Data Flows and Tech Policy in India

Through a new program on Platform Futures, the Digital Asia Hub aims to convene a network of academics and experts studying multiple aspects of platforms, and to create a space for dialogue on opportunities, challenges, and governance best practices in the APAC context.


Smitha Krishna Prasad has been working with the Centre for Communication Governance at National Law University, Delhi where her research has focused on issues around privacy, data protection and surveillance. She also works on questions of emerging technology and law, and the expansion of tech regulation through legal and economic policy making initiatives. Previously, Smitha was a member of the Technology, Media and Telecoms, Intellectual Property and International Commercial Laws practice group at a leading law firm in India. During this time, she was regularly involved in advising on matters dealing with data protection and privacy laws, regulatory and legal issues in relation to big data and data analytics, digital and new media matters, and regulatory issues and laws applicable to e-commerce businesses, and payment systems and mechanisms in India.

DAH: You’ve recently launched a new project to create a privacy archive/repository. What was the gap or problem that it was intended to fix, and how do you anticipate users will engage with this platform?

SP: The past 3-4 years have been big for the community of researchers, lawyers, and advocacy groups working on issues relating to privacy and data protection in India. In 2017, a landmark judgment by the Supreme Court, in Puttaswamy v Union of India reassured Indians of a fundamental, constitutionally protected right to privacy. However, a lot of work remains to ensure that we are in fact able to exercise this right as we go about our daily lives.
A data protection law is one step towards this goal. However, data protection is also just a subset of privacy regulation. Our privacy is impacted at so many junctures – as we’ve seen in the context of important cases dealing with the de-criminalisation of same sex relationships, or discrimination against the transgender community. These developments, whether at the Supreme Court or in Parliament in one country, equally also impact how the right to privacy is viewed and upheld in others.
As we engaged in research and writing on these issues at the Centre for Communication Governance at National Law University, we observed that there were no dedicated resources that comprehensively looked at the various legal issues around privacy and its many facets. The Centre’s Privacy Law Library aims to build a repository of privacy law and case law from India, and across the world to help researchers, lawyers and policy makers in their efforts to build on privacy friendly law and policy both in India and abroad.

DAH: A personal data protection law in India has been on the cards for a long time. What’s the current status? What are the implications for technology platforms, and for the data flows that they facilitate?  

SP: The Personal Data Protection Bill, 2019 is currently being discussed by a specially constituted parliamentary committee, consisting of members from both houses of Parliament. The committee is expected to submit a report consisting of its recommendations in the next month or so. The Bill was published in 2019, and reporting around the parliamentary committees deliberations suggest that we can expect some significant changes.

However, at a broad level, having a comprehensive data protection law along the lines of the Bill of 2019 would mean that technology platforms have to show operational compliance with a number of widely accepted data protection principles. For instance, while the Bill does focus on consent as one of the grounds on the basis of which personal data can be collected, the terms for valid consent are elaborate, and there are several individual user rights and requirements under the law that a data fiduciary (the equivalent of a data controller under the GDPR), cannot overwrite through contractual terms.

The larger platforms can also expect higher thresholds for transparency and accountability, and will be expected to conduct impact assessments before processing personal data on a large scale basis, or using new technology.

A lot of questions also remain on some of the more controversial policies suggested over the past few years around mandatory data localisation and data sharing requirements aimed at foreign platforms operating with large user bases in India.

DAH: The pandemic has forced even more activity onto digital platforms, especially in areas like health care and education. Is there an added urgency to assess potential harms and plug gaps? How is the debate about trade offs playing out?

SP: In the early days of the pandemic, we saw a lot of discussion around the Indian government’s contact tracing app ‘Aarogya Setu’, that relied on assurances more than law and policy in the collection and processing of personal data of millions of citizens.

As the realities of living in a locked down world set in over the next few months, it became increasingly obvious that these questions on the safe use of personal data extended to the many private platforms that were now providing indispensable services online. It is crucial to consider the impact of moving services such as healthcare and education online. In the first case, we end up providing the most intimate and sensitive of information through new online channels that are likely unfamiliar to many users. In the second case, it is often information about children that is provided to online education service providers and third parties that facilitate such services. This could include basic demographic information for, or in the case of more sophisticated services, detailed profiles about these children.

Today, almost a year into the pandemic, it is clear that a pause on offline / in person services cannot mean no services at all. People cannot be expected to go without services such as healthcare, or basic education for their children for months on end. As services move to online platforms and become more data-intensive, the absence of stronger legal protections, has meant that the conversation around trade-offs has become more public – a big step forward.

DAH: The Indian government is prioritising digital public infrastructure through several initiatives. What is the thinking behind these efforts, and how does this public layer interact with citizens and private companies?

SP: The ‘Digital India’ scheme launched in 2015 ties together many government initiatives that aim to promote ‘digital’ services across sectors. This includes a huge emphasis on building platforms that enable access to government services online. These platforms and initiatives go hand in hand with efforts to increase internet penetration in rural areas, and are meant to facilitate last-mile delivery of government services – an exercise that is largely marked by corruption and discrimination in the offline world. The platforms are also supposed to be built in an open and transparent manner, using open source software (promoted, and even mandated, by the Indian government for several years now).

However, many of these initiatives have also become increasingly controversial, and while these are not platforms as we most commonly understand them (large multinational private entities), the governance of these platforms is an equally big question. On the one hand, they involve public private partnerships that are seen to lack transparency and accountability in terms of procurement of services, and actual operations. The other, often more pressing, concern is that once digital services are available, they are often made mandatory. In a country where a large majority of the population came to the digital / internet world ‘mobile first’, and does not have clear and easy access to the Internet, or the digital literacy to understand the implications of their own or third party actions, such blanket efforts are concerning.

DAH: If you had to pick two or three tech policy issues that will shape India’s approach to platform governance, what would they be and why? Apart from challenges in the short- to mid- term, what “questions from tomorrow” should scholars and practitioners start engaging with?
SP: I think one of the key issues that will continue to be critical in India is that of localisation – while India’s proposal on data localisation has of course been much discussed, these questions go well beyond the local storage of data. We’re now seeing more attempts to ensure that platforms have local offices, and are answerable to local government. This can be a double-edged sword – on the one hand, big tech platforms have constantly been criticised for not taking local context into account in their actions. On the other hand, local law, or attempts to change and implement local law and policy, have also been criticised for not meeting rights standards.

The other big question is that of sharing of data at scale for public purposes, especially in a post-pandemic world. Proposed policies around the mandatory sharing of non-personal data have already addressed some of these issues. However, as seen from our experiences with Covid-19, whether in the context of digitising contact tracing, or understanding ‘informed consent’ in clinical trials, there’s a gap between (a) privacy researchers and advocates, (b) the researchers, scientists and broader community that requires evidence-based research to propose and implement useful policy and solutions and (c) the community of technologists who are building public digital services.


Main logo2-1Through a new program on Platform Futures, the Digital Asia Hub convenes a network of academics and experts studying multiple aspects of platforms, and to create a space for dialogue on opportunities, challenges, and governance best practices in the APAC context.

For more information about Digital Asia Hub and Platform Futures visit

Smitha Prasad
Latest posts by Smitha Prasad (see all)