Introduction to Krafton and BGMI’s Significance in India
Krafton, a South Korean video game holding company, has carved a significant niche in the global gaming industry, most notably through its development of PlayerUnknown’s Battlegrounds (PUBG), a battle royale game that redefined multiplayer gaming. In India, Krafton’s influence is epitomized by Battlegrounds Mobile India (BGMI), a localized version of PUBG Mobile launched in July 2021 to cater specifically to the Indian market. This strategic adaptation followed the Indian government’s ban on PUBG Mobile in September 2020 due to data security concerns tied to its Chinese publisher, Tencent. BGMI’s release marked Krafton’s commitment to re-establishing its foothold in India, a country with over 500 million smartphone users and a burgeoning mobile gaming population.
BGMI’s rise has been meteoric. Within months of its launch, the game surpassed 100 million downloads on Android, cementing its status as a cultural phenomenon among Indian gamers. According to Krafton, BGMI boasts over 50 million monthly active users, a testament to its widespread appeal among India’s youth. The game’s success extends beyond casual play, fostering a robust esports ecosystem. Tournaments like the Battlegrounds Mobile India Series (BGIS) and Battlegrounds Mobile India Pro Series (BMPS) have drawn millions of viewers and offered prize pools exceeding ₹2 crore (approximately $240,000 USD), elevating BGMI to a cornerstone of India’s competitive gaming scene.
Krafton has further underscored its investment in India with a pledge of $150 million over the next few years to support gaming, esports, and tech startups. This commitment reflects India’s growing importance as a gaming market, projected to reach $8.92 billion by 2027, according to Niko Partners. However, this promising trajectory has been overshadowed by recent allegations that Krafton has been selling user data in India, raising serious questions about data privacy and threatening the company’s reputation and operations in the region.
The Allegations: Origins, Specifics, and Entities Involved
Origins of the Claims
The allegations against Krafton emerged on September 5, 2024, when Santosh Torane, a resident of Maharashtra, filed a First Information Report (FIR) with the Malshiras police station. Torane accused Krafton India of illegally selling personal data of BGMI users without their consent. The complaint named four Krafton executives—WooYol Lim (Managing Director), Jitendra Bansal (Head of Marketing), Yoonal Soni (Head of Business Development), and Wooyol Shalom (Director)—alleging that they orchestrated the data sales in violation of a service agreement signed on August 2, 2021.
Torane’s initial complaint was reportedly ignored by local police, prompting him to escalate the matter to the Judicial Magistrate First Class in Malshiras. Following the submission of evidence documenting police inaction, the court issued an order under Section 156(3) of the Criminal Procedure Code (CrPC), directing the police to register the FIR and investigate. The case has since gained traction, with a hearing scheduled in the Bombay High Court on April 15, 2025, signaling its escalation to a higher judicial level.
Specifics of the Data Purportedly Sold
According to the FIR, Krafton allegedly sold BGMI user data for approximately ₹2,000 (around $24 USD) per subscriber through third-party platforms, including the instant messaging app Telegram. The complaint claims that this data encompassed “confidential information” collected from players, though it does not explicitly detail the nature of the data. In the context of mobile gaming, such information could include personal identifiers (e.g., names, email addresses, phone numbers), device details, location data, gameplay statistics, or even financial information linked to in-game purchases.
BGMI’s privacy policy, accessible on its official website, acknowledges the collection of data such as user IDs, IP addresses, and purchase histories to enhance gameplay and provide services. However, the policy also states that data may be shared with third parties—such as service providers or affiliates—to enable features like leaderboards or advertisements. The allegations suggest that Krafton exceeded these permissible boundaries, engaging in unauthorized sales rather than legitimate data sharing, thereby breaching user trust and legal obligations.
Entities Involved
The FIR does not explicitly identify the entities to whom the data was allegedly sold, referring only to “third parties” and citing Telegram as a distribution channel. This ambiguity has fueled speculation about the recipients, which could range from data brokers and advertisers to more nefarious actors in the cybercrime ecosystem. Telegram’s encrypted nature and its reputation as a platform for illicit transactions lend credence to concerns that the data may have reached unauthorized hands, though no concrete evidence has surfaced to confirm specific buyers.
The involvement of Krafton’s senior executives in the FIR suggests that the alleged misconduct was a coordinated effort rather than an isolated incident. However, the lack of detailed evidence in public filings leaves open the possibility that the accusations stem from a misunderstanding or misrepresentation of Krafton’s data practices, a point the company has fiercely contested.
Legal Framework Governing Data Privacy in India
The Information Technology Act, 2000
India’s primary legal framework for data privacy is the Information Technology Act, 2000 (IT Act), supplemented by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules). Section 43A of the IT Act mandates that companies handling sensitive personal data implement reasonable security practices, with penalties for negligence that result in wrongful loss or gain. Section 72A imposes punishment—up to three years’ imprisonment or a fine of ₹5 lakh (approximately $6,000 USD)—for disclosing personal information without consent in breach of a lawful contract.
The FIR against Krafton invokes Sections 72 and 72A of the IT Act, alleging unauthorized disclosure of user data, and Section 85, which holds companies liable for offenses committed by their employees with their consent or connivance. Additionally, the complaint cites Sections 120-B (criminal conspiracy) and 420 (cheating) of the Indian Penal Code (IPC), framing the data sales as a deliberate and fraudulent act.
Gaps in India’s Data Privacy Regime
While the IT Act provides a foundation for data protection, it lacks the comprehensiveness of frameworks like the European Union’s General Data Protection Regulation (GDPR). The GDPR, for instance, mandates explicit user consent for data processing and imposes fines up to €20 million or 4% of annual global turnover. In contrast, India’s IT Rules are narrower, applying only to “sensitive personal data” (e.g., passwords, financial information) and lacking robust enforcement mechanisms.
The long-pending Personal Data Protection Bill (PDPB), introduced in 2019, aimed to address these gaps by establishing a Data Protection Authority, mandating data localization, and imposing fines up to 4% of a company’s global turnover. However, the bill was withdrawn in 2022, and its replacement, the Digital Personal Data Protection Act (DPDP Act), was enacted in August 2023. The DPDP Act, which came into force in September 2023, introduces stricter consent requirements and penalties up to ₹250 crore (approximately $30 million USD). However, its implementing rules are still being finalized, leaving its full impact uncertain as of late 2024.
Potential Violations by Krafton
If the allegations hold, Krafton may have violated Sections 43A, 72, and 72A of the IT Act by failing to secure user data and disclosing it without consent. The invocation of IPC Sections 120-B and 420 further escalates the case, suggesting a willful intent to deceive users for financial gain. Under the DPDP Act, such actions could attract significant fines and mandatory audits, though the law’s transitional phase may limit its immediate applicability to this case.
Krafton’s Response to the Allegations
Official Statements
Krafton swiftly denounced the allegations as “baseless” in a statement released shortly after the FIR’s registration. The company emphasized its commitment to data security, stating, “At KRAFTON, the protection of personal data is of utmost importance to us, and we are committed to upholding the highest standards of data security.” Krafton highlighted its compliance with Indian laws, asserting that its privacy policy transparently outlines data collection and sharing practices, which are limited to operational necessities like game functionality and user support.
Legal Actions
Beyond public statements, Krafton has mounted a legal defense, filing two writ petitions (Nos. 4806 and 5342/2024) in the Bombay High Court to challenge the FIR and seek a stay on the investigation. Represented by senior advocates from Shardul Amarchand Mangaldas & Co., one of India’s premier law firms, Krafton argues that the allegations lack substantive evidence and constitute an abuse of legal process. The company’s legal strategy appears aimed at quashing the FIR before it progresses further, a common tactic in India to halt investigations perceived as frivolous or malicious.
Operational Measures
Krafton has not publicly detailed specific operational responses, such as internal audits or enhanced security measures, citing the ongoing legal proceedings. However, the company referenced its past efforts to comply with Indian regulations, including the relocation of BGMI user data to Indian servers following the 2020 PUBG Mobile ban. Krafton also noted its collaboration with local authorities during a three-month trial period in 2023, after which BGMI was permitted to resume operations with stringent data security conditions.
Critics argue that Krafton’s response lacks transparency, particularly regarding the specifics of the alleged data sales. The company’s reliance on its privacy policy as a defense has drawn scrutiny, with some questioning whether the policy’s broad language on third-party data sharing adequately informs users of potential risks.
Reactions from Stakeholders
Indian Government
The Indian government has remained silent on the allegations as of late 2024, with no official statements from the Ministry of Electronics and Information Technology (MeitY) or other relevant bodies. However, the case’s progression to the Bombay High Court suggests that authorities are monitoring developments. India’s prior ban on PUBG Mobile in 2020, citing national security and data privacy risks, looms large, raising fears that BGMI could face similar restrictions if the allegations are substantiated.
The government’s cautious stance is evident in its handling of BGMI’s relaunch in 2023, which included a temporary approval contingent on compliance with data security norms. Any evidence of data mismanagement could prompt MeitY to revisit this approval, potentially imposing fines, operational curbs, or an outright ban.
Cybersecurity Experts
Cybersecurity experts have offered mixed perspectives. Dr. Anupam Tiwari, a cybersecurity consultant, noted that data sharing with third parties is standard in gaming for analytics and advertising but emphasized that “selling user data without explicit consent crosses ethical and legal lines.” He suggested that technical audits of Krafton’s servers could clarify whether unauthorized transfers occurred, though no such audits have been publicly confirmed.
Conversely, Rohan Sharma, a data privacy analyst, expressed skepticism about the FIR’s credibility, arguing that “the evidence appears anecdotal, and the complainant’s motives are unclear.” Sharma pointed to Krafton’s compliance history, including its adherence to data localization mandates, as a counterweight to the allegations.
Gaming Community
BGMI’s player base has reacted with a blend of concern and defiance. On platforms like X and Reddit, users have voiced alarm over potential data breaches, with posts like “If Krafton sold my data, I’m done with BGMI” gaining traction. A survey by gaming portal IGN India found that 62% of 1,000 respondents were worried about their privacy, though only 15% planned to uninstall the game immediately.
The esports community, which relies on BGMI for livelihoods, is particularly apprehensive. Teams like Team Soul and GodLike Esports have called for clarity from Krafton, warning that a ban or loss of player trust could devastate the ecosystem. Some players have initiated hashtag campaigns like #ProtectBGMIData, urging Krafton to address the issue transparently.
Potential Implications for Krafton’s Operations in India
Legal Consequences
If the allegations are proven, Krafton could face severe legal repercussions under the IT Act and IPC. Fines under Section 43A could reach ₹5 crore per violation, while Section 72A carries imprisonment and monetary penalties. The DPDP Act, once fully operational, could impose fines up to ₹250 crore, a significant hit given Krafton’s reported $1.9 billion revenue in 2023. Executives named in the FIR could also face personal liability, including jail terms of up to seven years under IPC Section 420.
Compensation to affected users is another risk. With over 50 million monthly active users, even modest payouts could strain Krafton’s finances. A class-action lawsuit, though rare in India, remains a possibility if the case gains momentum.
Impact on User Trust
Even if Krafton prevails legally, the allegations could erode user trust, a critical asset in the gaming industry. A 2023 PwC India report found that 78% of Indian consumers prioritize data privacy when choosing digital services. A perceived breach could drive players to competitors like Garena Free Fire or Call of Duty: Mobile, both of which have sizable Indian audiences.
Future of BGMI
BGMI’s future hinges on the outcome of this controversy. A ban, similar to PUBG Mobile’s fate in 2020, would disrupt Krafton’s $150 million investment plan and dismantle India’s BGMI-centric esports ecosystem. Even short of a ban, increased regulatory oversight—such as mandatory data audits or restrictions on in-game monetization—could hamper the game’s profitability and appeal.
Insights from Industry Analysts
Broader Impact on the Gaming Industry
Analysts view the Krafton case as a wake-up call for India’s gaming sector. Salonee Gadgil, a gaming industry expert at Niko Partners, predicted that “this could accelerate the DPDP Act’s implementation and spur sector-specific regulations.” She noted that gaming companies, often lax on data privacy due to their entertainment focus, may face higher compliance costs, potentially deterring smaller developers.
The situation also highlights India’s growing scrutiny of foreign tech firms. With Chinese apps like PUBG Mobile already restricted, South Korean and Western companies could face similar pressure to localize data and adhere to stringent norms.
Lessons for the Industry
Analysts recommend proactive measures: transparent data policies, regular security audits, and user education campaigns. Case studies like the 2018 Cambridge Analytica scandal, which cost Facebook billions in fines and reputational damage, underscore the risks of data mismanagement. Indian firms like Nazara Technologies, which prioritize local compliance, offer a model for balancing growth and trust.
Steps to Rebuild Trust and Ensure Compliance
Transparency and Communication
Krafton must prioritize transparency, releasing detailed reports on its data practices and the investigation’s findings. Hosting town halls or publishing FAQs could demystify its processes for users, addressing concerns directly.
Enhanced Security Measures
Adopting best practices—end-to-end encryption, data anonymization, and third-party audits—would bolster Krafton’s defenses. Collaborating with firms like Deloitte or EY for independent verification could lend credibility.
Regulatory Engagement
Krafton should work with MeitY and the Data Protection Authority (once established) to align with emerging norms, potentially volunteering for pilot compliance programs. Advocacy for balanced regulations could position Krafton as a responsible industry leader.
User Empowerment
Educational initiatives, such as in-game privacy tutorials or opt-in data-sharing options, could empower players. Offering rewards for privacy-conscious behavior, like bonus in-game currency, might incentivize engagement.
Conclusion: The Road Ahead for Krafton and the Indian Gaming Industry
The allegations against Krafton mark a pivotal moment for the company and India’s gaming landscape. While the legal battle unfolds, the case has ignited a broader discourse on data privacy, regulatory oversight, and corporate accountability. For Krafton, clearing its name is only half the battle; restoring user confidence and navigating India’s evolving legal framework will demand sustained effort.
As India’s gaming market grows, the stakes for data privacy will only rise. Companies that treat trust as a priority—through transparency, security, and compliance—will thrive, while those that falter risk losing a generation of players. For Krafton and BGMI, the road ahead is fraught but not impassable, offering a chance to set a new standard for privacy in India’s digital playground.