How do we uphold data privacy in a “smart" world dominated by the Internet of Things (IoT), sensors, algorithms and apps? Can individuals have a meaningful degree of control over the vast amount of personally identifiable information (PII) generated and transacted across platforms in cyber space? Or are we on course into a world where online privacy would become a “luxury good", as indicated by experts in a survey by Pew Research Center.
There are increasing call-outs advocating the need for India to enact a comprehensive data protection law. Here are a few reasons in support of the argument:
March of digitization
With the Digital India roll-out, push on digital payments, rising e-commerce penetration, and an unprecedented number of platforms and services transacting PII of individuals, a stronger data protection regime is a must to foster trust in the data ecosystem. With rising cybercrime and data breaches, and absence of strong data protection regulatory framework ensuring consumer protection and right to recourse, individuals tend to resort to non-electronic means for transactions. A survey by the Centre for International Governance Innovation (CIGI), in collaboration with the United Nations Conference on Trade and Development (UNCTAD) and the Internet Society, shows that privacy issues top the concerns that constrain e-commerce growth.
Inadequate regulatory protection
The Information Technology (IT) Act 2008 Section 43A Reasonable Security Practices and Procedure rules are not a substitute for a data protection regime. Most government departments and agencies are not “body corporate", and hence beyond the remit of Section 43A compliance requirements. Also, regulatory oversight and enforcement has not been effective to ensure compliance by the organizations.
Share in global digital trade
Cross-border data flows are increasingly becoming a key determinant for claiming a country’s share in the global digital trade. Countries are enacting new data protection regulations or amending existing laws, developing multilateral trade agreements concerning data flows (Trans Pacific Partnership, Transatlantic Trade and Investment Partnership). Or they are trying to create regional harmonies—such as through the Regional Comprehensive Economic Partnership (RCEP)—to emerge as lucrative destinations for digital investments. Nasscom-DSCI’s vision to establish India as a cybersecurity hub or as a cloud hub could be constrained because of an inadequate data protection regime.
Business enabler for the outsourcing sector
Other than the obvious opportunity loss of business from regions like the European Union (EU)—which demands comprehensive data protection regulatory protection even for business-to-business (B2B) processing transfers—having an inadequate data protection regime risks the Indian IT-BPM industry losing out to potential economies that are upgrading their laws to ensure regime interoperability. Nasscom-McKinsey Perspective 2025 pegs the Indian outsourcing industry at $350 billion, provided the sustenance of India as an IT outsourcing hub coupled with growth from new verticals. With industry professionals acquiring niche skill sets, a stronger data protection regime would act as an enabler for business growth and employment opportunities amidst the global job market crisis.
Imposing fines and penalties
This should probably feature lowest on the government’s list of motivations to enact a data protection law. However, lack of a stringent legal framework for PII protection has not only led to privacy violations going unpunished, but it also limits consumers’ rights to claim compensation against casual and unethical data privacy violations and constrains the government’s ability to impose fine and penalties. The EU General Data Protection Regulation (GDPR) has raised the stakes by increasing the limits on fines up to 4% of the global turnover or 20 million euros, whichever is higher. Recently, the Federal Trade Commission (FTC) got a $2.7 million judgment over billions of unlawful robo-calls. Italy’s data protection authority, the Garante, fined five companies in excess of 11 million euros for unlawful processing of PII. Internet giants have been fined heavily and consistently by EU regulators, over the years, for privacy violations. While the Indian government should not set ‘budgetary targets’ from data privacy violations by organizations, stringent penalties and enforcement prompts organizations to invest in cybersecurity and develop more robust software—besides acting as deterrence against off-the-cuff data privacy violations. The earnings should be reinvested in improving awareness to drive data privacy adoption in the country.
The task of revising the data protection regime is vital for the progress of the country, and should be undertaken on priority. Rather than copy-paste the European model, we should develop a regime that suits the Indian context and protects against privacy violations but does not stifle technology innovation. With the Ministry of Electronics and Information Technology (MeitY) initiating work on a Data Protection Law, Justice AP Shah’s privacy expert group report could serve as a good starting point.
The author works with the Data Security Council of India (DSCI). The views expressed are personal.
Comments are welcome at firstname.lastname@example.org