By Karmendra Kohli, CEO & Director, SecurEyes
As one of the world’s foremost digital powers among emerging economies, India seeks to shift from merely using data-driven digital services to controlling and leveraging such data for its strategic and economic ends with the decision to establish a comprehensive legal framework for data protection. This article explores the critical interplay between data privacy, data protection, and cybersecurity in light of the recently cleared ‘Digital Personal Data Protection (DPDP) Bill 2023’ by the Union Cabinet and set to be tabled in the Indian Parliament.
India’s Approach to Data Governance
India’s vision for data governance is geared towards fostering a $1 trillion digital economy by 2025, as projected by a 2019 Ministry of Electronics and Information Technology report. To achieve this, India recognises the need to create an adaptable environment through policies, platforms, and partnerships catering to the digital world’s borderless nature.
Empowering users with control over their personal data has become a paramount objective in India as the nation experiences a rapid surge in the adoption of cutting-edge technologies and services. With this technological advancement, a crucial dialogue has emerged centred around the delicate balance between data rights and digital innovation.
Within India’s expanding digital landscape, there is a growing awareness of potential risks stemming from data misuse and cybersecurity threats that citizens may face. Recognising the significance of addressing these issues, there is a call for empowering individuals to be well-informed and equipped to safeguard their data rights.
As of July 2023, despite the central role that data plays in both private enterprises and public initiatives, India has yet to establish a unified and comprehensive data protection law. This critical gap underscores the need to prioritise the empowerment of users, allowing them to actively participate in the shaping of data regulations and advocating for their rights concerning personal information.
By bolstering awareness, education, and engagement, India can foster a culture of data empowerment, ensuring that individuals have the tools and knowledge to assert control over their personal data. Encouragingly, with a collective effort from stakeholders and policymakers, a more resilient and user-empowering data protection landscape can be cultivated to fuel the nation’s progress in the digital era.
India’s approach to data governance comprises three key tracks. Firstly, it involves regulating personal data, drawing inspiration from the principles outlined in the EU’s GDPR and other international regulations on personally identifiable information. Secondly, India is pioneering the establishment of a non-personal data framework, which no other country has embarked on yet. Lastly, India is addressing the governance of government data through the National Data Sharing and Accessibility Policy.
India’s Approach in a Global Context
India’s data governance approach should be understood in the context of global trends. Many countries are grappling with the issue of regulating cross-border data flows. Japan, for instance, supports the unrestricted flow of data across borders, as evident from its leadership in the Osaka Declaration on Digital Economy in 2019. The United States, on the other hand, has adopted a laissez-faire approach, allowing data to flow freely across borders without comprehensive federal legislation for data protection. Despite numerous proposals over the years, no one comprehensive federal law governs data privacy in the U.S. yet.
In contrast, Europe has taken a different route, establishing data governance through various directives and legislation which individual countries have implemented. Their approach is based on human rights principles, allowing cross-border data sharing under specific circumstances, provided other countries meet the EU’s requirements.
China, however, stands out with a significantly distinct data governance approach as it enforces strict data localisation requirements and monitors domestic data usage using advanced technologies. This approach has influenced other nations like Russia and Egypt to varying degrees.
In its unique stance, India declined to sign the Osaka Declaration at the 2019 G20 summit, concerned that it conflicted with its policy priority of data localisation. This decision highlights that economic, national security and developmental considerations are now intricately linked to both domestic and international data governance efforts.
With its massive population, a significant portion of which is yet to come online, and its growing technological capabilities, India is forging a new path in data governance. The country’s innovative governance solutions position it to play a crucial role in shaping global data governance.
Interplay between Data Privacy and Cybersecurity
While the contours of the proposed Bill will remain confidential until it is brought to Parliament, a comprehensive data protection law must encompass strong cybersecurity measures to prevent data breaches and protect sensitive information from unauthorised access. By incorporating cybersecurity controls at each step of the data lifecycle – acquisition/creation, use/processing, transmission/sharing, storage/archiving, and destruction – the Bill can ensure the holistic protection of personal data. Recognising this synergy, the Bill should encompass provisions that enforce stringent cybersecurity practices to fortify data infrastructure against evolving cyber threats.
To buttress the point, cybersecurity measures are designed to protect digital systems, networks, and data from unauthorised access, disruption, and damage. Their significance lies in their ability to defend against a multitude of cyber threats, including but not limited to unauthorised access, identity theft, disruption of services, malware, ransomware, etc. These measures are essential for preventing data breaches and ensuring business information’s integrity, availability, and confidentiality.
While the proposed Indian Digital Personal Data Protection Bill 2023 represents a significant milestone, ensuring effective implementation requires further clarity on specific key provisions. Clear guidelines and standards should be established to help organisations understand their responsibilities and obligations regarding data protection and cybersecurity. The ongoing stakeholder engagement and consultations with industry experts can contribute to refining the bill and addressing any ambiguities, enabling its seamless execution.
Conclusion
The Indian Digital Personal Data Protection Bill 2023 represents a vital step towards securing citizens’ personal data and bolstering data governance in India. The Bill acknowledges the inseparable relationship between data privacy, data protection, and cybersecurity by emphasising the integration of cybersecurity measures. As India’s reliance on digital technology and commerce grows, it is imperative to prioritise robust cybersecurity practices to safeguard personal data from cyber threats. Continued refinement and clarity in key provisions, combined with active collaboration and knowledge sharing, will contribute to the effective implementation of the Bill, instilling greater consumer confidence and reinforcing India’s commitment to data privacy and cybersecurity.