With Privacy as its Core Principle, Personal Data Protection Bill to Boost Digital Economy, Tech Sector

India is on the cusp of a data revolution. An average Indian consumes 8.3 GB data per month, a 92X increase compared to the data consumption four years ago. By 2022, the next half billion Indians will come online for the first time through their mobile phones. This massive amount of data appetite of a mobile-first consumer has opened avenues for businesses and government alike.

Data provides a golden opportunity to closely understand what consumers want and design customer-centric products and services. The Government of India has embarked on policy initiatives for digitisation, an essential prerequisite for data generation at scale. IndiaStack, the paperless layer that leverages Aadhaar, is reported to have powered around 17 billion e-KYCs (know your customer) and saved more than US$7 billion in authentication services for the government. This stack offers endless opportunities to fintech companies, healthcare providers and others to understand customers better and provide value added services.

Similarly, the deployment of Unified Payment Interface (UPI) has enabled financial inclusion of millions of unbanked citizens while the online goods and service network has brought in transparency in flow of funds across states. This continuing digital transformation brings with it trails of consumer data that needs protection to sustain confidence in a data economy. Personal data breaches such as the recent Pegasus spyware undermining Whatsapp data of Indian citizens has driven the need for a strong data protection regime. In the wake of global regulations such as General Data Protection Regulation (GDPR) and the recognition of privacy as a fundamental right by Supreme Court, the Indian lawmakers have conceptualised the Personal Data Protection Bill 2019 – a landmark legislation balancing individual and national interests on data.

Closely modelled on GDPR, the Personal Data Protection Bill (PDPB) is built on the solid principles of user consent, purpose limitation, collection limitation, authorised basis for processing, right to access and correct personal data, right to delete erroneous data (including profiling) and data portability. Once implemented, the Bill will require enterprises to incorporate “privacy by design” as its core management principle and revisit information technology infrastructure and policies to comply with requirements.

The power of artificial intelligence (AI) and big data is mooted to be one of the drivers of the data economy. The Srikrishna Committee report on Data Protection clearly outlines that data asymmetry is the biggest barrier in harnessing data and unlocking the power of AI. As of today, data of Indian citizens primarily resides in servers outside the Indian territory. The size of the Indian data market more than justifies the creation of local infrastructure by global behemoths. Because of data localisation mandated under the Bill and local business models built around data will flourish. This, in turn, will employ the burgeoning tech talent in the country and expand innovation.

An example of the effect of data localisation on big data can be outlined as such. Reserve Bank of India (RBI) has announced an in-house analytics lab that is going to cover cases such as inflation management, banking supervision, fraud detection and financial inclusion. The base data for this would include financial information of citizens that is to be stored and processed within India’s territorial boundaries as a result of data localization mandate.

Data localisation will ensure transparency in business processes and warrant protection of interest of individual’s data. As a result of this, digital companies storing Indian citizens’ data will have to comply with national interests and co-operate with the Government in cases of reported data breaches, cyber-attacks or surveillance.

We need to acknowledge that as the awareness around data protection increases, business models will evolve. Privacy models empowering consumers with their data will come in. The Bill has already mooted the establishment of Consent Management platforms that shall empower users to monitor and control their data usage. It is about time that the power to monetise data shall shift completely to the data owner. In such a world with privacy at its core, businesses looking at AI to detect vulnerabilities in enterprises and turn privacy certification into opportunities could be earning as much as US$12 billion in revenues by 2025 according to the report published by Omidyar Network India and Monitor Deloitte.

As India embarks on this pioneering initiative, the country will witness an ecosystem through which the digital economy of the country will be regulated in a matured manner. Simultaneously, as the melting pot of ideas in data intensive sectors like AI, FinTech and ML is brewing, tech startups and IT companies can leverage the enormous opportunities in these domains by building world-class products apropos the mandate of regulations.

The author is the director general of Software Technology Parks of India.