The pertinent dilemma with India’s data policy

The private sector may be granted access to select databases for commercial use.
Image © Analytics India Magazine
Listen to this story

Last February, the Ministry of Electronics and Information Technology (MEITY) released the ‘Draft India Data Accessibility & Use Policy, 2022’. The document showed MEITY has plans to set up an India Data Management Office (IDMO) to oversee the metadata frameworks and their implementation. It also suggested forming a regulatory body, India Data Council (IDC). The IDMO will consult with relevant ministries and state governments to revise the National Data Governance Framework rules. 

Internet consumption in India. Source: CISCO


Sign up for your weekly dose of what's up in emerging technology.

Why do we need data regulation laws?

“The private sector may be granted access to select databases for commercial use. Given that the private sector has the potential to reap massive dividends from this data, it is only fair to charge them for its use,” noted the 2019 National Economic Survey. The Draft India Data Policy aligns with the government’s data monetisation push.

The idea is to keep all the datasets open by default, except for a few that will be marked ‘negative’. The India Data Council will sort the high-value datasets based on their “degree of importance in the market, degree of socio-economic benefits, impact on India’s Al strategy and performance on key global indices.” The IDC has the power to determine the metadata and data standards for every central department. Last October, Karnataka became the fifth state after Telangana, Odisha, Sikkim and Punjab to monetise citizen data. 

  Number of connected devices (in millions) in India. Source: Ericsson Mobility

Privacy protection

The policy proposal drew flak over the lack of data protection laws. While the policy promised anonymity, there was no regulatory framework to support it. The Non-Personal Data Governance Framework had been on the backburner since 2020. 

The government is working on a ‘Digital India Act’ to replace the Information Technology Act 2000. The act will replace the Personal Data Protection Bill. The PDP bill tried to introduce data localisation– inspired by GDPR–to restrict information flow geographically. However, the data localisation was promptly rejected by corporate stakeholders as it would require companies to overhaul their data architectures. 


The draft has been revised to include anonymisation standards in the wake of the backlash. MEITY has also noted that private companies must be “encouraged” to share non-personal data with startups and Indian researchers through a proposed initiative called the India Datasets programme. 

“The constitution of an Appellate Grievance Redressal Committee is another major highlight of the proposed amendment. This is a crucial and positive policy action that will provide adequate recourse for users against the decisions of grievance officers. However, to ensure adequate checks and balances on the powers of the committee, the Rules must also envisage mandatory public disclosure of their orders and its periodic review by an oversight body as prescribed in the Blocking Rules. It will also be important to envisage a robust appointment process with an adequate number of judicial and technical members in the committee to ensure an informed decision making process,” said Kazim Rizvi, founding director of the public policy think tank, The Dialogue

Rizvi said, while the introduction of the updated regulations was the right direction, changes are due. “The proposed amendment to the IT Rules, 2021 is a progressive step that will ensure that our laws and policies remain updated to cater to the emerging challenges in the digital space. We welcome the Ministry’s invitation for inputs on the proposed amendments and hope that this exercise will be helpful in understanding the concerns on other key aspects of the Rules as well and create a more inclusive regime for Platform Regulation. 

The proposed changes effectuate the objective of greater transparency and accountability in the digital ecosystem which is critical for realising the goals of a free and rights enabling online space. The introduction to the draft also notes that the changes will not impact startups and will only be applicable to the Big Tech platforms. This step reverberates the government’s commitment to ease entry barriers in the sector and promote Ease of Doing Business. However, appropriate change must also be made to the relevant Rule 3 of the IT Rules given that its title still reads that the mandate is applicable to all digital intermediaries.

The proposed amendments themselves emphasise on the duty of the intermediaries to respect constitutional rights. It is imperative to realise that stringent timelines without content gradation according to the anticipated degree of harm can lead to chilling effects on online free speech of the citizenry, a concern well discussed by the Hon’ble Supreme Court in the Shreya Singhal judgement. A risk based approach needs to be adopted and the timelines for takedown should be revisited accordingly,” he added.

Global data protection laws 

Most countries have strict data protection laws. The European Data Protection Board (EDPB) drafted rules for transferring sensitive and personal data outside EU countries. Organisations were required to take consent from individuals before transferring their personal data. Post-Brexit, Britain had to adopt GDPR to facilitate the free flow of data between the former and the EU. 

China also drafted its Personal Information Protection Law (PIPL) in the second half of 2020. The PIPL granted the residents the power to withdraw permission to share their data and the right to delete data while ensuring protection during cross-border data transfers. Canada is revamping its data protection laws to include the private right to action and hefty fines. In sum, India has a lot of catching up to do.

More Great AIM Stories

Poulomi Chatterjee
Poulomi is a Technology Journalist with Analytics India Magazine. Her fascination with tech and eagerness to dive into new areas led her to the dynamic world of AI and data analytics.

Our Upcoming Events

Masterclass, Virtual
How to achieve real-time AI inference on your CPU
7th Jul

Masterclass, Virtual
How to power applications for the data-driven economy
20th Jul

Conference, in-person (Bangalore)
Cypher 2022
21-23rd Sep

Conference, Virtual
Deep Learning DevCon 2022
29th Oct

3 Ways to Join our Community

Discord Server

Stay Connected with a larger ecosystem of data science and ML Professionals

Telegram Channel

Discover special offers, top stories, upcoming events, and more.

Subscribe to our newsletter

Get the latest updates from AIM

What can SEBI learn from casinos?

It is said that casino AI technology comes with superior risk management systems compared to traditional data analytics that regulators are currently using.

Will Tesla Make (it) in India?

Tesla has struggled with optimising their production because Musk has been intent on manufacturing all the car’s parts independent of other suppliers since 2017.

Now Reliance wants to conquer the AI space

Many believe that Reliance is aggressively scouting for AI and NLP companies in the digital space in a bid to create an Indian equivalent of FAANG – Facebook, Apple, Amazon, Netflix, and Google.