Analyzing the Union Budget’s Impact on Data Protection and Privacy in India

The Union Budget for FY 2023-24 reflects a new focus on technology and digitization in India, with a significant increase in allocation from the exchequer. The Digital India program has been allotted INR 4,795.24 crore, while the Ministry of Electronics and IT has seen a 1000 percent increase in funding for its Artificial Intelligence and Digital Intelligence Unit.

However, this push towards digitalization comes with unprecedented challenges. Expanding digital networks requires the collection, storage, and sharing of vast amounts of data, including personal information such as biometrics, financial data, and health records. Unfortunately, legal frameworks have not kept pace with this rapid digital transformation, leaving privacy and cybersecurity systems lagging behind.

To address these issues, the government is set to introduce a new National Data Governance Policy that will allow access to anonymized data. Anonymized data refers to data that does not contain Personally Identifiable Information (PII), such as names, addresses, ages, and phone numbers, or data from which PII has been removed. However, various research studies have demonstrated that it is relatively easy to reverse-engineer anonymized data to identify individuals. For instance, in 2019, a study successfully reidentified 99.98% of Americans in an anonymized dataset, including over 11 million individuals’ details held by the US government.

The use of anonymized data to inform decision-making has become increasingly popular in India. However, current methods of anonymization are not always effective in protecting individuals’ privacy. To ensure that India can safely utilize anonymized data, the country needs a robust data protection law.

Unfortunately, the current Digital Personal Data Protection Bill for 2022 is not comprehensive enough and lacks key safeguards that were proposed in earlier consultations and previous versions of the Bill. For instance, the 2021 Draft included a penalty for intentionally reidentifying an individual from their anonymized personal information. However, this provision has been removed, raising concerns about inadequate privacy protections.

Without a strong data protection law, individuals’ personal information will be at risk of misuse or unauthorized access, which could have significant consequences for their privacy and security. To ensure that the government can make informed decisions while safeguarding citizens’ personal information, it is imperative to prioritize the development and implementation of a comprehensive data protection law that provides sufficient safeguards and penalties for violations.

The Union Budget proposes changes to Income Tax search and seizure provisions to keep up with technological advancements. However, this raises concerns about potential violations of privacy. With these changes, IT officials could seek assistance from experts to access digital devices and encrypted data, potentially giving them access to private communications, photos, and videos. The absence of legislative limitations and safeguards, combined with the lack of oversight and restrictions on when or how these powers can be used, creates a risk of arbitrary or abusive behavior.

Allowing access to personal devices and encrypted data, which often contain a significant amount of an individual’s personal life, without a data protection system that ensures necessity and proportionality, is concerning for a democracy that guarantees the fundamental right to privacy in its constitution.

The Union Budget also proposes to expand the functionality of DigiLocker, a cloud-based platform that stores, shares, and verifies documents and certificates. The aim is to make it a comprehensive solution for identity and address verification, with Aadhaar as the foundational identity. However, to achieve the goal of “Trust Based Governance,” two critical issues need to be addressed.

Firstly, the cybersecurity infrastructure must be strengthened to inspire people’s confidence in the system and prevent incidents such as the 2020 DigiLocker account breach, which affected 3.8 crore users. Without robust cybersecurity measures, there is a risk of data breaches and other security incidents, which can undermine public trust in the system.

Secondly, it is essential to limit the expansion of Aadhaar to prevent it from becoming mandatory for exercising fundamental rights such as voting. The extensive use of Aadhaar has led to numerous human rights concerns and data breaches in the past. Therefore, it is critical to ensure that Aadhaar is used only where necessary and that alternatives are available for those who do not wish to use it.

It is crucial to establish effective regulations that create accountability mechanisms and strengthen digital rights in tandem with digitization efforts. Presently, the focus is primarily on quickly implementing digital technologies, with inadequate emphasis on ensuring accountability and safeguarding digital rights. This approach must be reoriented to ensure that digitization benefits are balanced with adequate privacy and security protections.

The World Economic Forum’s Global Cybersecurity Outlook 2023 states that cybersecurity and data privacy regulations are effective in mitigating cyber risks. This year, several new laws have been enacted on data protection, telecommunications, internet governance, and cybersecurity. However, these laws’ drafts fall short of global best practices and international rights frameworks. As India prepares to lead in this area during its G20 presidency, it is essential to prioritize the development of privacy and cybersecurity regimes that respect individuals’ rights and serve as an example to the rest of the world.

As India’s stance on data protection and privacy undergoes changes, it is crucial for businesses to ensure their compliance with the relevant regulations. Rainmaker offers comprehensive solutions to help address your compliance concerns. Our e-modules and workshops ensure that your employees are well-versed in matters related to data protection and privacy, thereby easing your compliance burden. Reach out to us to learn more about our offerings.

Author: Kevin Davis, Research Associate, Law, Rainmaker Contributions and Directions: Akanksha Arora, AVP-Legal, Rainmaker

Disclaimer : No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.