Media Inquiries

United States

Carolyn Posner

Phone: +1 202-281-7345



Priyanka Sethi

Phone: +91 9899487687



Ryan Miller

Phone: +1 202-725-8257


Michael Ridings

Phone: +1 202-463-3132


India’s Privacy Policy Needs to Focus on Interoperability & Compatibility with Global Norms

Following the Indian Supreme Court ruling in August 2017 that declared privacy as a fundamental right, India is gearing up for a legislation on a privacy framework that will have an impact across sectors. India is not alone in its efforts to develop privacy regimes. As evidence of the challenge of striking the right balance, of the more than 85 countries with privacy laws in place, 68 are currently updating or revising their regulations, and many jurisdictions are creating entirely brand-new laws. The institutions and authorities concerned with framing the policy should focus on developing and implementing a privacy policy that not only adheres to an evolving legal standard, but also balances the socio-economic benefits of innovation and efficiency with law enforcement and national security. But perhaps most importantly, this undertaking will frame the opportunities and limits of the Prime Minister’s Digital India vision.

Data is the currency of the digital economy. The ability to move data freely across borders would be key to India’s competitiveness at the international level and will be pivotal to the development of India’s ICT sector. India’s economy has benefitted greatly from the increase in connectivity brought about by market liberalization and the growth of India’s IT and BPO industries. Now, as India seeks to achieve leadership in areas such as cybersecurity, Internet of Things (IoT), cloud computing, and artificial intelligence, it is essential to enable flexible approaches to the use of data and cross-border data flows. The Government should be mindful of the fact that a restrictive data protection framework could put the economy at risk, disrupting not just IT but every industry that depends on information flows.

Moreover, an overly prescriptive framework will drive up the costs of doing business in India and create entry barriers for SMEs and entrepreneurs, many of who hold the solutions to India’s socio-economic challenges such as ICT penetration, and access to healthcare facilities and education. Over-regulating the market could interfere with the freedom of commerce guaranteed under the Indian Constitution; dis-incentivize competition, investment, and trade; and create unreasonable obstacles for business. While developing the data privacy framework for India, policymakers should therefore give due consideration to consumer benefits, business innovation, and the country’s economic growth.

The U.S.-India Business Council (USIBC) supports a light-touch privacy framework that is balanced, flexible, globally interoperable, and which allows the free movement of data, but more importantly, protects the citizens. The framework should allow for risk-based solutions that consider both the nature and the purpose of the data being collected. Developing such a privacy regime will require a judicious and thoughtful approach that draws on the best global privacy principles while continuing to work within India’s existing legal structure.

Help, should it be needed, is at hand. The Organization for Economic Cooperation and Development (OECD) and the Asia-Pacific Economic Cooperation (APEC) have laid out useful principles on privacy, and APEC the Cross Border Privacy Rules (CBPR) offers a forward-thinking implementation models that protect privacy and facilitate the cross-border transfer of data and connectivity that underpins modern economies. Five nations have joined the CBPR system — Canada, Japan, Mexico, South Korea, the United States – with a pending sixth application from Singapore. The Indian government could draw from APEC guidelines and regulatory experiences of states with similar economic and developmental positions to India’s own, and develop a framework which suits its own unique requirements, culture, and economic aspirations.

USIBC suggests that India’s policy framework should be based on three broad guidelines:

a) The privacy regime should outline an overarching set of norms that apply horizontally across different industries and data-processing activities, rather than have numerous regulatory bodies regulating different industry sectors. Such a framework could also be tailored in limited circumstances to apply special protections to sensitive data, as needed.

b) The new privacy regime should ensure compatibility and portability with emerging global norms to develop an Indian jurisprudence that integrates India into global digital global markets. India should, therefore, avoid laying out restrictive models, norms, or prescriptive measures that could stifle innovation, sub-optimize economic benefits, and digital commerce. Global standards should be leveraged to the fullest extent practicable before the Government considers adding other data protection obligations.

c) The privacy norms should allow digital innovation and enable India to maintain its leadership in the global digital economy without impeding the free flow of data. USIBC recommends the Indian Government consider adding the topic of “privacy” to the US-India ICT Working Group (ICTWG) to ensure compatibility of the two countries’ privacy regimes. Approaches to privacy must remain collaborative, flexible, and innovative over the long term. This will enable solutions to evolve at the pace of the market while meeting the needs of the nation and its people.