Major data breaches over the past four years include the exposure of personal and sensitive data of citizens held by the government (covid data from ICMR), airlines (Air India and Akasa), a major health insurer (Star Health), an ed-tech firm (Unacademy), financial intermediaries (JusPay and Upstox) and other consumer-facing internet firms (BigBasket and RentoMojo).
India’s internet adoption continues at a blistering pace. We could have 900 million active users by 2025, with world-leading levels of app downloads and content consumption. Both the government and private sector are betting on digital channels to strengthen service delivery and reach new markets.
Existing internet businesses with large customer bases are turning to ad-supported business models in pursuit of sustainability, while states use WhatsApp to facilitate citizen-centric public services. These developments mean internet users have richer-than-ever digital footprints.
Individuals navigating the digital economy must increasingly deal with interfaces powered by artificial intelligence (AI). As businesses test the premise that AI-led automation will cut costs and enhance service levels, consumers are forced to share information with AI chatbots for everything from purchases to grievance redressal.
AI’s lure as a productivity enhancer means that unsuspecting consumers are sharing confidential personal information for financial planning, mental health support and other services.
India’s Digital Personal Data Protection (DPDP) Act was passed six years after the Right to Privacy verdict in 2017.
That landmark Supreme Court ruling was followed by an initial draft bill proposed by the Justice Srikrishna Committee in 2019, a Joint Parliamentary Committee report and revised draft in 2021, a withdrawal of that draft in 2022, and then a new bill that was eventually passed by Parliament in August 2023.
Since then, there have been discussions and hints about planned penalty limits, potential transition periods and enforcement mechanisms, and many missed deadlines to notify the DPDP Act’s rules, but no publicly known progress has been made.
Though this was announced before the 2024 general elections as part of the government’s 100-day action plan, individuals and businesses still await clarity on what this new legislation holds.
The Digital India Act, touted as a law to cover everything from social media regulation to AI governance, and the national cybersecurity policy last updated in 2013 are both essential to India’s data governance framework, but haven’t seen progress in the past four years.
Efforts by telecom authorities to curb spam and fraud have been in the works since 2021 and are yet to be fully implemented. This is an indication of the intensive engagement, adaptation and refinement needed to roll out a system that works for India’s scale and diversity of users.
Businesses will need a substantial transition period to comply with the rules once they are notified; most countries opt for 24 months (except China), so the Act may be fully in effect only after 2027 in India.
Companies will need to assess gaps in how they currently collect and process data and the cost of complying with the DPDP Act, and then put in place systems to follow the rules while minimizing customer-service disruption. Regular audits and data breach reporting are key requirements of the Act that will pose challenges for small businesses with resource constraints.
Apart from businesses, the government too will need to tweak its policy. Global experience has shown that arriving at the right balance of effective protection and a low compliance burden requires consultation with stakeholders and feedback from them.
Countries have increased financial penalties for non-compliance, strengthened accountability requirements and enhanced the investigative power of their data-protection authorities as they learn from the transition period. Such learning could also lead to a revision of foundational concepts of data classification or provide new protections, like the right to data portability.
This is complicated by the need for data protection to work in harmony with policies in other areas, such as consumer protection, competition, cybersecurity and international cooperation.
The government’s proposed measures in the DPDP Act include age verification for minors, a contentious topic that has seen experiments ranging from self-reporting a date of birth before accessing a service—mostly ineffective—to excessive and invasive modes such as AI-based age verification through photos or KYC checks.
‘Deemed consent’ provisions enable the processing of a user’s data without explicit consent under specific conditions, and if combined with the many exemptions made for the state, these may hollow out the protections for vulnerable groups who have little choice but to provide their data to the government for social protection and other essential services.
The delay in India’s notification of draft rules imposes a high and invisible cost on people’s privacy. Their rollout must be prioritized to prepare the online ecosystem and institute an effective data protection regime in the country.
The author is principal, technology and innovation, at Artha Global