ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > Growing Global Spotlight on Privacy, GDPR, Resonating in India

Growing Global Spotlight on Privacy, GDPR, Resonating in India

Sandeep Godbole, CISA, CISM, CGEIT, CISSP, CEH, Past President of ISACA Pune Chapter
| Posted at 3:01 PM by ISACA News | Category: Privacy | Permalink | Email this Post | Comments (1)

Sandeep GodboleIndia is a country at the cross-roads of transformation. As one of the fastest-growing economies, it is expected to be the most populous country in the world in a few years, potentially home to about 20 percent of the world population. Therefore, events in India are becoming increasingly relevant from an economic as well as geopolitical perspective.

The advent of the General Data Protection Regulation (GDPR) has brought significant focus globally and in India on privacy. The interest in privacy goes beyond the transactional and operational aspects. It explores deeper into the basis and relevance for privacy.

It is in this context that a landmark judgment delivered in August 2017 by The Supreme Court of India assumes significance. A nine-judge bench of the Supreme Court delivered the order that privacy is a fundamental right and an intrinsic part of the right to life and personal liberty guaranteed by the Constitution of India. The judgment has settled the debate on the matter and has meant that initiatives and activities of the government, as well as those of private enterprises and organizations, will need to ensure that privacy of individuals is protected.

A committee was formed by the Indian government in 2012 under the chairmanship of the former Chief Justice of the Delhi High Court to draft a paper that would facilitate the authoring of a privacy law for India. The committee suggested a detailed framework to serve the conceptual foundation for the proposed privacy law and mentioned the following features that should be included:

  1. Technological neutrality and interoperability with international standards. This feature recognizes the need to preserve privacy in the face of ever-changing technology. It also recognizes the need to be in harmony with international regimes to create trust for cross-border data flow.
  2. Multi-dimensional privacy. This aspect recognizes that privacy protection involves different types of data and different methods of communication and storage.
  3. Horizontal applicability. The frameworks should not discriminate between the government and private enterprise in matters related to protection of privacy.
  4. Conformity with the privacy principles. The committee has laid down privacy principles that are in conformity with globally recognized principles such as choice, collection limitation, etc.
  5. Co-regulatory enforcement regime. The committee has recommended a structure for regulators and emphasized the need for self-regulatory industry or sector-specific bodies.

India has now set into motion discussions for a data protection law. The government has assembled a committee to study various aspects needed to create a bill under the chairmanship of Justice Srikrishna, former Supreme Court judge. The proposed law is expected to address data privacy in a holistic manner. The committee had issued a white paper to solicit opinion from various stakeholders and the public on multiple aspects, including the content of the law.

GDPR has been a significant step that has spurred discussions around data protection and privacy across the globe, and India is no exception. Given the significance of information technology to India’s growth, the interest is natural. In terms of population, India is about 2.5 times that of the EU. The impact and significance of the data protection law in India is likely to be even higher. It is certain that India is on a path that is in sync with the global direction.

Editor’s note: To view ISACA’s resources on GDPR, visit


Privacy Concerns Not Resonating Loudly Enough in India (With the People that Matter)

The Indian government’s actions seem to belie its words. In May 2017, the Government told the Supreme Court that citizens could not claim "absolute" right over their body parts. The Attorney General (AG) told the Supreme Court that “no fundamental right of privacy is guaranteed under the Constitution.” The AG also told the Supreme Court that privacy “is an elitist right for people in developed countries. India is a poor developing country” (and hence cannot dream of such elitist rights).

How serious the government is about privacy can be gauged from the fact, that the Employees Provident Fund Organisation (EPFO) gave 2 private researchers access to around 60 gigabytes of the EPFO database that included employees’ names, dates of birth, permanent account numbers (~US Tax Identification Number), provident fund contributions, and industry names, for a period between January 2015 and November 2017 – just so that the researchers could write a favourable piece on job creation for the government.

The committee setup by the government appears to lack balance and is stacked with members from various government ministries (all these ministries are busy promoting the Aadhaar biometric project in a big way), the CEO of UIDAI (The agency that has coerced and threatened 1.2 billion Indians to part with their biometrics). A private think tank (Vidhi Centre for Legal Policy), funded by the wife of the “architect” of the Aadhaar project is part of the committee. This think tank drafted the Aadhaar Act and also represented the UIDAI in the Supreme Court. No members of civil society or privacy advocates appear to be part of this committee.

Considering the constitution of the committee, it is unlikely that data privacy will be addressed in a holistic manner or that India will be in sync with the global direction.
Shahvir at 3/2/2018 11:04 AM
You must be logged in and a member to post a comment to this blog.