Without Data Protection Law, India Puts Privacy Rights of Users at Risk: IMF Paper

'A robust data protection framework is essential to protect citizens’ privacy, prevent companies and governments from indiscriminately collecting data, and holding companies and governments accountable for data breaches,' the paper said.

New Delhi: A comprehensive data protection law is still missing in India, placing the privacy and other digital rights of users at risk, a new IMF working paper has said.

The IMF paper titled, Stacking up the Benefits: Lessons from India’s Digital Journey, said, “A robust data protection framework is essential to protect citizens’ privacy, prevent companies and governments from indiscriminately collecting data, and holding companies and governments accountable for data breaches to incentivise appropriate data handling and adequate investments in cybersecurity.”

The paper, authored by Cristian Alonso, Tanuj Bhojwani, Emine Hanedar, Dinar Prihardini, Gerardo Uña, and Kateryna Zhabska, was published March 31, 2023.

In 2017, the Supreme Court ruled that privacy is a fundamental right and asked the government to implement a robust regime for data protection. However, each day that goes by without a data protection law, the government is failing to ensure that citizens exercise their fundamental right to privacy effectively.

According to reports, more than 80 million Indian users were affected by data breaches in 2021. In fact, in 2021, India was ranked third in terms of global data breaches, Business Today reported.

Data breaches in that year included Air India, Domino’s, Facebook, Mobikwik, and Upstox exposing users’ names, phone numbers, and even bank account, passport, and Aadhaar data, per the Internet Freedom Foundation.

Each year, IBM estimates the average cost of a data breach in India.

The average cost of a data breach in 2021 in India amounted to $2.2 million. For comparison, the average cost around the world was estimated at $4.24 million per incident, the IMF paper quoted IBM as saying.

“For users, the experience of fraud can weaken trust and delay transition to digital channels,” the IMF paper added.

Also read: Data Protection Bill Is Riddled With Arbitrary Provisions That Violate the Right to Privacy

Social protection systems

The IMF paper said that “India’s main social safety net and subsidies programmes are characterised by near universal rights-based programmes, which faced high levels of leakage, inefficiency, and corruption.”

The largest programme is the public distribution system (PDS), which has suffered from corruption, in the form of identity fraud (i.e., duplicates, non-existent beneficiaries, etc.) and quantity fraud (i.e., under-selling, diversion of wheat and rice).

In 2012, an estimated 36% of total spending on the PDS never reached intended households because of ghost beneficiaries and the illegal diversion of subsidised goods by intermediating dealers, it added.

It further stressed on the need to modernise social protection, and said that while the current schemes in India reached a large group of households during the COVID-19 pandemic, studies show that the pandemic response excluded about half of all women. There is significant room to identify new groups who could be included in the social protection system, therefore making social assistance more resilient and adaptable.

Additionally, it said India’s DPI (digital public infrastructure) ecosystem holds powerful lessons for other countries embarking on their own digital transformation. It said, “India Stack has been harnessed to foster innovation and competition, expand markets, close gaps in financial inclusion, boost government revenue collection and improve public expenditure efficiency.”

India Stack, which is the collective name of a set of commonly used DPIs in India, started with the Aadhaar digital ID scheme, which was launched in 2009. It consists of three different layers – identity (Aadhaar), payments (UPI), and data (DigiLocker and Account Aggregator).

“The widespread adoption of Aadhaar has the potential to dramatically improve the use of third-party data for risk analysis and enforcement work at the tax administration. In practice, some forms of criminal evasion schemes that were previously difficult to detect and deal with will become considerably more challenging for those engaged in them. Beyond its use for mitigating deliberate evasion, the simple ability to access more current and up to date registration information is already improving the use of targeted education, outreach, and other essential taxpayer services,” the paper said.

It added that certain features of India’s journey would be difficult to replicate elsewhere, such as Aadhaar, though this is not a precondition for success.

It, however, said despite significant progress, digital literacy remains low in India, and represents a barrier to engaging with DPI-based solutions.

“For example, while there has been an exponential increase in UPI-based payments, only 35% of persons aged 15 and over have made or received a digital payment, indicating that the use of digital solutions is concentrated within select segments of the population. Digital literacy is ‘the ability of individuals and communities to understand and use digital technologies for meaningful actions within life situations’ and so, it requires individuals to be able to use computers, tablets, or smartphones and access the internet,” the paper said.

It further highlighted that digital literacy is low for older and poorer individuals.