Hello from India!
I am penning these notes at the end of a rather special day today. Many parts of India, including the region where I come from, celebrate New Year today as per the Hindu calendar. After a sumptuous family lunch, I spent the afternoon mulling over what lies ahead for us privacy professionals in India.
We tend to be a cacophonous bunch — whether it is the policy and legal experts ensuring the law and regulations are ultimately adopted, the privacy practitioners equipping organizations to implement privacy or the numerous others, we all, directly or indirectly, think about privacy. The one commonality between us is that we tend to speak up — loudly. However, while the noise may be loud, we know that all of us, together, have barely scratched the surface when it comes to privacy. In a country looking at the personal data of 1.4 billion, what lies ahead from a privacy perspective is humungous, to say the least.
So what can one expect?
Of course, at some point in time, one hopes that "the law" will happen. Most likely, in this coming year. However, does everything hinge on that one privacy law? Obviously, it cannot. Components that go into structuring, regulating and governing everything to do with "Digital India" – data, technology, infrastructure and initiatives – also need to be addressed. And all this while "Digital India" explodes around us. In short, India is in the proverbial situation of building the airplane as it taxies down the runway for take-off.
Look at some of examples that illustrate the above scenario.
Consider the revamping of the twenty-year-old Information Technology Act, now rechristened at the Digital India Act. A blueprint was published and public consultations have begun. While there is still a lot of ground to cover, progress has been made on this critical component of governance.
Meanwhile, regulators are trotting ahead after the Securities and Exchange Board of India, which regulates the stock market, specified in its framework for adoption of cloud services that all entities under its purview have to keep their data in India.
Clearly, they are not heeding statements coming from India's Ministry of Electronics and Information Technology that the proposed bill, in the context of cross-border data transfers, would adopt a regime of "blacklisting" certain countries. This is a change of stance from earlier, when countries were "whitelisted".
The International Data Corporation recently published its "IDC FutureScape: Worldwide Future of Trust 2023 Predictions — India Implications" report. Some predictions give an indication of the future of privacy in India from a different perspective:
- "By 2025, 20% of organizations will employ a privacy engineer to operationalize privacy by design principles.
- "By the end of 2025, 50% of major enterprises will mandate data sovereignty controls from their cloud service providers to adhere to data protection and privacy regulatory requirements.
- "By 2026, driven by steep regulatory growth, talent gaps and cost efficiencies measures, 20% of organizations will invest in compliance-as-a-service offerings to meet their regulatory mandates.
- "By 2027, 45% of I2000 companies will adopt continuous risk assessments over annual security audits, leveraging service providers to limit the burden of policies, practices and technical debt."
I was mentally juxtaposing the above with recently government statistics on digital payments in India, a clear and strong indicator of the volume of digital transactions here.
Per released figures, as of December 2022, for the fiscal year 2022-23, 91.92 billion digital payments took place over three quarters, with a total estimated value of INR20.5 billion (USD250 million). To put this in perspective, this was more than in France, Germany, the U.K. and the U.S. combined. "Combine the four and multiply by four — it is more than that," Indian Minister for Railways, Communications, Electronics and Information Technology Ashwini Vaishnaw said to the World Economic Forum in January.
Imagine this taking place without a privacy law! Gulp.
As someone who is an integral part of the "airplane on the runway," a part of me balks at the uncertain times ahead.
Today, however, I decided to take recourse in a childhood memory. As a tradition on this festive day, a special dish is prepared that mixes various flavors – particularly the bitter leaves of the neem tree and a bit of sweet jaggery. As kids we would avoid eating this. And my grandmother would gently cajole us with her infinite wisdom, telling us how this dish symbolizes how life’s experiences are a mix of the bitter and the sweet.
What lies ahead for us is indeed going to be a mix of the bitter and the sweet.