I am sure all ye privacy pros are having a fabulous start to 2024.

Here in India, 2024 certainly promises to be an action-packed year for privacy, especially judging by the activity in December 2023. At a time when people usually look to unwind and enjoy a year-end break, the privacy and related scene in India seemed to have found the extra adrenaline to sprint past the finish line.

On 24 Dec. 2023, the Parliament of India passed the new and much awaited Telecommunications Act, 2023. It replaced the nearly 140 years old Indian Telegraph Act and other laws that had, thus far, governed the telecommunications industry in India.

While several aspects of this new law are still being discussed, one area in particular has had the privacy community frowning. The law discusses using verifiable biometric-based identification mechanisms as part of the subscriber verification process. Given the sheer volume of subscribers in India, the risks from using biometric data are substantial, to say the least.

The Central Consumer Protection Authority on 30 Nov. 2023 issued another interesting set of guidelines for prevention and regulation of dark patterns in marketing. The guidelines cover aspects like creating a false urgency, basket sneaking, confirm shaming, forced action, subscription trap, interface interference, bait and switch, drip pricing, disguised advertisement, nagging, trick question, nontransparency in billing and rogue malwares. They have created a stir in the marketing industry, even as it gears up to handle the impact of India's Digital Personal Data Protection Act.

Speaking of, we continue to await the release of the DPDPA Rules. Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said the government has set a 31 Jan. deadline to issue the rules and post a public consultation. Given the rather poor state of understanding and maturity in a typical organization in India about what it takes to implement a privacy program, the perception is that the rules are required before a program can be rolled out. Further, it doesn't help that there is not yet clarity from the government on timelines for the DPDPA to take effect. All in all, looks like when things finally move forward, it will be a mad scramble, indeed.

However, some speculation about aspects of the anticipated rules is trickling in. For example, there was recent media coverage about a proposed Aadhaar-based mechanism to verify a child's age for granting their access to online services and to obtain parental consent. As readers may recall, the DPDPA has stringent clauses around children's privacy, with verifiable parental consent required. Aadhaar being the government ID that almost all residents in India have, including children, this mechanism may well serve to ease out a lot of the anticipated logistical burden on organizations.

Meanwhile, as a country, India has been making rapid strides in deploying facial recognition technologies across multiple spheres, causing increasing alarm in the privacy community.

The latest to join the bandwagon is the government's pension department. Those receiving a pension are required to procure a "Digital Life Certificate " from a certificate disbursing agency. Done using Aadhaar enabled biometric authentication, the department is now using facial recognition. According to data released by the concerned ministry, of the 117 million DLCs generated in November 2023, almost 20 million were generated using face authentication.

This is just one of several such initiatives that have already taken off. Another popular one is DigiYatra — an initiative to expedite passenger entry and security at airports using facial recognition. While it is already operational in 13 airports in India, severe criticisms have been expressed from the privacy, security and civil liberties perspective, including the  absence of regulatory oversight, lack of informed consent from users and overreach of personal data collected. Adding to the complexity is the makeup of public and private entities of the foundation administering the initiative.

It is important to keep in mind that all of the above is taking place in a country where the Internet user base is 888.27 million, according to data released in October 2023. And this population of users is slowly, but surely, becoming cognizant of implications of such initiatives on their personal data.

A recent report published by Capgemini Research Institute found:

  • 63% of Indians are concerned about their personal data being distributed to third parties without their consent.
  • 55% are concerned about their data being misused by organizations collecting it.
  • 56% are worried about companies having access to their health data via connected products.

Notwithstanding all of the above, the (relatively) small community of privacy pros in India has been super busy. An enthusiastic group of IAPP KnowledgeNet chapter committees from Mumbai, Delhi, Bangalore, Pune, Chennai and Hyderabad came together in Bangalore 8 Dec. 2023 for a unique Pan-India event. With the sheer force of enthusiasm and minimal on-the-ground logistical support, this wonderful team pulled off a meet attended by over 120 people from across India. As a speaker on one of the panels, I attended the meet in person and reveled in the energy, drive and enthusiasm of India's privacy pros. The event embodied the state of privacy in India today — young, dynamic, learning at every juncture, dedicated to the cause and enthusiastically sharing knowledge with others to elevate the overall privacy posture of the country.