Data Privacy Day: How Far Has India Progressed In Protecting Your Information?

Data Privacy Day: How Far Has India Progressed In Protecting Your Information?

SUMMARY

While data is helping power innovation, shape user experiences, and fuel economies, it has also raised critical questions about control, consent, and security

In India, the rules for data privacy and security are in the process of being thrashed out under the Digital Personal Data Protection (DPDP) Act, 2023, even though the country is taking giant leaps on the global digital landscape

A report survey by PwC on over 3,000 consumers found that 56% of them were completely unaware of their rights related to personal data, while only 9% of organisations covered said that they have a comprehensive understanding of the DPDP Act

Had it been some six decades later, poor McKenna wouldn’t have taken such a fateful journey, but just logged into his computer and hit the gold mine. Data, the biggest treasure trove of this age, celebrates 28 January as its day of security and protection from prying eyes.  

At a time when every swipe, search, click, and share leaves a digital footprint, data privacy has attained immense significance across the world. From social media apps tracking our preferences to ecommerce platforms predicting our next purchase, the convenience of technology often comes at the expense of our privacy. While data is helping power innovation, shape user experiences, and fuel economies, it has also raised critical questions about control, consent, and security.

As governments enforce stricter regulations and companies adopt various policies, individuals are left wondering – how much of their personal information is truly safe?

In India, the rules for data privacy and security are in the process of being thrashed out under the Digital Personal Data Protection (DPDP) Act, 2023, even though the country is taking giant leaps on the global digital landscape.

On this Data Privacy Day, we chose to delve deeper into the current state of the country’s data privacy rules, understand its strengths, map its gaps, and assess the state of awareness among consumers and companies on the impending law. It is pertinent to note that this year’s theme is “Take Control of Your Data”.

India’s Take On Data Privacy

In August 2023, the Lok Sabha passed the DPDP Bill, 2023. The aim was to replace the data protection rules that were largely enforced through Section 43A of the Information Technology Act, 2000. 

Although there are some major differences between the DPDP Act and the EU’s General Data Protection Regulation (GDPR), both intend to adhere to the global standards in safeguarding sensitive data.

After much back and forth, the Ministry of Electronics and Information Technology (MeitY) released the draft rules for the DPDP Act to the public on January 3 this year and kept the feedback window open till February 18. 

However, there continue to be multiple caveats and the stakeholders have raised some concerns over the proposed rules.

The DPDP Act has a major focus on ‘data fiduciaries’ – the internet companies and social media platforms that collect personal data from users – to prevent misuse of the information and penalise companies that flout the data protection rules.

Some policy experts, however, believe that the Centre has taken a faulty approach by targeting the data fiduciaries to protect the fundamental ‘right to data privacy’.

“The current draft is inadequate. Anything that has to be controlled at a platform level cannot be done by just passing a legislation because a legislation structure says that one has to set up a regulatory body, which will have rules with provisions of slapping penalties and fines,” K Yatish Rajawat, founder of the Centre for Innovation in Public Policy, told Inc42. 

“In a platform economy, these regulations can never be implemented because the only way to implement them is to see the violation from the platform itself. And these platforms will never really reveal that it has violated a rule or a law.” 

According to him, these are complex adaptive platforms that are equipped to change their behaviour through algorithms before these are passed. “They can easily escape penalties.” Rajawat said that this is a global problem where laws are failing to catch up with technology.

Heena Vazirani, partner in risk consulting at PwC India, hailed the Act as a significant move towards strengthening data privacy as it grants individuals greater control over their personal data and sets clear directives on how organisations should collect, process, and protect this data. 

Vazirani, however, believes that some key gaps need urgent attention to make the framework more robust. “The current framework lacks clear, proportionate compliance requirements for small businesses, especially MSMEs and startups,” she said. “Given their limited resources, these businesses could face overwhelming compliance costs, potentially stifling innovation. India needs scalable, affordable solutions and simplified protocols tailored to their needs.”

In recent weeks, new-age tech startups like MobiKwik, ixigo, OYO, Dream11, Khatabook, and Razorpay reportedly met with government officials to discuss their concerns around the draft rules under the Act.

As per media reports, these startups have been concerned about cross-border data transfer. They have also shared their concern over potential overlap between existing sector-specific regulations for fintech and insurance firms from the RBI and the IRDAI, and over the rules laid out in the DPDP Act.

“The ambiguity around cross-border data transfer regulations poses a risk to India’s participation in the global digital economy. Clear, internationally aligned guidelines are needed to facilitate seamless data flow, while ensuring privacy standards,” Vazirani told Inc42.

She also pointed out that there continues to be a significant gap in public understanding of data rights and privacy protection in India, and the Centre must invest in nationwide awareness campaigns and educational initiatives to empower citizens and foster a privacy-conscious society.

A report published by PwC last year has been an eye-opener. In the survey of over 3,000 consumers across the country, it found that 56% were completely unaware of their rights related to personal data.

Meanwhile, the survey on 186 respondents representing organisations found that only 9% organisations have a comprehensive understanding of the DPDP Act.

 

Understanding of dpdp act

AI Innovation And Rising Threat To Data Privacy 

With artificial intelligence (AI) penetrating deeper into our lives in every sphere, AI innovation has accelerated rapidly. The emergence of GenAI and the era of Agentic AI have greatly multiplied the challenges to data protection and privacy. There are growing concerns around deepfake across sectors. In the absence of a robust law around data privacy, the idea of ‘responsible AI’ has become trickier.

Speaking on the potential risks, Sreedharan KS, chief compliance officer at ManageEngine, a division of Zoho Corp, said that adversarial attacks on machine learning (ML) models are one of the emerging AI-specific security risks. Using these methods, organisations or individuals with malicious intent might modify input data, steal a model through repeated queries, and leak information.

To address such potential privacy and security control risks, organisations can use quality data, data anonymisation, input sanitation and filtering, and a few other methods. Sreedharan called for strong guidelines and training for responsible use of AI. 

He highlighted that everyone, including consumers, is a data subject with expectations that their personal data is not misused. Organisations prioritising data privacy and security gain a competitive edge by building customer trust in an increasingly digital world.

In an attempt to counter this challenge, the MeitY recently introduced AI governance guidelines as part of its INR 10,371.92-Cr IndiaAI Mission. Most industry stakeholders Inc42 spoke to believe that the DPDP Act might help frame these regulations better, but more needs to be done.

PwC India’s Vazirani said that in the case of AI systems like loan eligibility prediction, the DPDP Act ensures that the personal data used is sourced ethically with necessary consent, promoting fairness and transparency in AI decision-making processes. By holding organisations accountable for how data is processed and stored, the Act ensures that AI developers implement robust governance structures to audit their algorithms for fairness and transparency. 

While the Act lays a strong foundation for ethical AI, particularly in areas of data privacy and transparency, India needs to complement it with more specialised regulations that focus on ethical development and deployment of AI technologies to resolve concerns like algorithmic bias and AI explainability, she said.

As we move from first-generation AI where people ask general questions, agentic AI requires acting on someone’s behalf. This is where the stakes for privacy rise dramatically, according to experts. Instead of simply answering a query, the AI now needs sensitive personal information like dates, date of birth, email, phone number, and credit card details. While some basic guardrails exist in these systems, the real challenge lies in building robust privacy controls and governance frameworks to manage the explosion of personal data.

Need For More Awareness Around Data Privacy

Awareness around data privacy remains at a low level in India, even though the digital revolution is accelerating in leaps and bounds. Organisations might have to quickly adapt to the rules once they are passed as law, but consumers are still not aware of their rights to privacy. This gap creates a space for misuse of data through cyber attacks.

In the banking, financial services, and insurance (BFSI) segment, the lack of consumer awareness has been the biggest cause for concern. While organisations will not only have to adhere to the impending rules, their onus also lies on educating their customers about potential data privacy and security risks.

implementation of DPDP act

Sivaram Kowta, president of banking at Zeta, told Inc42 that banks must take measures such as encryption, real-time threat assessment, and breach detection to safeguard customer data while also ensuring timely response to any breaches. 

“Empowering customers by honouring their rights to access, correct, and erase data is vital,” he said. “Clear consent management processes ensure customers remain in control of their personal information.”

The gaps in DPDP can be surely addressed through dialogues among key industry stakeholders and periodic reviews. As Rajawat noted, laws like DPDP need to be framed by technocrats, and not lawyers.

While the Indian DPDP law is forward-looking and modern, based on principles similar to other privacy laws, as technology evolves and new systems are built, we may need to rethink how we frame these laws, said Anshu Sharma, cofounder and CEO of data and AI privacy company Skyflow. 

“My hope is that regulators will continue to change and evolve the rules as technology and platforms change. The goal is not to create a static, inflexible regulatory structure, but a responsive framework that can effectively protect individual and business interests while enabling technological innovation,” Sharma said.

[Edited By Kumar Chatterjee]

You have reached your limit of free stories
Become A Startup Insider With Inc42 Plus

Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in india's startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Data Privacy Day: How Far Has India Progressed In Protecting Your Information?-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Data Privacy Day: How Far Has India Progressed In Protecting Your Information?-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Data Privacy Day: How Far Has India Progressed In Protecting Your Information?-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Data Privacy Day: How Far Has India Progressed In Protecting Your Information?-Inc42 Media
Data Privacy Day: How Far Has India Progressed In Protecting Your Information?-Inc42 Media
You’re in Good company