Policy Framework for Data Protection in India


Policy Framework for Data Protection in India – A National Conference to Deliberate India’s Data Protection Policy was held on  22nd January 2018 at the Constitution Club of India, New Delhi. The event was organized by Center for Knowledge Sovereignty (CKS) in association with Microsoft, Bharat Niti and The Dialogue. The Knowledge Partner for the event was Mirror Now.

Hemant Goswami
Chairman – Bharat Niti

“Talking about identity thefts, every time you go to a public place, whether to obtain an arm’s license or a ration card, you have to prove your identity fresh. There is no chance of someone stealing your identity as it is very difficult to prove it. What has changed after the new cyber revolution has taken place? 

 I wonder whether the whole new cyber world in which we are living now, has made us more secure or are we on the edge of facing different kinds of threats from fraudsters. It is hard to believe that the world we are now is very secured than what it was earlier. What India is doing right now I think nowhere in the world any country is doing. In the US it is so difficult for citizens to go to any bank and withdraw money; even the Internet money transferring or transferring money from one bank to anothertakes them 3 days, IMPS is unimaginable for them.This is the new environment which we have created. This is where we have moved to from a place where your identity was not secured to a place where your identity is certain and cannot be stolen as of date. The concern for US, which is identity theft is not here in India. I have not seen Aadhaar related frauds in India. It maybe 1 in a million but it is far less than what is happening in US right now. So, from where we have come and where we are going is something we must appreciate when we discuss about cyber security. I think the kind of example which we are creating for the world is unparalleled. The scales on which we are working are unparalleled. We are working on such scales that we are the natural leaders in the whole world of cyber security and electronic transaction. We are creating new models for that. So when we discuss about privacy laws and how to make it more secured, we must understand that what we have created till now is far better that what has ever been created in the world till date.”

Lt. Gen. V M Patil
AVSM, PVSM (Retd.) Vice Chairman – CKS 

“Till the end of the 17th century India’s share in the world’s GDP was 37% and within 150 years of colonization it came down to 0.1%. Now in the 21st century particularly the way the events have moved in last 3 years, the world is looking at India once again with hopes and there are many reasons for that. We are a country with 125 crore Indians, of which 800 are less than 35 years of age.The younger generation and our present leadership cannot afford to let down the hopes of the world and the hopes of Indians. The digital economy, the data protection and protection of individual’s privacy, all these determine whether India can rise to the expectations of the world. 

As Gen Shekatkar mentioned, till 19th century the world used weapons and military power to acquire resources; in the 20th century in the cold war between the 2 blocks,the Americans used the power of economy and the digital power to influence the 11 countries in the Soviet system for over 45 years, without firing a single shot but merely by stringent economic policy. This also led to the dismantlement of the Soviet Union. That is the digital power which Americans have shown to the world in the last century. While couple of months back, the Chinese used their digital power to influence the media and perception during the Doklam crisis for 79 days and created such a fear psychosis among the majority of the ill/misinformed Indians on how China can teach a lesson to India. They never fired a shot but they used the digital medium to such an extent that all the Indian media stationed in Beijing used to get everyday briefing and social media posts conveying that India needs to be taught a lesson. But thanks to the leadership of our country and the way they acted with maturity and confidence, the Chinese had to ultimately withdraw.”

Lt Gen. Dr D B Shekatkar, 
PVSM, AVSM, VSM (Retd.), Chairman –CKS

“It is a common perception that soldiers are not supposed to be knowledgeable. India is the vishwa guru because the amount of data available in India is enough to sustain the whole world. Why is it so? Because on this planet every 6th human being is an Indian. That is our reach, we are not generating the data only within our country but we are doing it across the globe and the whole world is looking at us. 

The Border is losing significance day by day; the topic which we are discussing today is the borderless world. Knowledge has no border, data has no border. This takes us to new point- connectivity of the people, where geographical distances have lost their relevance today. This is the power of connectivity and this depends on who is asking what and who is providing what. We should however be careful on the usefulness and uselessness of this Data. 

The 19th century was the century of muscle power, where everyone who had the muscle could rule the world, while the 20th century was the century of money power; based on the power of money you can buy anything that you name it. The 21st century is the century of knowledge power, the more knowledgeable you are the more powerful you will be and you become knowledgeable because the data available to you or because of the information available to you.In 1992 or 1993, a document was produced titled ‘What will China do to the world by 2035?’ Now nobody knows where it has gone, but every word written in the report is coming true. China is spending 90 billion dollars every year across the world to mould the minds of people in favour of China and to make them think that what China is doing is correct and is for the good of the world. And therefore, the war we are going to fight in this century will be bloodless and contactless, where you are not in contact with your enemy, your adversary, your competitor.”


Dr. Avik Sarkar
Head – Data Analytics Cell at NITI Aayog, Govt. Of India

“The first thing that I would like to talk about is why are we talking about data so much? From the government perspective, we need a lot of data for policy and good governance purpose. So if we take the recent example of Dengue that had spread all over Delhi, it is very common in many countries to get the healthcare data, know where the dengue clusters are, map them with polluted water location and resolve the issue. We are not able to do such simple things because we do not have health records in electronic format that can be shared in a way so that decision makers can take the decision. So it becomes very challenging for us.
We are now in the AI (Artificial Intelligence) game and we can use the same for good governance. The leaders in this field are US, China and a few other countries where already they have already gone ahead and form their AI policies on how to enable the AI ecosystem. There are several aspects in the AI ecosystem that a country can do to enforce it so that private players, academia and researchers can accelerate the work in AI. One of the factors that NITI is working is availability of good amount of training data because that is one of the core things and when you want data for this purpose they would like to have all the data. There is a lot of work on the anonymization. But we have to do this to ensure that the ecosystem is there and the things are in place.” 


1st Panel: Framework of the IT Act from a Technological point of view

The 1st panel discussion was held to discuss the overall framework of the IT Act and was moderated by Kazim Rizvi, Founder – The Dialogue. The panelists included, Deepak Maheshwari, Head of Govt. Affairs- Symantec Corporation; Mukesh Jain, Chief Technical Officer – VFS Global; Meenu Chandra, Senior Attorney Manager, IP& DCU Lead (India Region) – Microsoft and Dr B V L Narayana, Director – CRIS


Deepak Maheshwari
Head of Govt. Affairs- Symantec Corporation

“One of the things that I would like to start my discussion on Data Protection framework in the country is that any legislation has to balance many interests and issues. In data protection there has to be a balance between the rights of an individual to self-determination but at the same time we have to foster the innovation ecosystem; there has to be a process that incentivizes positively. We need positive incentives for the data controllers and processors to comply with that and then there has to be a remedial process in terms of grievance addressable etc. if there is any breach. So that’s the broad framework on which it has to be made. When we look at Justice Srikrishna’s whitepaper which has come out, one of the important things that I have noticed this time when compared to the IT Act is that the Act also has the provision for example section 43 A but that applies only to body corporate whereas in this whitepaper the proposal is applied for both private as well as public sector. Some exceptions must be there like national security.

Second, in terms of consent if you see section 43 A, it is only about consent whereas now the proposal is about not only consent but other basis as well including legitimate interest and contractual obligations etc. In that you can have scenarios like prevention of financial frauds, law enforcement activities and the purpose of ensuring cyber security within a frame of legal interests. Going beyond that one of the important things is we must have judicial oversight for certain type of ask from the law enforcement or other agencies how this is being practiced.

We should remember that data transfer and even internet are not unidirectional, they are multi-directional and if you are looking from a frame of national borders, it’s bi-directional, there are things which go out and comes in. India has been the greatest beneficiary of cross border data transfers for past few decades and that is how we have created the 150 bn IT industry in the country. So we should not only think of data going out but we should also think that there are people who are sending data in. The whole notion that if data in India it is safe, I think that is slightly misplaced. We should also look at that aspect.” 

Mukesh Jain
Chief Technical Officer – VFS Global 

“Privacy is as defined by an individual. While signing up for a free account or Android we go through the terms and conditions and we press accept button. It’s a legal document. The document also says that the company owns all your data. We ourselves because of less knowledge or to get something for free or some other reason end up sharing our information. So just because they are asking to use your data and you cannot say no and have to press yes, you are being held hostage. I was in a committee in Microsoft which recommended cookies should not be allowed. Microsoft was actually the first company to actually disable cookie. But there was too much of pressure from other players and unfortunately that has to be revoked. If you do not want to share your information then it should be allowed. That is how private browsing came into picture but very few know about that. Privacy is in your control and you have full control. If 20% of the people discard to download an app because you are asking so many information then it will for sure change. Unfortunately we cannot ask everyone to change so that will lead to laws. After my research on Poka-yoke, first and foremost why do we need data collected? You have to say no for sharing data.”      



Meenu Chandra
Senior Attorney Manager, IP& DCU Lead (India Region) – Microsoft

“Now we have the demarcation between personal data identified as the bill data and sensitive data because very rightly the risks associated with a piece of data will vary with the kind of data it might be. The more sensitive it is the higher the risk context which means the security context is higher and the protection context is even more important. In that context, I think we need to have the ability to look at when we talk about consent in the context of these kinds of data, how are we going to be implementing the consent requirements. Right now we want to talk about consent explicitly from the data subject which is good and important. It is also important to realize how we are going to be implementing those pieces. So when we talk about consent about mobiles and addresses, well this is a kind of data we are throwing anywhere. But at the same time looking at how many times you are going to prompt a user in this digital world to give consent, you would end up having multiplicity and fatigue of taking consent in that process.

So we need to think a little bit broader in that sense. Notification can be used in that case rather than asking for consent every time.  You can talk about the legitimate interest that you have in using a data beyond the consent that you might have given is covered within the legitimate piece in the notification. Using notification is a good tool. Again looking at de-identification, a lot of data does get gathered but doesn’t have value because its linked to an individual. It might just have value as a meta tag. That data might get gathered on a server somewhere on the world just to give an analysis of de-identifying them from their names to get them into that space of knowing their routines etc. There is value in using de-identified data and that value should not be hampered because we are talking about every piece of data that might lead to some individual. So we need to be very careful about the rules of de-identification.”     


Dr B V L Narayana
Director – CRIS

“There are two issues which I will raise, not on security and protection but on the governance of data. There are two issues in the use of data, first is rendering services. I have a name which is B V L Narayana and I have a huge problem in telling it to people that I am B V L Narayana and not somebody else. My PAN Card has some other name my mistake, the income tax people have told me a lot of times that you are not the same person but because I pay tax they accept it. I had a tough time to convince them that I am the same person and it’s the mistake of the PAN Card department. It became worst because as per Prime Minister now the PAN number is connected with AADHAR. In AADHAR they asked my full name. My surname is the first part of my name, B is my surname. As per AADHAR I am not the same person though everything else matches and therefore they could not link my PAN Card with AADHAR. Therefore the issue that comes in is when I am putting the data as my identity and it is put in by someone else then who has the right to decide what is correct, what should the rule say. The law may say anything but it has to apply. In railways the rule which we have given to our staff is to trust the customers. So my first request is if data is used as identity and that becomes a mandate for services then who should have the right to decide, should the individual have the right or the person who wants to take the services have the right? It is a very common issue. Security comes much later. If I cannot use data for services so what will I do with security? The more I allow usage the better it is.”

2nd Panel – Data Protection & Sovereignty

The 2nd panel was moderated by Faye D-Souza Executive Editor – Mirror Now and the panelists who participated are Amit Dubey, Chief Technical Officer, Tech Mahindra; Karma Bhutia, Founder & CEO iShippo.com; VinitGoenka, Member Governing Council – CRIS, Secretary – CKS; JayadevaRanade, Cabinet Secretariat – RAW and Triveni Singh, Deputy Superintendent – Noida Police cybercrime cell.


Faye D-Souza 
Executive Editor – Mirror Now

“Today we run the risk globally in general and in particular India of getting exposed to filtered information and the best way to tackle this by reading the morning newspaper. The paper, whether you like it or not will tell you everything. It will not curate information based on who you are. This is a serious problem because today a football fan will read only about football news. We are raising an entire generation of citizens who are ill informed of the things they are not particularly interested in. And so we are raising a generation who is becoming selective in terms of what information he wants. Now the dark side of that is fake news. I don’t believe the government can step in because that will amount to censorship and undemocratic. But the person who can step in at this moment is you. There is a very good way to check if something is fake or not by being smarter than that algorithm. You can verify that information by checking two top newspapers if they have published any news on that topic or not.” 



Amit Dubey
Chief Technical Officer, Tech Mahindra

“There were more than 15, 000 requests to Facebook support system last year during a criminal investigation case by law enforcement agencies. Out of these 15, 000 requests, only 53% were responded. It takes 12-15 days sometimes to get a response from Facebook. They have their own international norms and policies which require lot of approvals and the data centers are mostly out of India, so they have to follow those norms and policies. They cannot give a quick response which is always a problem for law enforcement agencies. There were more than 100, 000 requests which go through individuals. Each of us have problems on Facebook and we want to get a response because of somebody is misusing our data, bulling etc. In that case it takes much more time than 12-15 days as of standard duration.  There are a few recommendations which I am going to make here –

•    The data should be in India and it should be governed under the Indian Government Policies and then only the quick response can happen. If we are going to follow some international norms then it will never have that efficiency in the system.

•    Second is the privacy factor of any data. On whenever we are sharing any data, Facebook should also be accountable, they should have some sort of Artificial Intelligence into their system that somebody is cloning my account. They should at least warn or alert me. That will help us to get some privacy protection to our data.” 


Jayadeva Ranade
Cabinet Secretariat – RAW 

“There are 2 types of illiteracy – one is the traditional form of illiteracy which is the ability to read and write and the other is illiteracy as far as technology is concerned. People like us a bit more time in understanding the Internet. When we look at the cyber domain, we look at it as a big black box. This issue really needs to be addressed and in a manner that creates an awareness. So that is an issue that does come in. The whitepaper besides talking about people like me also talk about the regulator. I will cite an example that is there in public domain – during the Doklam crisis, the government went ahead for setting up of an undersea cable and BSNL decided to float a global tender without putting in any disability clause. So we have a situation today where people applied and among them we had Huawei as a bidder which is a Chinese company. So when we talk of illiteracy, I include this illiteracy on behalf of a regulator too.”



Vinit Goenka
Member Governing Council – CRIS, Secretary – CKS

“As the civilization progresses, there arises the need to change the law. Every new thing that comes in the civilization creates a new challenge for the existing civilization. A simple change made in the law, for instance making seat belts mandatory while driving, it is the duty of the government to make the people aware of it through multiple exposure to advertisements or even through educational institutions also. So laws of the country can be imbibed in a citizen through academics also. No law is complex; they can be made simple by breaking them into small parts and then passing on the same to citizens.People like you and me who have larger access to people should also take the responsibility of percolating this information about laws to them. Another major topic in the country today is data sovereignty. Now there is a difference between data sovereignty and censorship. The data which is circulating within the country should not go out through any social media or any e-marketplaces. Laws should be enforced that makes it abiding on the part of companies to bring their datacenters inside the country where they stack large amounts of data of the country. This will also make it easier to investigate whenever there is any breach of data.”


Karma Bhutia
Founder & CEO iShippo.com

“I have a couple of things that we should update. I think AADHAR is an important thing in terms of its design, technology, data integrity etc. Then AADHAR is also helpful in the fact that it answers the who part and the identity of an individual. Now, 1.25 bn people are identified. Now the big question comes, which all other big companies are interested in it? That answers what, why, when and where. Intent and desire – that’s where all the marketing lies. The attribution is the biggest game in terms of marketing and it is possible by profiling. Once you get attributed for a thing, I get to know what, when and how you did that because of identity. Now profiling happens when you have third party players. They say that AADHAR is secured. But with eKYC data all over the place, there happens to be leakages from third parties. But in actual, the AADHAR data is not leaking. So the identity space constraint, probably it is secured. When it is considered that Data is the new oil, we have the oil that everybody wants – to be able to attribute and profile. Once it is done they know all the parameters then the theme changes because your privacy is getting violated. The privacy is not violated by somebody else holding your identity but the mission is happening by combining all of these things, which we need to address in terms of policy where we can say attribution and profiling have to be limited.”  


Triveni Singh
Deputy Superintendent – Noida Police cyber crime cell

“There came a boy in my office who told me to name any website which he would then hack it. And believe me, the boy actually hacked it in front of me much to my disbelief. This incident happened a year back. When asked how he does it, he said that there are small tools available on Google with the help of which websites can be hacked and it just takes 2-3 hours of understanding these tools. These tools include some data tempering and data fiddler software which can be downloaded from Google. I called two of the top telecom and insurance companies in India and I asked the boy to hack their websites. He not only hacked the websites but also recharged their phones free of cost. What I am trying to say is that almost all the websites are 90% hackable and none of them are 100% secured. Even iCloud that claims to be a fully secured website has been hacked. So having a secured website is a myth. In today’s date, there are 2 legal provisions – if there is a criminal breach we can lodge the FIR and arrest the culprit. The other provision is that under the IT Act, civil penalties can be imposed on certain offences by a civil court and there is a different machinery for it. Each state should have an adjudicating authority. But sadly no one is aware of the presence of an adjudicating authority.”


3rd Panel – Right to Perspective & Privacy

The 3rd panel was moderated by PriyankaChaudhuri, SFLC.in and the panelists included Charu Malhotra – Professor, Indian Institute of Public Administration; Prof Subhasish – IIT Delhi; Anand Krishnan, Senior Analyst-Policy – Data Security Council of India; cyber law expertPuneetBhasin; Abhijeet Chatterjee and AtulTripathi, Consultant – The National Data Council Secretariat. The idea of the discussion was to focus on individual participation, about what an individual deserves from fundamental rights and from Right to perspective that includes fundamentals like consent, Right to be forgotten and so on. It also looked at key data protection principles


Priyanka Chaudhuri, 

“The objective of data protection law is not to protect the law but the individual. The recent KS Puttaswamy judgement has also emphasized on protecting individual privacy. Justice B N Srikrishna, former judge of the Supreme Court of India will head a Committee of experts which has been formed to deliberate on a data protection framework for the country. Even this report says that the individual should be the center of data protection. One of the core principle of data protection is the individual participation.” 



Charu Malhotra 
Professor, Indian Institute of Public Administration

“There are many aspects as to why personal data should be protected. First is the identity and the profiling of the person, second aspect which is equally important is the commercialization of the data which could be leaked out. The third aspect is the surveillance aspect of the data, if the state uses the data in certain cases for surveillance for minority or certain other groups, is it ethically or provisionally correct or not. Today the challenges to the data protection framework are many fold. The first is the diversity of the country; when we talk of diversity we just don’t talk about seniors or the illiterate section, but we also talk about communities and demarcations on the socio-cultural aspect of a country. So it is very important for the data protection law to address this demarcation of the country in order to come up as a holistic framework. 

The second issue which I am worried about is the consent and the notice part. If I am intelligent enough to understand a document and ready to give my consent, would an intellectually weaker individual able to understand to those same conditions just like me and give his consent? The Whitepaper on Data protection also talks about sending a notice to everyone. Now in which language would the notice be sent, through which channel it will be circulated, such things should be addressed first.

The third thing is how many of us understand that when we talk of data, it is not just about data that is getting captured but also the data that is being stored, processed or transitioned. So imagine there is this whole pipe where you put your data and anybody can drill into it to steal any data. How you as a citizen get to know that?”   


Prof  Subhasis Banerjee
Computer Science & Engineering – IIT Delhi

Prof. Subhashis pointed that data can only be used for pre-approved and legitimate purposes. Informational self-determination and the autonomy of an individual in controlling usage of personal data have emerged as central themes across the privacy judgment. It is argued that Indian data protection regime should offer stricter privacy protection than what is prevalent in the US, and on the other hand have a more innovation friendly setup than what the privacy protection framework in the European Union can offer, which perhaps is unduly restrictive without being commensurately effective. Additionally, the framework should be sensitive to our large under-privileged population which may not have the necessary cultural capital to deal with an overly complex digital setup.

A passive regulatory framework based on detection of privacy breaches, and traditional understanding of privacy protection based on the principles of consent, purpose limitation and transparency is unlikely to be successful for privacy protection.  He also advocates an architectural solution based on online validation of authorisation and access control to prevent privacy infringements in the first place.


Anand Krishnan
Senior Analyst-Policy – Data Security Council of India

“In my opinion, it is not the consent that is broken but it is the notice. We go and try to explain in a legal language of what he is signing up for, regardless of the fact whether he understands or not. At the end of it, a person clicks on a consent button affirming his action that he has understood everything what he is signing up for, what kind of processing will happen with his data and so on. This point has come up in several public consultation meetings before. The White paper that has been published is in English and incredibly a large document, but there is a need to publish it in Hindi and other languages for more people to access it. If we are talking about privacy and following the recent judgement, then it was important that we publish this Whitepaper in at least 2 languages. Talking about notice, it should also be made available in a couple of other languages without just keeping its access for the elite and educated class. There have been many conversations on how we will fix the notice and the need to simplify it further. Possible solutions could be radial boxes, pre-ticked boxes which will let the user see that what personal data being given, what processing is going to take place and then give them the option to opt out of it at a later stage. There is this misconception that consent is the only basis of processing data. There are 2-3 various ways through which you can have different grounds of processing. Now Right to be forgotten has application across the internet. It is my ability to go and get that data set deleted from a public domain, but it is a fact that the data once published will never get erased or deleted.”


Puneet Bhasin
Cyber law expert

“There is nothing like a right that will be deleted forever from the face of this earth. It may be that on Facebook or any social media, you are off the feeds or certain records or from any public information from any agency that you requested to not publish it. So it is not that suddenly out of the blue everything is going to be erased. There is a erasure of data with respect to a context. Now this Right to be Forgotten has been given much hype and there have been a lot of deliberations on it abroad. In most of the cases, more than Right to be Forgotten, it is the issue of Right to recover data after the demise of a person. A large amount of data in today’s time is being stored by you in social media – moments, writings, photographs, everything. So the family members of the deceased try to recover this data since they are part of memories. It is upon us whether the access of the account of a person who is not alive is actually seen as an authorized or an unauthorized. This may not have made much of a difference some 4-5 years back because we never used to post so much about our lives on Facebook. But today every aspect of our life is being shared on Facebook. So these are all priceless memories. So you try to hack into their account to get back those memories which is an offence in the eyes of law. So I think that is a bigger issue than mere erasure that our data protection framework is not interested in.”


Abhijit Chatterjee
Chief Innovation Officer, C-Zentrix 

“I believe that if there is a problem, there must be a solution too.  Now the problem statement is – you have a mobile phone in hand and it has got stolen. You had taken some photographs in that phone and they reach some wrong hands. If these photographs and information are not much of importance to you then it is absolutely ok. But if the information in the phone is something confidential which cannot be shared with everybody, the first question that should arise is that the person who gets the phone, can he get access to the data available in the phone. Even if he is able to access that data, is there any possibility that he might misuse that sensitive data. Now you cannot go to CBI or the government and say that your phone is stolen and that they are responsible for the theft. This may not happen with all of us but I would like to address specially the teenagers who have just got a mobile phone as gift from their parents. They would surely want to show how tech-savvy they are and so will download apps, take videos & selfies and upload them wherever possible for others to see.  But what they don’t understand is that each of this information is so important that tomorrow if any of their personal details are misused, they can be harmed. Even before considering any law of this land, it should be the foremost responsibility of us individuals of how we treat our own personal details – of what to post and what not to post, how much of our life needs to be made public and so on.”   


Atul Tripathi
Consultant–The National Data Council Secretariat

“Today social media has become the potent trouble maker for any policing affairs. I will give you three examples – one is the classic example of J&K, where everything is happening on social media, whether it is a call for stone pelting or any encounter taking place, or any hindrance being caused. The second example is that of West Bengal, where a Facebook post caused a havoc in a place called Basirhat. Lastly on 1st& 2nd January, we saw what happened in Bhima-Koregaon in Maharashtra. It was all there on social media. That has become the biggest pain. So the data which is there on social media – how do you get hold of it because it is not within our legal boundaries? How much of data is available to us even it is outside the legal boundaries. It is very very miniscule. These are the 2 big challenges that the policing affairs or any law & order agency face. Another important thing that is already taking place in today’s time and was also referred even by the Prime Minister very recently is online radicalization. This is again happening on social media. It is there for all of us to see. Some of us may not be enticed towards it but lot of us does get attracted to it.  That has started to create a big havoc in the society. In the coming days, online, social media and the data are going to be the biggest challenge.”