It is that time of the year in India when the monsoon clouds steadily roll in across the country — at times dark and ominous, nevertheless welcomed by one and all. I can't help but draw a parallel to the data protection and privacy landscape in India to this season — ominous incidents of massive data breaches steadily accelerating the demands across all quarters across the length and breadth of the country for a data protection law and other supporting legislations.

The latest breach that sent alarm bells ringing among the general public was that of CoWIN  — the government of India's vaccine portal containing health details of every adult in India. The data includes sensitive personal information like the date and place of vaccination, government IDs like Aadhaar, PAN, passport and related details and mobile numbers. Until about 9 a.m. 12 June, a Telegram bot allegedly gave out this information on based of mobile and Aadhaar numbers.

The government went into high gear, issuing denials and adding confusion. While one ministry denied any breach and claimed the system was absolutely safe, another referred this to CERT-IN for investigation. Meanwhile, a minister associated with IT claimed this was not a direct breach but data came from an earlier breach — which led to wide media discussion and speculation about silence from the government on earlier incidents, which other entities the data has been shared with (from where it could have been breached) and so on. A huge messy affair overall that is still top-of-mind even as I pen these notes.

The timing of this breach could not have come at a more inopportune time. In its ongoing G20 presidency, India has strongly advocated for a digital public goods and infrastructure, talking of its success in India. DPI has been credited with bringing about a huge change in India and is the foundation of the "Digital India" initiative. For example, UPI payments infrastructure has exploded online digital payments in India bringing about a huge opportunity to sections of business and society hitherto left out. Similarly, the Aadhaar ecosystem has revolutionized direct benefit payments and KYC in the country.

However, as I have often said in this column, these initiatives spew forth personal data in quanta several order higher than ever before. Data which does not enjoy the guardrails of protection in the form of laws and regulations. How long can this go on?

Sure, there is a lot of  preparatory action underway. The India Digital Personal Data Protection Bill — in the making since 2019 — is expected to go to Parliament in its upcoming session in August — where one hopes it would eventually get passed into law. The Indian Information Technology Act of 2000 is also being revamped into the Digital India Act. Announcements are being made around other governance measures as well, like around AI, nonpersonal data, cybersecurity policies, etc.

However, most stakeholders are exhausted with this "all chatter — no action" state of affairs. I, for one, certainly hope that — much like how our beloved monsoon rains are preceded by much thunder and lightning — this cacophony does indeed translate to action on the ground.

As always, in the absence of laws, regulators step in.

For example, on 2 June, the Reserve Bank of India released draft cybersecurity directions for payment system operators and digital payments to help these entities manage cyber risks. Known for acting decisively and rapidly, the RBI usually rolls out these measures quickly and also ensures their implementation.

Similarly, India's Telecom Regulatory Authority, the TRAI, directed all access providers to develop and deploy a Digital Consent Acquisition system through which service providers and organizations like banks, business entities, etc., can obtain customer consent for promotional calls and messages. This is expected to curb spam calls and messages which are currently rampant in India. With a unified platform for consent management, customers would be able to easily provide or revoke consent for commercial calls and messages.