Hi there!

Recently, India celebrated one of its "fun" festivals — Holi. Holi marks the beginning of spring and is celebrated by playing with lots of color and water.

This same mood of a colorful and boisterous greeting of a new season appears to have enveloped several other areas as well. It certainly seems like a whole new season of initiatives being announced/taken further on the "digital" front in India, which, in turn, involves personal data and the privacy of individuals. There is concern this slew of digital initiatives is being discussed and adopted — without the guardrails of privacy and data protection in the form of a law.

Look at some of the developments in the last month:

Last week, India’s Central Bank, the Reserve Bank of India, released a framework for geo-tagging payment system touchpoints. It has directed banks and payment system operators to submit geographical coordinates of touchpoints used to receive payments from customers, including details like merchant names, contact details and merchant location details. The intention is to assess the distribution of digital payment facilities across the country and thereby formulate strategy and policy.

Digital initiatives in health care are also rapidly taking shape. The Indian government’s massive, multi-tiered, health digitization project — Ayushman Bharat Digital Mission — was allotted a budget of approximately US$200 million by India’s union cabinet last month for a nationwide rollout over five years. The ABDM is set to be a massive ecosystem integrating various players associated with health care. Since the ABDM was announced in August 2020, more than 170 million unique health IDs have been issued to Indian citizens. Multiple private sector entities have been integrated into this ecosystem for various purposes, giving them access to health data of citizens. This has, as expected, given rise to concerns around privacy and the associated rights of citizens. While the ABDM has outlined privacy-specific measures, it relies heavily on the India Data Protection act — that has yet to take birth. Meanwhile, the initiative rolls ahead.

Another interesting development, with its impact on privacy yet to be fully understood, was the release of the draft India Data Accessibility & Use Policy. This is a policy framework to streamline data sharing of data in the government's custody. The draft outlines the associated privacy measures, talks about techniques like anonymization and building controls around retention periods. Again, it is a massive project given how much data lies with the government. How this would pan out over time remains to be seen.

Meanwhile, a committee has been created to investigate the government's use of Pegasus on Indian citizens. The committee has already started hearings.

There was also an outcry in the Indian Parliament and the media around Facebook allegedly giving an unfair advantage to the ruling BJP over electoral ads following a detailed report published by The Reporters’ Collective — a collective of journalists who put a spotlight on India’s political economy and governance functions — and Al Jazeera.

The good news amid all this, going by anecdotal evidence, is that the general interest and awareness about data privacy among citizens and organizations is going up. Many more conversations around privacy are taking place and its impact on business is slowly being understood.

Meanwhile, our neighboring country, Sri Lanka, passed the Personal Data Protection Bill. The Middle East, not too far away, has also seen a lot of action with the UAE passing its privacy law, joining other countries in the region.

As the harsh summer months roll in, we in India keep going in anticipation of the monsoon rains that follow providing a much needed respite. This time, I do hope that with the monsoons, the monsoon session of Parliament provides the necessary respite the country needs in the form of the passing of the Data Protection Bill.

Cheers.