#PrivacyOfThePeople - To Date or To Data? / Swipe Left on Surveillance
Tl;dr
In continuation of our weekly series #PrivacyOfThePeople, we look at the impact of the Personal Data Protection Bill, 2019 on different sections of society, from farmers to students. In this post, we examine how dating and matrimonial services share your personal data and just how well the Bill protects us. We explore the need to secure such data as well as why the current regulations are inadequate.
Background
Last week, in the fifth post in our #PrivacyOfThePeople series, we looked at student data under the Personal Data Protection Bill, 2019. We took a deep dive into the merits and demerits of the Bill when it comes to protecting the records of students and their guardians. We illustrated how, intentionally or unintentionally, student data ends up with companies providing services such as coaching facilities, educational loans, insurance, or regular advertising. All of this is a severe breach of our privacy. To date, we have covered the impacts of the Bill on workers, farmers, and social media users.
This post continues to discuss how different groups of people are affected by the Personal Data Protection Bill, 2019. This week, we’re taking a look at dating and matrimonial services, which are notorious for sharing personal data, and at what the Bill has to say about it.
The Issue
According to several studies, connecting online is now the most preferred way to meet new people, increasingly so amongst young adults. An estimated 66 million people use the popular dating app Tinder alone. Whether you’re trying to meet new people, searching for a match on Valentine’s Day, or looking for a potential spouse - dating and matrimonial platforms (collectively known as GeoSocial Networking platforms) are constantly collecting and processing large amounts of personal data. This data can include your gender, date of birth, location, racial or ethnic origins, sexual orientation, religious beliefs, more intricate details regarding personality, lifestyle, interactions on the platform, and interests. What’s most alarming is that most of these platforms actually store your messages (sent and received), pictures, and videos, and can retain this data indefinitely. What’s worse? If you connect any of these services to your social media platforms such as Facebook or Instagram, the dating app company has access to thousands of additional data points on you.
In a world of big data, dating and matrimonial platforms are regularly leaking this very personal information. In 2020, a Norwegian consumer group found dating apps like Tinder, Grindr, and OkCupid guilty of sharing their users’ personal information with thousands of advertising partners. It was revealed in 2018 that Grindr had been sharing the HIV status of their users with 2 third-party companies (Apptimize and Localytics). This extremely sensitive information was coupled with the users’ GPS data, phone number, and email ID, according to the Norwegian nonprofit SINTEF. This is a chilling violation of user privacy.
This issue of violating privacy isn’t limited to dating apps alone. Love Vivaah is an Indian matrimonial site that promises to find you a life partner from over 1 million Aadhaar-verified profiles. On this ‘genuine’ matrimonial site, users are required to give their Aadhaar card details in order to create a profile. Apart from the fact that requiring Aadhaar-based verification may contravene the Supreme Court’s judgement in the Puttaswamy case, sharing one’s Aadhaar information involves a certain risk to one’s privacy.
If such services aren’t giving away your data, they’re certainly not protecting it either. In a serious data breach last year, over 70,000 photos of female Tinder users were leaked online. Given that it is necessary to upload a photo of yourself in order to make a profile on Tinder, the company is duty-bound to protect such data. In 2020, the personal data of Bharatmatrimony users was breached, but the platform faced no consequences. As we have seen earlier, such data often ends up in the hands of data brokers who will sell your data to anyone from advertising agencies to researchers - and that’s if you’re lucky. Data taken from dating apps can also end up on pornographic websites, or be used in phishing or fraud.
The PDP Bill
The PDP Bill extends the definition of sensitive personal data to include not just gender and health information, but also religious affiliation, caste or tribe, and an expanded notion of financial information. Under the Bill, personal data may be processed subject to valid consent, which means consent that is free, informed, specific, clear and capable of being withdrawn. In addition, processing sensitive personal data requires explicit consent, which means the consent obtained must (i) inform the data subject about the purpose of processing which may cause significant harm, (ii) be direct and not inferred, and (iii) be separate for different purposes and categories of sensitive personal data. Since the Bill only protects personal data, non-personal user data is still at risk. As we have written extensively earlier, in today’s world anonymised data means very little.
The European General Data Protection Regulation (GDPR) separately addresses automated/algorithmic decision-making. This means data principals have rights like notification, access, and objection if subjected to purely automated decisions. The Indian Bill, however, does not draw such a distinction.
Furthermore, the Bill fails to adequately safeguard data of any sort in the case of data breaches. Clause 25, which deals with the breach of personal data, states that in cases where a data breach may cause harm to the data principal, the data fiduciary (the GeoSocial Networking platform) must inform the Data Protection Authority, not the principal themselves. Moreover, there are no penalties imposed on the data fiduciaries in the event of a data breach.
Solution
To remedy some of these problems, here are a few of our recommendations:
- Dating and matrimonial platforms to process data responsibly: This is to be done in compliance with the PDP Bill. If any sort of data processors are hired, they will need to be monitored to ensure compliance. Such data processors may only be appointed vide a contract and are bound by the instructions of the data fiduciary and must treat data as confidential as per Section 31 of the Bill.
- Messages on GeoSocial Networking platforms should be encrypted: While the messages sent between users on GeoSocial Networking platforms like Tinder are secure at the server level, they are not end-to-end encrypted or safe from data breaches or third-party access. The onus falls on the companies providing such services to protect the messages of their users.
- Protect Non-Personal Data: Allow non-personal and anonymized data to be regulated by the Data Protection Authority. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms for non-personal data.
This is the fifth post in our #PrivacyOfThePeople series on how the Personal Data Protection Bill will impact different facets of our life; you can read part 1 on worker surveillance here, part 2 on the farmers here, part 3 on social media here, part 4 on healthcare data here, and part 5 on student data here.
Important Documents
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- Previous blogpost dated January 18, 2021, titled “Unconstitutional draft report on non-personal data ignores concerns about privacy and data monopolies” (link)
- The SaveOurPrivacy Campaign (link)
This post was drafted by Tanvi Roy, who is currently interning at IFF and reviewed by IFF staff.