India's data privacy draft bill is long due, analysts say

Proposal is aimed at protecting user data and regulating the industry

An Indian visitor passes a mural depicting various social medias including Facebook, inside a building in Bangalore on March 22, 2018.
India March 21 warned Facebook of “stringent” action for any attempt to influence polls by allowing data theft and even threatened to summon Zuckerberg if needed. / AFP PHOTO / MANJUNATH KIRAN
Beta V.1.0 - Powered by automated translation

India is looking at enforcing strict data privacy laws, which would have huge implications for the use of personal information by global technology giants such as Facebook and Google, as well as Indian companies.

A committee led by retired Supreme Court judge BN Srikrishna at the end of July submitted a draft personal data protection bill to the government. Its recommendations include foreign technology firms storing data in India rather than overseas, setting up a regulatory body, and hefty penalties for those who fall foul of the law.

“In India, currently data privacy is not very stringent, so there have been a lot companies which have been set up around data-based marketing because data is freely available in the market,” says Vikram Kotnis, the managing director of Amura Marketing Technologies, a digital marketing agency in Pune. “I think the data protection needs to come in from a consumer standpoint, but it will have far-reaching implications when it comes to a lot of companies.”

Under the data protection law, the implications of the recommendations are that “Google and Facebook will have to start moving all their data centres to India, so there may be a big boom in commercial real estate and data centres and there will be a spike in companies and jobs related to data storage”, he adds.


Read more:


India currently has little regulation in place when it comes to storage and personal information. This has become an issue given the rapid rise of smartphone and internet use in the country more than 1.3 billion.

The ever-expanding number of people in India using the internet at the end of 2017 stood at 481 million, an increase of more than 11 per cent over a year earlier, according a report by the Internet and Mobile Association of India and Kantar IMRB.

Amid this rapid rise of Indians moving online, experts explain that it has been something of a free-for-all environment when it comes to many companies obtaining Indian citizens' personal data.

“Given international developments like the changes made by the European Union to its data protection law, the General Data Protection Regulation (GDPR) and Facebook’s Cambridge Analytica fiasco, the need for a similar legislation like the GDPR in India seemed imminent,” says   Rajesh Begur, the managing partner of Mumbai-based ARA LAW. “The bill, to that extent, is one of the many developments towards making India a jurisdiction at the cusp of international best practices – while also being an important step aimed to enhance individual rights.”

The General Data Protection Regulation is a European privacy law that started in May and curbs targeted advertising.

There is still a need for a lot of clarity and the bill will be likely to undergo several changes before it becomes law, Mr Begur points out.

Google India declined to comment on the draft bill. A spokeswoman for Facebook in India said that the company was “still studying the policy”. Facebook has more than 240 million users in India, making the country its largest market.

“One will have to see how the final form in which it is legislated,” says Darshan Upadhyay, a partner at Economic Laws Practice, a law firm based in Mumbai. “However, as it now stands, several businesses including healthcare, telecom, banking, targeted marketing and several apps and search engines will have to modify the manner in which they collect, process and store personal data.”

Given the government's ambitions to move more processes online under its Digital India initiative and increase the use of the biometric identification scheme, called Aadhaar, which most of the population in India is signed up to, have made it critical to look at protecting data.

“The recent news and claims on the compromise of the Aadhaar database from the servers and its partners has made citizens wary of the security of the biometric information they are providing to the government and has sparked privacy concerns,” says Rajpreet Kaur, a senior analyst at Gartner, a research and advisory company. “Also, the unscrupulous use of personal data and information by businesses that record and sell user information to various third parties has led to outrage among citizens about the protection of their personal information and privacy.”

She adds that “the fear of reputational risk” due to growing public fears about data loss and identity theft is “making organisations increasingly concerned about data privacy”.

Many business leaders therefore say it is a welcome move that India is looking at introducing much-needed privacy laws, which should restore confidence in companies.

“There is a long way of discussions to go through before this culminates into a law,” says Dushyant Jani, the founder and chief executive of Mumbai-based digital marketing company Mobclixs. “But I'm happy to see that this much needed regulation will institutionalise a standard process to follow while dealing with any form of data.”

Government bodies would also have to comply with the privacy law under the recommendations.
"In general, this shall make the organisations, whether government departments, public sector enterprises, or private or commercial organisations more responsible in their approach towards handling the data." says Rana Gupta, the vice president of APAC sales, identity and data protection at Gemalto, which focuses on digital security.

It would ultimately be smaller companies dependent on easy access to data in India that could be the hardest hit. The likes of Facebook should be able to adapt given that they are already complying with such laws in other countries, analysts say.

“Companies like social networking websites, apps, process data for millions of users in India, often stored at remote servers,” says Rajdip Gupta, the managing director of Route Mobile, a cloud communication provider headquartered in Mumbai. “However, once the bill is passed, these companies will have to encrypt and store the data in India. Also, such companies may face difficulties while abiding by data localisation requirements, which is a challenging task. Apart from this, the infrastructure costs will increase, since data centres are more expensive to build and run taking into consideration factors such as high power costs, real estate.”

The potential introduction of sweeping new data protection regulations in Asia's third largest economy could provide a dramatic boost to the cloud computing and data centre segments of India's $160 billion (Dh588bn) IT sector, analysts say. India’s cloud computing industry, which reached $1.8bn in 2017 according to Gartner, could be one of the main beneficiary from the proposed law.

“This law will be particularly advantageous to cloud computing, internet service providers, data centres, IT infrastructure, and help them run at their optimal capacity,” says Mr Gupta. “Further investments would be spurred towards building more data centres and infrastructure.”

Siddharth Ravindran, the chief executive of, a digital finance company based in New Delhi, says he expects to see little impact from the privacy laws on his business.

“We take utmost care of customer data and have defined processes to manage confidential information,” he said.

But others are very concerned about the potential impact of the proposed regulations.

The draft data protection bill “is catered more towards the needs of individuals, sidelining the excellent data mining that marketing and digital research companies such as ours can conduct with some of this data to deliver better results for their brands and the overall industry to move forward”, says Zafar Rais, the chief executive of MindShift Interactive, a digital marketing firm in India.

His industry and business will be hampered but the new framework, if the proposed measures come into effect.

“Most players have been using data in India towards effective targeting and driving higher outreach, but things shall change towards making campaigns morecostly, reduced outreach and a reduction in being able to data mine and build far more effective campaigns,” he says. “Smaller local tech companies I worry will incur additional costs and obstacles that could form deterrents towards their growth speed.”

Ultimately, when India does implement new data privacy laws, it will be how well those regulations are actually enforced that will be critical.