Hello and Ganpati Bappa Morya.

I pen these notes brimming with optimism, an outcome of celebrating the popular Ganpati festival over the weekend. Ganpati, or Ganesha, is considered the God of New Beginnings, the Remover of Obstacles and the God of Wisdom and Intelligence.

While it is celebrated for 10 days in public spaces with huge, festive deities installed on almost every third street across neighborhoods, the shorter home celebrations tend to be an opportunity for families and friends to come together. Our family traces back our hosting of Ganpati to over 250-plus years — so it is a privilege to carry on the tradition.

It is with this optimism that I look at the data privacy and the overall digital trust landscape in India. And there is indeed a lot to be optimistic about if you observe the general pattern, though concrete outcomes may not yet be visible.

Let us begin with the Indian Parliament's monsoon session that concluded about a month ago. Parliamentarians' variety of questions about India's digital ecosystem indicates the level of importance that is being increasingly accorded to the topic. Questions ranged from addressing the problems of deepfakes, the status of the Digital Personal Data Protection Act rules and the proposed Digital India Act, to other policies and regulations being introduced or planned by the government to regulate the digital space.

One particular question that stood out in my mind involved addressing the monopolistic practices of Big Tech companies in India, given how much action is being seen globally in this area. Parliamentarian Manish Tewari asked the Ministry of Electronics and Information Technology to explain government measures and steps taken to "address antitrust concerns and prevent monopolistic practices by Big Tech companies," "support and promote Indian tech companies in competing with Big Tech, both domestically and internationally," and any best practices adopted "in regulating Big Tech to keep India's digital ecosystem secure, innovative, and competitive."

The government's response talked about the draft Digital Competition Bill, published in March 2024, that is open for public comments. It also mentioned recommendations of the Committee on Digital Competition Law, formed under the Ministry of Corporate Affairs, to introduce ex-ante measures for systemically significant digital enterprises that provide core digital services.

Artificial intelligence governance and what the Indian government is planning to do in this area is also top-of-mind for everyone in this space. At the Telangana government's Global AI Summit 2024, hosted in Hyderabad, the Additional Secretary to MeitY and CEO of Digital India Corporation, Abhishek Singh, said, "Instead of trying to regulate the (AI) technology, we are looking at regulating (its) applications."

Further explaining how this would entail looking at things from a harms-to-user perspective, he said, "If there are some AI-based applications which are resulting in, for example, deepfakes or misinformation or child sexual abuse or something that has the potential of causing harm to a group of people or to a community of people, those are the applications that will be regulated."

He also addressed the concern around the paucity of AI-usable datasets in India, mentioning that under the IndiaAI Datasets Platform, the government planned to establish data management units in every government department to help facilitate usable datasets on the platform. The IndiaAI Datasets Platform is an initiative to make non-personal data available to researchers and startups. A matter of concern here is what exactly will constitute non-personal data, given the wide ambit India's DPDPA has.

Work on tackling cybercrime and cybersecurity has also taken center stage. On 10 Sept., at the first foundation day celebration of the Indian Cybercrime Coordination Centre, India's Home Minister Amit Shah launched four key initiatives:

  • The Cyber Fraud Mitigation Centre: Representatives of major banks, financial intermediaries, payment aggregators, telecommunications service providers, IT intermediaries and state/union territory law enforcement agencies will work together to tackle online financial crimes.
  • The Samanvaya Platform: A joint cybercrime investigation facilitation system that will act as a one-stop portal for cybercrime data, data sharing, crime mapping, data analytics, and cooperation and coordination of law enforcement agencies across the country.
  • The Cyber Commandos Program: Under this program a special wing of trained "cyber commandos" across states and the Central Police Organizations will be established to counter threats to the cybersecurity landscape in India.
  • The Central Suspect Registry: This would be created based on the National Cybercrime Reporting Portal in collaboration with banks and financial intermediaries to strengthen fraud risk management capabilities of the financial ecosystem.

Fake content is another area where we are seeing action. On 3 Sept., MeitY issued an advisory asking social media companies to take prompt action in removing fake content from their sites, without waiting for the time limits prescribed in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. The advisory referred to a recent order by the Bombay High Court instructing Meta to delete — within 10 hours — fake information and morphed profiles relating to the National Stock Exchange.

Meanwhile, India's large financial technology sector is coming under increased attention for the risks it carries and introduces into the ecosystem. The Reserve Bank of India, under whose ambit this falls, has been trying to find a middle ground between deploying traditional regulatory methods and a hands-off approach.

The intention has been to ensure innovation isn't hampered, yet risks are reduced. A way forward arrived at in the recent past has been setting up self-regulatory organizations.

On 28 Aug., the RBI announced recognition of the first fintech SRO, the Fintech Association for Consumer Empowerment. FACE claims to have many of the leading fintech companies as its members, accounting for 80% of India's total digital lending business volume.

Among its large list of responsibilities, the SRO is required to establish standards for data collection and storage in compliance with various laws and regulations, including the DPDPA, and monitor compliance.

And now for some interesting and pertinent statistics gathered over the last month:

  • India's Unified Payments Interface has been much talked about globally, given how it has changed the face of payments in India. Latest data from the National Payments Corporation of India, which manages and oversees this ecosystem, shows the total volume of transactions using UPI in August was 14.96 billion. This is a 527.5 million rise compared to 14.44 billion transactions in July. Why is this of relevance to digital risk? Think of the digital footprint of these volumes and the resultant implications on digital risks.
  • Another interesting digital infrastructure in India is the Account Aggregator Framework. Account aggregators are entities that enable data sharing among financial sector institutions. In the process, they "switch consents" whereby a user can consent to making their data lying with one financial institution available to another. According to Sahamati, an industry alliance for the account aggregator ecosystem, the total number of successful consents crossed 100 million on 15 Aug. in a period of three years.
  • As the above statistics indicate, while digital financial services are seeing a surge in India, the majority of users, 55%, are neutral about the steps they would take for preventing any privacy intrusions or harms caused by digital finance apps. This is from a recent study titled "My data or yours? Unravelling Multi-Party Privacy (MPP) among Consumers of Digital Credit in India" conducted by the International Institute of Information Technology, Bangalore and CUTS International.
  • Continuing with the financial sector, a recent survey by KPMG looked at how generative AI chatbots and customer service applications are taking the lead in financial services. And the rapid adoption of generative AI brings its own set of risks. Key concerns expressed center around data privacy, 29%, regulatory ambiguity, 13%, and security risks, 11%. As organizations continue to monitor the evolving AI regulatory environment, 63% anticipate more stringent data privacy requirements in the future. As a result, 60% are actively reviewing and updating their data handling practices.

All in all, I like to see this as lots of dispersed and disparate developments around the country signaling that many are paying attention to and thinking deeply about addressing the massive risks around the country going digital.

Shivangi Nadkarni, CIPT, is co-founder and CEO for Arrka.