As one of the first Indian citizens to receive a certification from the IAPP in 2011, Shivangi Nadkarni, CIPT, has been on the cutting edge of the development of India's privacy landscape. While pursuing her certification, she co-founded Arrka in 2010, which developed India's first and only privacy platform helping small- and medium-sized businesses manage their privacy programs. Today, Arrka operates a privacy lab for clients to test their systems and works with the IAPP as an official training partner. Arrka recently published the 2022 iteration of its annual report on personal data collection in India: "State of Privacy: Mobile Apps and Websites from India."

Nadkarni spoke with IAPP Staff Writer Alex LaCasse and reflected on how India became a major technology hub since her career began in the late 1990s. She also discussed the latest legislative developments surrounding the proposed Digital Personal Data Protection Bill and how likely India is to pass the legislation in the near future. 

Editor's note: This conversation has been edited for length and clarity. 

The Privacy Advisor: How did you get your start in privacy, and what most interests you about it?

Nadkarni: I worked in the information security field from 1999 to around 2010, and one of my industry friends casually mentioned I should start looking at data privacy. I started looking into privacy, found the IAPP and took an interest in a certification program. I wrote to the IAPP about wanting to take an exam and didn’t realize they had never conducted an exam in India before. In 2011, I heard from the IAPP and took my CIPT exam — at that time, it was called the CIPP-IT certification.

A couple of years later, the Data Security Council of India was started. It's a body (that) is a part of NASSCOM, which is India's biggest IT industry association. This unit was to focus exclusively on security and privacy. I was invited to work at the council and did pro bono work for them because they were just starting out. They gave me a full-time opportunity, and by then I had cofounded my company, Arrka, in 2010.

The Privacy Advisor: Can you talk about Arrka and what issues you were trying to solve in the privacy environment at the time?

Nadkarni: When we started Arrka, my co-founder and I had come from the services industry. One of the things we were sure we didn't want to do was set up large teams and do a lot of service business. We wanted to do something different, and started with info security and added privacy later. After a period of time, privacy became our primary focus because of the opportunities we received. We could see the writing on the wall, because we worked with large enterprises, large banks, telecommunications and some diversified groups. At the same time, we worked with a lot of small- and midsize businesses too. A lot were IT companies that catered to international markets and were implementing privacy programs because of client demand. It had nothing to do with local law. We realized privacy would explode one day because no amount of human skill would ever meet the demand of the privacy challenges. We knew these companies needed to automate.

Automation was the key. People could do 80-90% of their work independently. We started automating and building our platform. Today, we have India's first and only privacy management platform, which is a fast platform for small and midsize businesses where they can actually assess, design, implement and manage their privacy programs right out of the box.

The Privacy Advisor: India is such a major player in the global digital economy. How has the privacy conversation evolved from the start of your career through today?

Nadkarni: For many years, every seminar and every discussion around privacy would start with privacy would never work in India. We, as a culture, are not privacy sensitive. We will tell a life story to the stranger on the bus or the train. And it's taken a while for people to realize we don’t have to confuse privacy as a culture with data privacy. I think one of the major shifts was in 2017, when the Supreme Court issued the judgment that privacy is a fundamental right in India. Until then, the notion of privacy was kind of interpreted and not direct, so that was a game-changer. After that, the Supreme Court asked the government to come up with a data privacy law, and that's when a commission was set up. We’ve had various versions of the bill, and that's been an ongoing process, but 2017 was a critical year for privacy.

The Privacy Advisor: Speaking of India’s proposed data protection bill, in your view, what are the major remaining issues Parliament needs to resolve to get the legislation passed? How likely is it that lawmakers will reach a consensus this year?

Nadkarni: We've been through a lot. We had a version of the bill that was pretty comprehensive, and then it went back to a standing committee of Parliament. They added a lot (of provisions) which had nothing to do with privacy. Then, finally, the whole thing was junked and withdrawn, with lawmakers essentially saying, "Hey, this is too complicated."

The new version is a simpler, smaller version focused exclusively on personal data protection. While there have been a lot of criticisms around it, speaking from my organization's perspective, I think the simplified version is working by sticking to core privacy principles. There are rights and organizational obligations articulated. There is an emphasis on children's data being high risk. This version was put out for public comment and I think this is what is expected to be introduced back in Parliament. The government gave an affidavit to the Supreme Court of India that they would introduce the bill in the current session of Parliament, which is currently on a break and is expected to restart March 13.

So, there is a strong indication the bill will get introduced in Parliament, though it may not get passed. It will probably get passed in the following session. I feel India is very critical from a global perspective because we are the second-largest digital nation in the world after China. There are 1.4 billion Indians and over 1 billion of them have a mobile device. So, there is data spewing (from Indian citizens), and there is no law. There is a huge understanding in the country about how (a data protection law would be) very powerful because we are a data-rich nation.

The Privacy Advisor: Let’s talk about the proposal for data embassies in the Digital Personal Data Protection Bill. After the previous data localization requirement was dropped from the bill, do you see data embassies as a middle-ground position on localization?

Nadkarni: I think data embassies are feasible. I don't think they really dropped (localization), it was more couched in a different language. All they said is that you can transfer data to a whitelist of destinations, which is a way of saying the rest of the data cannot travel wherever. In this whitelisting, it's not just countries but the concept of embassies, which I think is a smart thing. I'm hoping there’s a lot of discussion around this, but the industry is saying it's a good thing. It will preserve pockets where there are business interests, without compromising the rights of organizations or individuals.

The Privacy Advisor: In January, you likely heard India’s Minister for Railways, Communications, Electronics and Information Technology Ashwini Vaishnaw said the final iteration of the bill would balance innovation with the protection of personal rights. Additionally, to paraphrase, he said elements of the EU General Data Protection Regulation have had stifling effects on innovation. Do you think the final form of India’s law will end up closely resembling the GDPR, or will its provisions be more unique to India’s situation?

Nadkarni: There has been a lot of talk about the bill taking a different path from the GDPR. I believe India will take its own unique path because it doesn't want to burden businesses too much. But you have to stick to the basics, which is protecting the rights of individuals without compromising their privacy, yet, at the same time not stifling innovation to protect the huge sector that works off data. For example, the bill does not classify data into what most other bills do, as sensitive or nonsensitive data. 

The Privacy Advisor: So, in that instance, do you think India’s protections will go far enough to ensure individuals’ privacy if it doesn’t copy elements of data classification mechanisms from the GDPR?

Nadkarni: There will need to be more downstream work. Without having this classification you're looking at a risk-based approach, which needs more work. People and businesses need concrete guidance to actually translate and implement the law on the ground. So, there is a lot of further work to be done, and I think the law will be the start of things.