Privacy as priority: India can’t afford any further delay in notifying data protection rules

A few days ago, Signzy, a popular Know Your Customer verification service used by India’s top banks and fintech firms, was affected by a cyber attack that may have exposed the sensitive personal information of millions. India’s Digital Personal Data Protection Act was passed six years after the Right to Privacy verdict in 2017. The Digital India Act, touted as a law to cover everything from social media regulation to AI governance, and the national cybersecurity policy last updated in 2013 are both essential to India’s data governance framework, but haven’t seen progress in the past four years. The government’s proposed measures in the DPDP Act include age verification for minors, a contentious topic that has seen experiments ranging from self-reporting a date of birth before accessing a service—mostly ineffective—to excessive and invasive modes such as AI-based age verification through photos or KYC checks. ‘Deemed consent’ provisions enable the processing of a user’s data without explicit consent under specific conditions, and if combined with the many exemptions made for the state, these may hollow out the protections for vulnerable groups who have little choice but to provide their data to the government for social protection and other essential services.