Here’s how the Ministry of Corporate Affairs’ open database is fueling a ‘Spam Bazaar’

New Delhi: When a new entrepreneur registers a company with the Ministry of Corporate Affairs, the last thing they expect is a flood of promotional emails, from banks offering zero-balance accounts and insurance companies pushing policies, to courier services pitching logistics support and IT vendors asking about tech needs. Often, these cold calls and spam start even before the official Certificate of Incorporation has arrived.

On Sunday, IPS Arun Bothra, Additional Director General of Police (Railways), Odisha, Bhubaneswar, tweeted, “A friend registered a company with the ROC last week. Suddenly, he is getting mail from banks to open an account with them and take out a loan. Insurance companies are offering policies. Courier companies are offering their services. Computer and software dealers are asking if he has any business opportunities for them. He can’t even ask who stole and sold his data in the open market.” 

A friend registered a company with the ROC last week. Submitted all information about his firm along with the contact details.

Suddenly, he is getting mails from banks to open account with them and take loan. Insurance companies are offering policies. Courier companies are…

— Arun Bothra 🇮🇳 (@arunbothra) July 27, 2025

His tweet quickly triggered a chorus of similar experiences. The blame, most agreed, lay squarely with the Registrar of Companies under the Ministry of Corporate Affairs, the body responsible for maintaining the public database of Indian companies and directors.

“There is only one possible source for this data leakage, the ROC office itself. The application for company incorporation happens at the ROC office and portal; they must be giving out this data,” Amit Ranjan,  Architect for the National Digital Locker Project, plainly said.

For years, the Ministry of Corporate Affairs has maintained one of India’s most publicly accessible corporate databases. Through the MCA21 portal, anyone can, for a nominal fee, download incorporation papers, director appointments, and financial filings. These documents often include personal information submitted during registration, such as PAN cards, Aadhaar numbers, email addresses, phone numbers, and even residential addresses of directors.

While the intention is regulatory transparency, this access has raised growing concerns around personal privacy. Many entrepreneurs are unaware that their personal contact details may become easily accessible once they incorporate. Amit Ranjan noted, “To the best of my understanding, an incorporated companies list is a public database. As soon as registration is done, the company name is available publicly. But not the phone number, email ID, that can only be available if the ROC office is giving it over, either for payment or else.”

The lack of clear boundaries between corporate disclosure and personal privacy in India’s regulatory systems has made such misunderstandings increasingly common.

What data is publicly visible in MCA’s master data / ROC registry?

Company CIN, status, incorporation date
Directors' full names and DINS
Directors' personal address, email, phone (via DIR-2)
Financial filings (balance sheet, annual return)
Charges, compliance records
Certified documents attached (PAN, Aadhaar etc.)

How does the MCA portal work?

Technically, the MCA portal does not sell data, but it does make it available to anyone who downloads ROC forms like DIR-12, which contains the attached consent form DIR-2, where directors provide their phone number, email, and address. As a result, it creates a public data bazaar that operates within legal bounds, yet remains deeply exploitative.

“This happened with me, too. Almost every private bank first started emailing, then calling nonstop. And not just banks, insurance agents, loan offers, courier services, software vendors… all out of nowhere. This isn’t just data theft; it’s harassment. You register a company with the ROC, and suddenly your entire contact info is up for sale in the open market. No consent. No protection. No accountability. Data Privacy in India is a joke.

And the worst part? You can’t even ask who sold my data?” one user recalled. 

Legally, the MCA is not in the wrong. As per the Companies Act, details filed with the ROC, regardless of sensitivity, are considered public information. Since these disclosures are made as part of statutory compliance, India’s recently enacted Digital Personal Data Protection (DPDP) Act 2023 exempts them from the need for individual consent. But legality doesn’t equal ethical clarity.

A scroll through X revealed the emotional and operational toll this loophole takes on small founders and directors. One user recalled, “We also had rubber stamp dealers sending all co-directors messages when we opened a Sec 8 company.”

Anil Chhikara, Chairman of Startup India foundation, called it out bluntly: “Big scam, all this data is for sale from RoC to all these spammers.”

The intrusion is often immediate, “Even before the ROC sent my mail, the banks started calling. One of those bankers only told me the company was registered. One bank went ahead and opened a current account also,” one user recalled.

For some, the flood never stops. As another founder noted, “Very common practice. We started 4 years back and still today I get at least 2–3 promotional emails from banks, internet service providers, logistic partners and whatnot.”

For professionals working in data governance and compliance, this scenario poses a classic conflict of corporate transparency versus individual privacy. The MCA has historically favoured the former, preserving a searchable public record of corporate activities. But in the age of digital data mining and AI-driven scraping, old transparency frameworks are turning into tools for mass harassment. And for now, entrepreneurs have little recourse. There is no opt-out mechanism. No request form for redaction. No anonymisation standard. Not even a warning at the time of filing. This leads to one burning question: why aren’t directors explicitly told that their personal details will be publicly accessible?

The answer lies in regulatory inertia. Indian incorporation forms have remained largely unchanged in format for years. While the government has digitised processes, it hasn’t yet updated its mindset to factor in how publicly posted data is now scraped, sold, and repackaged, often within hours.

The MCA’s silence, paired with the DPDP Act’s public-data exemptions, makes one thing clear: unless the government acknowledges this as a systemic breach of privacy and introduces stricter safeguards, the data bazaar will continue. Until then, every new director who dreams of building something in India’s start-up economy will also have to deal with spam calls, cold emails, fake account openings and the sinking realisation that their personal data was sold before their first product even launched.