It is Diwali week in India. The delightful festival of lights signifies many things — including new beginnings. For privacy folks, there is hope new beginnings will manifest in publication of the much-awaited draft rules of India's Digital Personal Data Protection Act.
As we await the rules and formal notifications on when various DPDPA clauses will take effect, rampant collection of personal data continues. It is almost as if there is a parallel universe out there — one in which the reality of the DPDPA doesn't even seem to be on the horizon.
Take the case of student data. As part of its "One Nation, One Student ID" initiative, the Union government is setting up the "Automated Permanent Academic Account Registry" for students from pre-primary to higher education level, which every state in India is required to maintain. Every student will be allocated an APAAR ID. While the goals are lofty, valid concerns are being raised about the personal data collected (which includes Aadhaar data, for example): how it is secured, who it would be shared with, what consent mechanisms apply, whether students and parents would be given a choice, the fact that it makes students easily trackable, and more. The concern is heightened because this is data of children.
Concerns are exacerbated by reported breaches of similarly large databases and the vulnerabilities behind them. The most recent breach to make headlines, touted as possibly the largest single breach in India to date, involved the personal details of 815 million Indians being offered for sale on the dark web. The data reportedly included names, phone numbers, addresses, Aadhaar numbers and passport details. There has been much media speculation about the source of the breach; whatever it turns out to be, the episode highlights how exposed Indians' personal data is today.
Statistics from recently published reports support this apprehension and point to India's general lack of preparedness when it comes to complying with the DPDPA and other data privacy regulations and mandates.
For instance, a recent study published by FTI Consulting says 47% of the top 100 Indian companies do not undertake regular cybersecurity audits or training to prepare for a data breach incident or ransomware attack.
Another study by EY says nearly 50% of Indian organizations, from enterprises to startups, are struggling to find the requisite skill sets to implement the DPDPA effectively. And only 36% of organizations have data protection officers (DPOs) based in India, a requirement of the DPDPA for organizations categorized as "significant data fiduciaries."
A third study, from PwC, analyzed 100 organizations and found that only 9% of those collecting personal data on websites obtain clear and explicit consent, 43% do not provide a well-defined purpose for sharing data with third parties, only 2% have notices in languages other than English (the DPDPA gives data principals the option to access a notice in English or any of the 22 languages listed in the Eighth Schedule to the Constitution), and only 4% have published breach notification mechanisms on their website.
There is certainly rumbling on the ground, especially from civil society organizations. The long-running case against Meta, originally filed in 2016 in the Delhi High Court and subsequently moved to the Supreme Court of India, is seeing action again. The petitioners have requested the court to direct WhatsApp to comply with the DPDPA, saying the platform's privacy policy, and how it shares and processes data with other Meta-owned entities, violates the law. Going a step further, the petition reportedly argued that when faced with a similar situation in the EU, when the EU General Data Protection Regulation had been enacted but was not yet in force, WhatsApp submitted to European authorities that it would not transfer user data to any other then-Facebook company on a controller-to-controller basis for any purpose until the regulation was in force.
In the spirit of the festive season, I want to sign off talking about something that recently warmed the cockles of my heart. I have often wrung my hands in frustration at how most people do not understand the impact and consequences of their personal data being "out there," who is tracking them and the like. On a short holiday recently with some dear friends, I found myself — to my pleasant surprise — being asked to help "clean up" their phones. Manage permissions, turn on privacy settings, talk about how to manage their security and privacy online — I did it all. And I slept peacefully that night for my wee contribution to the universe.