India's Data Privacy in a Nutshell

India, now the most populous country in the world, has had a tumultuous relationship with data privacy. In 2017, in the wake of the EU passing the groundbreaking GDPR, India’s Supreme Court ruled that privacy was a fundamental right and advised the government to instill data privacy protections into law. 

Here we are, six years later, and the Indian government has tried multiple variations of a data protection bill, only for all to fail. That has left India lacking both a comprehensive data protection law and a proper data protection authority. 

The country’s first full push came when Parliament introduced a comprehensive bill in 2019, but after widespread criticism, it was shelved. That legislation was revived as the Digital Personal Data Protection Bill (DPDP) in late 2022 and was more closely modeled after the EU's GDPR in hopes of getting the bill through. 

DPDP has been greeted slightly more enthusiastically than its 2019 version, but there is still plenty of debate over the regulation's contents and it only covers personal data, as years of negotiating have gradually whittled the regulatory scope down. To call DPDP a GDPR-offshoot now would be an overstatement, as too many fundamental aspects of GDPR are not present in DPDP.

The Cost of India's Data Privacy (or lack thereof)

This slow-moving regulatory saga comes with real cost to India, a sleeping giant when it comes to the global digital economy. An IMF paper published in late March noted more than 80 million Indians were affected by data breaches in 2021, a year that saw major breaches hit Facebook, Domino’s, Air India, and Mobikwik, among others.  

IBM estimated the average cost of a 2021 data breach in India at $2.2 million. The average cost of a data breach globally in 2021 was $4.24 million. 

While that number is nearly double, reviewing the respective economies shows just how vital the digital economy is in India. India’s GDP per capita is $2256; for comparison, Italy’s GDP per capita is $35657. Despite having several significantly lower economic indicators, data breaches are hitting Indians particularly hard. 

It is no surprise then that the IMF paper concluded that the lack of a comprehensive Indian data privacy law poses a serious privacy risk.

This is all the more head scratching since India’s digital public infrastructure is generally well regarded, having recently paved the way for significant innovation and efficiency gains within the country. 

For all of these gains to not be backed by regulation feels like a major oversight by the government, which has several financial sector regulations in place covering payment data, but otherwise only has a hodgepodge of minor regulations across several industries.

India Data Privacy Draft: DPDP

All things considered, there is a lot riding on the success of the DPDP. The most recent development in the bill’s journey came a few weeks ago, as opposition MPs in Parliament's Standing Committee on Information Technology suggested 40 amendments to the DPDP draft.

The amendments, which largely come from progressives in Parliament, seek to rebuild the draft with more protections for individuals and more limitations to government exemptions. 

Dating back to the initial introduction of the bill, much of the criticism focuses on the lack of power and agency issued to the proposed Data Protection Board, as the Indian government has carved out exemptions for itself on matters such as indefinitely storing an individual's data and "deemed consent" situations where it is in the "public interest" to process data. 

With a vague definition of "public interest," many MPs feel uncomfortable passing the bill as currently written due to the potential for government overreach.

Politician John Brittas has argued the current DPDP draft does not uphold the 2017 Right to Privacy verdict of the Supreme Court that enshrined privacy as a fundamental right in the Indian Constitution. Brittas noted during interviews after the Parliamentary session, "National security should not be a ploy to defeat the purpose of the [DPDP] Bill.”

Despite the extensive list of proposed amendments seemingly slowing down the bill’s path to a vote, on April 11, the Indian government announced its intention to begin consideration of the Digital Personal Data Protection bill (DPDP) during the monsoon session in Parliament in July. 

Attorney General R. Venkataramani noted the period for public comment had concluded and the draft bill had been finalized, although he did not publicly address the amendments suggested just weeks prior.

The timing could be noteworthy, as the Indian Supreme Court hears cases revolving around data privacy matters, including a high profile case against WhatsApp. Of course, as the bill is not guaranteed to pass Parliament in July, the Court will likely go forward with these cases in the interim.

A few additional sticking points for DPDP include the lack of the right to be forgotten and the right to data portability, both of which are enshrined in the EU's GDPR. All of these would affect India’s data privacy landscape as well as the average Indian citizen, as they would enjoy fewer data rights than Europeans and even some Americans. 

India Data Privacy Enforcement

While several financial data regulations have had teeth thanks to strict enforcement from the Reserve Bank of India, many bodies of the Indian government have not historically stretched their regulatory muscles. With the way the Data Protection Board has been outlined, critics are worried it will hold no true power, undercutting DPDP and its individual data rights after multiple rewrites of the bill have already seen them trimmed down. 

The 2022 version is vastly different from India's initial attempt to pass data privacy legislation in 2017, but the proposed financial penalties are staggering: ~$18.3 Million for violations involving children's data and ~$30.5 Million for violations that fail to take adequate security measures to prevent data breaches. 

As years of global data privacy regulation enforcement have shown however, the size of a fine means little if a data protection authority doesn’t see the process through. This is another factor that might lead critics to pause as the bill is brought to the Parliamentary floor in July: do these numbers mean anything if the Data Protection Board can’t enforce and collect them? How much additional government oversight will be required when a private company inevitably does violate India’s data privacy law? 

To be Continued?

The six-year journey from privacy being enshrined in the Indian Constitution to the planned Parliamentary session on a comprehensive data privacy bill has been rocky and only brought up more questions as rights and protections have been removed during debate and public consideration.

The direction India’s data privacy goes will be a bellwether in the field going forward, but right now what happens in Parliament in July is anyone’s guess. Will progressives look past the DPDP’s deficiencies simply to get a law on the books? How will the Indian public, still trying to catch up in terms of digital literacy, react to the law? 

If you’re a privacy professional, you’ll need to keep an eye on India until this saga has concluded.