For the past five years, India has been on a journey to create a comprehensive data protection law. Those efforts include a report from a committee formed to study privacy issues in India, data protection bills, and most recently, a report from a committee tasked with studying one of those bills. Despite these efforts, no laws have been passed—and the recent committee report produced a number of causes for concern. For example, several members noted their objections to the provisions that enable the government to exempt its agencies from the bill’s provisions.

The current version of the bill has been modified to address a host of economic, nationalistic, and privacy-related concerns or objectives. Creating a law that addresses all these issues while also effectively regulating India’s rapidly changing technology landscape may be too gargantuan a task. There may be merit in first creating a privacy or data protection law, then addressing other concerns and objectives in subsequent legislation or policies.

Arjun Kang Joseph
Arjun Kang Joseph is a senior research analyst with the Technology and Society Program at the Carnegie Endowment for International Peace India. He works primarily on data, privacy, and the intersection of health and technology.
More >

In fact, in a recent interview, the IT minister refuted reports that the government was considering introducing new data protection legislation. These reports had suggested that the reason the government was considering creating fresh legislation was that the current version of the data protection Bill did not comprehensively addresses the requirements of the country’s changing technology landscape. The minister also said that the government was targeting the monsoon session of Parliament to get approval for the bill. As the timeline for creating this law drags on, the question is now whether India can afford the delay in the creation of its data protection framework.

There are several reasons that may point otherwise. New technologies that enable more granular and real-time data collection are constantly being developed. Larger and more detailed data sets are being created to aid in the development of better and more complex artificial intelligence systems. Without a law to govern this data collection, these technologies give rise to ever greater privacy and surveillance concerns.

Over the past few years, India has seen a significant uptick in the number of data breaches, ranking third in the world. In 2021, five major data breaches alone resulted in the data of 113 million users being leaked. Apart from being a privacy concern, this is also an economic concern. A recent report by IBM Security and Ponemon Institute estimated the average total cost of a data breach in India in 2021 was Rs. 16.5 crores ($2.17 million).

In the absence of a law, companies are free to indiscriminately collect data. Having a data protection law would protect citizens’ privacy, while also creating greater consequences for data breaches. This would aim to prompt companies to better protect the data they possess.

The Indian government has also increasingly begun to collect data to be used in connection with newly developed technologies, in efforts to improve governance and facilitate better delivery of services. Some of the major examples include Aadhar, a unique identification number issued by the Indian government; e-Sign and e-KYC, services that allow users to digitally authorise official documents; and the digital health infrastructure—the Unified Health Interface—created under the National Digital Health Mission. A very recent development on this front was the  draft India Data Accessibility and Use Policy published for public consultation by the government. The policy aimed to provide greater access to government held data in order to provide opportunities for better governance, service delivery, and innovation, and to harness the value of Indian data. After much criticism, the government has now revised the proposed legislation. The revised version is to be released soon.

In order for citizens to avail the benefits of these government initiatives or even be willing to participate in them, they first must trust the systems being created. This trust will only be generated when they know that their data is protected by law and that appropriate checks and balances exist to prevent misuse of their data.

Aside from the privacy-related issues, there are a few other factors that must be kept in mind.

The current situation is fraught with regulatory uncertainty, as it is still unclear which form this law will take. This has its own cost. Aside from a lack of clarity around legal and compliance measures, such policy uncertainty also acts as a deterrent to enter the Indian market, which will in turn reduce competition and may affect consumer welfare, stifle research and development, and more.

The creation of the law also will not mean that it will be implemented immediately. India will still need time to set up the proposed Data Protection Authority, the cross-sectoral regulator outlined in the recent bill. The DPA will then have two years to implement the law, as per the current timeline.

Lastly, India needs to be clear on its internal framework for the treatment of data before it can look to exert its influence in this sphere externally. This is especially important considering the fact that India will assume presidency of the G-20 in December, and having a clear stance could help position it to be a leader in this space, rather than a follower. It is India’s best interest to create a data protection law sooner rather than later.