Hello from India.
The beginning of the year is usually a rather active time in India for the rapidly growing privacy fraternity. Our increasing numbers are indicated by the number of events surrounding Data Privacy Day. What used to be a quiet day with a smattering of privacy folks organizing an event or two is now spread across several weeks. It is also the day Arrka releases its annual India-focused privacy study. All of this certainly adds an extra spring in my step as February begins.
This is much needed, by the way, given how active the month has been from a privacy perspective in India.
Before I dive into the goings-on, I thought I should share some recent data points on the sheer volumes that form the foundation of various "concerns" when it comes to privacy — so you get a sense of the quantity of risks and challenges to grapple with in this part of the world. According to a recent Telecom Regulatory Authority of India report, there were 896.61 million total broadband connections in India in November 2023, with a total of 918.19 million internet subscribers from July to September 2023. A total of 7.3 million gigabytes of data were consumed over the quarter.
It is little wonder there is considerable movement around various legislations and regulations.
Of course, the long-awaited rules under India's Digital Personal Data Protection Act continue to remain elusive, with every indication they will now see the light of day after India's general elections, when the new government comes in.
Fortunately, this doesn't seem to have stopped certain groups from examining the DPDPA's implications. The Editors Guild of India, representing journalists' interests, is concerned requirements related to consent and other obligations on entities processing personal data could potentially hamper journalistic activities. The group wrote to the Ministry of Electronics and Information Technology asking for an exemption for processing personal data for journalistic purposes.
Meanwhile, there is buzz around mechanisms to curb financial fraud in the digital realm — another area of major concern. To understand the depth of this concern, consider the volume of digital payments has skyrocketed in India in the last few years, standing at a total of 130 billion rupees in 2023. In turn, cyber fraud targeting digital payments has also dramatically risen with over 1.1 million complaints registered in 2023. Given this context, a Parliamentary Standing Committee on Communications and Information Technology presented its report to Parliament on 8 Feb. with a set of recommendations. One is to specifically weed out fraudulent apps for predatory loans, fake "know your customer" verification processes, and other types of fraud from Android and iOS. This reiterates what an earlier Parliamentary Standing Committee on Finance also indicated. The Reserve Bank of India specifically banned a list of apps and published digital lending guidelines. However, it looks like it is going to be a while before the system is "cleaned up."
The Parliamentary Standing Committee also called on MeitY to fast track rules under the DPDPA, as well as the Digital India Act, to ensure the creation of a secure and privacy-conscious India.
Another area seeing regulatory buzz is digital advertising and practices of Big Tech related to news publishing — an area that has been under the spotlight globally, as well. At a recent meeting of digital news publishers, Minister of Information and Broadcasting of India Anurag Thakur, as well as Minister of State for Electronics and Information Technology Rajeev Chandrasekhar, spoke about this. Thakur talked of bringing in policy interventions related to the impact of digital marketing and advertising on news publishers, like some other countries have done while Chandrasekhar spoke of the government's concern over adtech monopolies and duopolies, noting this will be addressed in the upcoming Digital India Act.
In parallel, the data collection juggernaut rolls on. Indian Railways recently announced plans to install CCTV cameras in 44,038 rail coaches to help identify people. This has raised several privacy concerns, especially as the data collection includes children.
The Telecom Regulatory Authority of India's recommendation to introduce the Calling Name Presentation service on India's telecom network is also generating much discussion. This means the receiving party of a call can get the name of the calling party. While this has been discussed as a solution to spam calls since 2022, it leads to a potential privacy violation of the calling party. The TRAI contends users will be able to opt out, but this has not stemmed the debate.
As laws and regulations around technology evolve, some interesting considerations have presented themselves from time to time around the world, including India. One came up during a hearing before the Supreme Court of India, leading the court to send a query to Google India. In a case pertaining to a bail condition imposed on an accused individual in a drug case, the Delhi High Court had ordered the accused to drop a personal identification number on Google Maps to make their location available to the investigating officer. The case went to the Supreme Court, which in turn asked Google India if dropping a location PIN infringes on the individual's privacy.
That brings me to the Arrka Privacy Research & Insights Study, which has tracked over the last seven years the state of privacy of approximately 100 Indian organizations via their website and mobile apps and benchmarked these against organizations in the EU and U.S. This year, an accompanying adjunct study takes a deep dive into children's apps.
Some interesting data points:
- 76% of Indian Android apps access exact precise location data, while 70% access users' camera and 58% the microphone. When it comes to iOS versions of the same apps, 51% access location even when the app is not in use, while 87% access the camera and 69% the microphone.
- There is a stark discrepancy between what apps declare on app stores versus what they do in reality. For example, 39% of Android apps declare in the Playstore that they access location, while 70% do. In the Apple App Store, 8% of iOS apps declare they access microphones, while 69% do.
- There are 18 third-party trackers on a typical Indian website and 87% Indian websites carried adtech trackers.
- Specific to children's apps, 85% of apps accessed at least one dangerous permission, while 46% accessed the camera and microphone.
Like you are probably thinking, yes, the adoption and enforcement of the DPDPA should hopefully change this stark landscape.