well defined. Wherever they have had to identify markets in these new market setups, they’ve been conservative. The second is generally the concern with platform economies. There is this whole thesis that’s going on that competition law needs to be revamped for platform economies,” Beni Chugh said.
The difficulty in regulating platform economies: “There’s the Lina Khan school of thought, that talks about internal transactions and their network effects, and therefore all of that gets compounded and that reinforces monopoly position but also abuse of dominance. That’s one school of thought. The other school of thought, which is not attacking platforms for their ability to get big, says that in platforms it is hard to identify markets and usually gains on one side of the market are accompanied by losses on the other side of the market. And therefore it is hard for the regulator to kind of dissect what is anti-competitive and what is not, because unfortunately if Ola abuses its drivers, and makes working harder, they’re definitely being anti-competitive and abusive there. But usually, it is also offering better services to the customer and there is a consumer surplus in the process, and what the competition authority then needs to do is balance both of these,” Chugh explained.
The effectiveness of CCI in investigating platform economies: Given the difficulty in regulating platform economies, CCI’s effectiveness under the current Competition Act is questionable. “I’m not sure if it’s entirely fair to be very critical of the CCI because I think it’s already working outside of the domain. I think that the Indian government now needs to start looking at new ways of addressing competition issues, especially in the technosphere and possibly look at amending the Competition Act. This is a pervasive problem. It’s not only Facebook, it’s not only Tata. It’s how the data economy works,” Shashank Mohan said. “We do not know if CCI has the right tools to investigate privacy policies and data sharing and such. They have generally looked at price issues but they are headed in the right direction with their investigation into Facebook and WhatsApp. But the law needs to change to better address the tech ecosystem,” Mohan said.
Questions sent to Tata Group and Tata’s response
In an email questionnaire dated April 12 sent to various media contacts at Tata, Tata Digital, Big Basket, and 1MG, we asked the following questions:
- What personal data of users is shared between Tata Group companies and since when?
- Which Tata Group companies share data between themselves? Is it limited to companies that are there on Tata Neu?
- Which all Tata Group companies have submitted user data to Tata Neu?
- Does Tata inform its users that data will be shared between various companies and has it obtained consent from users for this sharing?
- In case there is a mistake in the user data in possession with Tata, is there a process for users to request a correction? If so, can you briefly explain the process?
- Do Tata customers have the right to request deletion of their data in possession of one or more of the Tata group companies? If so, please briefly explain the process for the same.
A Tata Digital spokesperson responded on April 19 with the following statement:
“Tata Digital respects the privacy of its customers. We comply with, and will continue to comply with applicable data regulations, both in letter and spirit.”
* Names changed on request for anonymity
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.