It is Diwali week in India. The delightful festival of lights signifies many things — including new beginnings. For privacy folks, there is hope new beginnings will manifest in publication of the much-awaited draft rules of India's Digital Personal Data Protection Act.
As we await the rules and formal notifications on when various DPDPA clauses will take effect, rampant collection of personal data continues. It is almost as if there is a parallel universe out there — one in which the reality of the DPDPA doesn't even seem to be on the horizon.
Take the case of student data. As part of its "One Nation, One Student ID" initiative, the Union government is setting up the "Automated Permanent Academic Account Registry" for students from pre-primary to higher education level, which every state in India is required to maintain. Every student will be allocated an APAAR ID. While the goals of this are lofty, valid concerns are being raised about the personal data collected — which includes Aadhaar data, for example — and its security, who it would be shared with, consent mechanisms, whether choice would be given, the fact that it makes students easily trackable, and more. There is heightened concern, especially, because this is data of children.
Concerns are exacerbated by reported breaches of similarly large databases and their vulnerabilities. The most recent breach to make headlines, touted as possibly the largest single breach to date in India, involved personal details of 815 million Indians for sale on the dark web. The data reportedly included names, phone numbers, addresses, Aadhaar numbers and passport details. While there has been much media speculation about the source of the breach, it only serves to highlight how vulnerable Indians are today.
Statistics from recently published reports bear out this apprehension and point to India's general lack of preparedness when it comes to complying with the DPDPA and other data privacy regulations and mandates.
For instance, a recent study published by FTI Consulting says 47% of the top 100 Indian companies do not undertake regular cybersecurity audits or training to prepare for a data breach incident or ransomware attack.
Another study by EY says nearly 50% of Indian organizations, from enterprises to startups, are struggling to find the requisite skill sets to implement the DPDPA effectively. And only 36% of organizations have DPOs based out of India — a requirement of the DPDPA for organizations categorized as "significant data fiduciaries."
A third study, from PwC, analyzed 100 organizations and found that only 9% of those that collect personal data on websites obtain clear and explicit consent, 43% do not provide a well-defined purpose for sharing data with third parties, only 2% have notices in languages other than English (the DPDPA requires notices to be published in 22 Indian languages), and only 4% have published breach notification mechanisms on their website.
In the spirit of the festive season, I want to sign off talking about something that recently warmed the cockles of my heart. I have often wrung my hands in frustration at how most people do not understand the impact and consequences of their personal data being "out there," who is tracking them and the like. On a short holiday recently with some dear friends, I found myself — to my pleasant surprise — being asked to help "clean up" their phones. Manage permissions, turn on privacy settings, talk about how to manage their security and privacy online — I did it all. And I slept peacefully that night for my wee contribution to the universe.