Personal Data Breach Hyderabad
Screenshot of X user indicating misuse personal dataOfficial X platform

Reports from users on X have been circulating claims that personal information and data of some hotel residents from Hyderabad and Visakhapatnam has been shared with an American crypto firm, 'Zebichain'.

Some of these date back over a few years (from 2019). It has been alleged that the information sharing has taken place without any due intimation or consent from the concerned persons/parties.

With India guaranteeing its citizens 'the right to privacy' and having enacted the Digital Personal Data Protection Act in 2023, the protection of data privacy can be called into serious question here, if such claims are duly proved to be conclusive and true.

Personal Data Breach Hyderabad 2
Screenshot of an X user highlighting the issue with the Telangana PoliceX Official platform

Through a series of posts on X, users have relayed their concerns and experiences publicly on the platform, while also raising the issue with the Telangana Police regarding the matter. Apart from the sharing of personal data, a user also reported that "webcam captured photos' have also been shared. In addition, some statements also said that consent was not obtained or the residents were unaware of such data aggregation.

For context, information usually shared with hotels like names, addresses, contact information and gender amongst others constitute 'personal data' under the law and explicit consent has to be obtained from the person whose data is gathered for any type of use (subject to some exceptions such as national security). In addition, persons have the right to request removal of such data, as well as the rights to 'object to' and restrict such use.

In 2018, 'Zebichain' or 'Zebi Data' had made the following statement regarding the information sharing. Babu Munagala, Founder, MD & CEO (in a interview with Entrepreneur.com-India) stated "All of the private and sensitive data of individual hotel guests is stored in the blockchain and any access or updates to the data are part of the immutable records on the blockchain. The individual remains as the full controller of data as the consent of the individual is taken before every use of their data," he says while adding that, "When a visitor enters the hotel and already has a Zebi ID, he/she can check in within seconds. If not, he/she can provide a picture and photo id, and create a Zebi ID, which is stored on Zebi's blockchain platform. The guest will no longer have to leave a printed photocopy of his/her id card or mobile number with the hotel because his/her Zebi ID is on the Blockchain. This mitigates the risk of the guest data being misused by a hotel or other enterprises."

Though robust data privacy laws in their current form were not in place at the time in 2018 and only took effect in September 2023, it remains unclear as to the pervasiveness of such information sharing over time, where it is now and the purpose for such data aggregation.