Table of Contents


India has witnessed rapid digital growth in a short time span. This has resulted in technological advances, new governance regimes, and bespoke, India-only digital policies. Taken together, these changes have come to define the Indian model of data governance. In turn, this model aims, from an Indian perspective, to empower citizens.

As the pace of government adoption of new technologies and services has picked up, public debates in India about the need to balance data rights with digital innovation have accelerated in lockstep.1 This trend has been driven by India’s rapid digital expansion and concerns that citizens unfamiliar with the potential harm that could arise from the misuse of data will suffer. Despite these concerns, India does not yet, as of August 2022, have a uniform, comprehensive data protection law, even though data has become central to most private enterprises and public initiatives.


Rahul Matthan
Rahul Matthan is a partner with Trilegal and heads its technology, media, and telecommunications practice. He serves on the board of the firm. He is also a fellow with the Takshashila Institution’s Technology and Policy Research Program.

Since data storage is cheap, Indian and foreign entities can amass, day after day, year after year, vast volumes of information on the off chance that it will be of use someday, rather than risk not having it on hand when they need it.2 However, since these data are siloed and usually only available to those who have harvested it, little is being done to unlock the full value of the data. Worse, the Indian citizens to whom the data pertains have almost no say in its use.

Indian data policies have focused on addressing both these challenges. In addition to traditional approaches to minimizing privacy risks and the potential misuse of data, these Indian policies are also meant to provide individuals with a practical means by which they can access, control, and share their data for their own benefit.


Shreya Ramann
Shreya Ramann is a consultant at Trilegal and is part of the technology, media, and telecommunications practice group. She has worked on legal structuring and advisory services for various clients in e-commerce, telecoms, payment and settlement systems, healthcare, and cybersecurity.

India’s approach to data governance has evolved in light of India’s domestic priorities and international position. This analysis specifically describes and assesses the evolution and implementation of various regulatory and technological advances in India and how such models can be used to build on data governance initiatives around the world.

The sections below examine new initiatives and policies, evaluate the effects of India’s regulatory approach on the country’s domestic growth and global position, and look at the role these initiatives play in the broader data governance ecosystem worldwide.

The first section discusses India’s digitization and the data boom that followed, a period that began in earnest in the 1990s. It looks at the increasing proliferation of digital services and examines how data has and will continue to affect the growth of the Indian economy. The second section looks at the existing and future legal framework for data governance in India. It covers both existing regulations as well as notable public policy proposals on personal, nonpersonal, and government data. The third section examines the technology infrastructure that the Indian government has put in place to augment legal frameworks for effective data sharing. With a focus on the implementation of the Data Empowerment Protection Architecture, this section describes India’s technolegal solutions for empowering individuals to wield control over the data they generate. The fourth section concludes by weaving together themes from India’s data governance strategy. It contextualizes India’s proposed initiatives in relation to other global approaches to data governance. Issues such as data sovereignty and data colonialism are analyzed to assess how they affect India’s standing in the global data market.

India’s Data Economy

In the 1980s, India’s information technology (IT) sector was focused primarily on software exports and services and was valued at only $25 million, constituting approximately 0.01 percent of India’s GDP at the time—primarily because the sector was closed to the world and subject to high import tariffs.3 Software was not a government-recognized industry, and Indian exporters were unable to convince banks to finance their activities.4 The country’s early IT industry thrived despite the government—not because of it.

By contrast, India’s IT industry and related sectors currently have annual revenues of $200 billion and account for 13 percent of the country’s GDP.5 India long has been known as a global powerhouse in exporting IT services, but the country’s IT sector is no longer solely dependent on exports for growth. Over the past decade, domestic demand for IT services has grown rapidly,6 with the aggregate value of domestic demand for digital services in India outpacing the total value of exports.7 Today, digital services are used more widely than ever in India. This change was made possible by the deep penetration of mobile internet access through all strata of Indian society—including into the country’s rural hinterland. More than 750 million Indians use smartphones, or approximately 54 percent of the country’s total population, allowing them to access entertainment, information, and public services on the go.8

In addition, over the past ten years, India has rolled out digital infrastructure on a commensurate scale, enabling residents to make rapid strides toward a paperless virtual existence, allowing them access to digital services from anywhere in the country without having to carry physical documentation or visit specific service-delivery locations. Today, more than 5.4 billion digital payments take place each month over India’s Unified Payment Interface (UPI), a digital payment system that makes it easy to transfer money between bank accounts, mobile money accounts, and digital wallets.9 These transactions range from small purchases of chai and biscuits from pushcart street vendors to substantial e-commerce payments for goods and services. The interface has also made it possible for microlevel entrepreneurs and small businesses alike to identify and take advantage of commercial opportunities that were previously unavailable to them.

A similar revolution is poised to unfold in new data services, enabled by a new digital framework in the financial services sector.10 Other sectors (such as healthcare and education) are similarly expected to benefit from this framework.11 Finally, work is underway to unbundle location-based digital commerce, allowing different elements across the commercial ecosystem to interact more efficiently and opening the door to greater competition between players.12 When rolled out, this open network of digital commerce will likely reduce the dependence of consumers and smaller retailers on vertically integrated platforms in favor of a more disaggregated, decentralized approach.

Each of these projects has contributed to the widespread use of data and illustrates the importance of effective and efficient data governance. However, before getting into the details of India’s data governance regime, it is necessary to first understand how the IT sector has evolved and grown to its current size and state.

India’s Promotion of Information Technology

Three critical factors enabled the development of India’s IT industry starting in the 1990s: the economic liberalization of 1991, industry-specific measures such as the establishment of software technology parks in 1989, and intensive government procurement of IT equipment and services. This welcoming environment encouraged several multinational companies to set up shop in India, a development that in turn sparked an IT services export boom.13 By 2000–2001, India’s total software exports grossed $6.4 billion.14

Economic reforms, liberalization, and the steadily increasing presence of foreign multinational companies in India led to several ancillary developments, including the launch of cable internet and the passage of India’s first IT-related legislation.15 In 2015, the Digital India initiative was launched.16 This ambitious, multifaceted program aimed to transform the country’s digital infrastructure into a public utility—facilitating digital governance and empowering citizens. Several additional programs have been launched under the broad umbrella of Digital India, including BharatNet (a program to provide internet access to all villages in the country), Universal Access to Mobile (a program designed to provide mobile connectivity to over 55,000 villages in India that previously lacked mobile access), and the Smart Cities Mission (a program to transform all Indian cities into smart cities).17

Increased digitization, the proliferation of online services aimed at Indian customers, and the use of new technologies have dramatically increased the volume of data in circulation. According to government projections, emerging technologies in India could conceivably generate as much as $1 trillion in economic value; the wealth of data in India could be harnessed to achieve the country’s ambitions of becoming a $5 trillion dollar economy in overall terms by 2025.18

Digital Infrastructure

Over the last decade, India’s digitization efforts have been greatly accelerated by the deployment of population-scale digital infrastructure. These open protocol–based frameworks, layered one on top of another, form a digital stack. At the base are foundational elements such as digital identity markers, while specific applications (including payments, consented data sharing, and unbundled commerce) are layered on top. These complementary levels of digital infrastructure are commonly referred to as India Stack (see figure 1).19

Digital means of identification. India Stack began in 2010 with the issuance of unique identification numbers to all Indian citizens as part of the national identification program known as Aadhaar. Before the program was established, an estimated 400 million Indian citizens did not possess any form of identification.20 As a result, citizens, particularly in the country’s lower socioeconomic classes, struggled to access the government funds and subsidies to which they were entitled. This problem was exacerbated by the ease with which funds could be diverted by malicious actors. All told, depending on the program, between 10 percent and 60 percent of funds earmarked for subsidies and social welfare services fell prey to leakage or misuse, according to one study.21

Aadhaar was meant to provide all Indian residents with a unique identifier, making it possible to more accurately deliver services to the right people. Since the identifier was digital, it could be linked to technology-based solutions that leveraged digital verification to offer services that are presenceless, paperless, and more efficient.

The widespread adoption of Aadhaar has led to improvements in digital service delivery across India. The Indian government has issued around 1.3 billion Aadhaar cards since 2016, covering nearly 96.4 percent of the country’s population.22 This has allowed the government to make large-scale wealth transfers in an efficient manner. For instance, during the coronavirus pandemic, nearly $44 billion has been disbursed to farmers and other marginalized groups using India Stack.23 And it is estimated that the government has saved almost $30 billion as of March 2021 by eliminating duplicate beneficiaries.24 The adoption of Aadhaar also exposed millions of rural Indians to digital transactions and led to an uptick in digital literacy and digital penetration across the country.

Aadhaar has led to the creation of various means of authentication, including an e-authentication process in which a service provider uses an Aadhaar number to query the Aadhaar database, which is managed by the Unique Identification Authority of India. Authority officials respond to such requests by indicating if the database contains a record that matches the Aadhaar number and the details contained in the request, thus providing an accurate means of identity verification. Aadhaar’s electronic know-your-customer service, which uses this authentication method, has already carried out around 75 billion identity verifications, in response to requests from the government and other institutions in finance, telecommunications, and other utilities.25 Similarly, Aadhaar’s e-sign capability allows any Aadhaar number holder to generate a legally valid, verifiable digital signature.

As the Aadhar program and related services matured, the share of India’s population with a bank account jumped from 35 percent in 2011 to 80 percent in 2017.26 The World Bank estimates that Aadhaar’s know-your-customer service brought down the costs of customer onboarding for an Indian bank from $23 to just $0.15.27 Aadhaar-based customer verification provided telecommunications companies with a huge boost in terms of customer acquisition, specifically in rural markets where there was immense untapped potential. Faster, cheaper, and simpler onboarding led one company—Reliance Jio, a late entrant to the Indian telecoms market—to decide to make Aadhar the only way for new subscribers to acquire a SIM card. Jio acquired 16 million subscribers in the first month after it opened for business and 50 million in under ninety days.28

Digital payments. With the penetration of mobile phone connections and bank accounts across India, policymakers needed to make bank usage cheaper and more accessible. This need prompted the design of the next layer of India Stack: UPI.29 In simple terms, UPI is a payment markup language that runs on a central switch operated by the National Payments Corporation of India. Since all licensed banks are connected to the National Payments Corporation of India’s server, payment messages can be sent to and from these entities, allowing payment transactions to take place almost instantly.

UPI is itself a three-level stack. The base layer is built and operated by the National Payments Corporation of India, and it consists of the switch that handles the routing of payment messages. The next layer involves banks and other regulated financial entities that are permitted under law to hold user funds and pay and receive amounts into these accounts. The third and top layer is made up of payment apps operated by lightly regulated fintech players that create customer interfaces that allow ordinary users to access the payment ecosystem. Given the fundamental interoperability of these protocols, every participant in the payment stack can interact with every other participant using the same universal set of application programming interfaces (APIs). As a result, the Indian payment ecosystem has avoided having to laboriously establish one-to-one relationships between banks to make it possible for customers to transfer money to each other.

Another UPI innovation is its use of a virtual payment address (VPA), a unique identifier that maps a given user’s bank account to an easily memorized string of names, letters, and numbers that can be shared for the purpose of receiving payments. While this method offers the advantages of privacy and security (because knowledge of a VPA offers no information whatsoever about the associated bank details), since the VPA is ubiquitous throughout the ecosystem, the VPA is agnostic to payment apps, allowing money to be exchanged even between users on different payment apps.

In June 2022, an estimated 5.9 billion transactions, amounting to about $127 billion, were conducted using UPI, and it has been a recognized success both in India and abroad.30 A wide range of internet and mobile offerings have been integrated into the UPI ecosystem, with foreign players such as Amazon, Google, Meta, and Walmart relying on it in India.31 Countries like the United States have also been considering adopting UPI features within their own domestic payment systems.32 UPI has emerged as a leading homegrown payment system with the potential to give India self-sufficient alternatives to reliance on global payment solutions.

Data sharing. Having built widely trusted identification and payments systems, India consequently began to generate vast amounts of transaction data. The next logical step was to use this data for empowering citizens eager to use e-commerce and e-government services, particularly those who had no other means of accessing the formal financial system.

The third layer of India Stack, called the Data Empowerment and Protection Architecture (DEPA), was designed to facilitate consented data sharing. Unlike previous layers that were predominantly technological, DEPA is, by its design, a technolegal architecture that individuals can use to exercise greater autonomy over how their personal data are used. It offers technological tools for people to invoke the rights made available to them under applicable privacy laws. Framed differently, it is a technological system that ensures that all transfers of a person’s data from one data fiduciary to another take place through an encrypted digital workflow that is only triggered after that person’s consent has been electronically obtained.

DEPA has already been rolled out in the financial services sector, and work is underway to implement it in the healthcare system. It is not hard to envision how this framework can be applied across a range of sectors such as education, telecommunications, and more. The data governance principles inherent in the technological design of the DEPA framework are examined in more detail below.

India’s Need for Data Governance

With the launch of Digital India and the India Stack, the prevalence of smartphones in rural India grew from 9 percent to 25 percent by 2018, the number of Indians who use social media jumped from 142 million in 2015 to 326 million by that same year, and between 2015 and 2018 average data usage each month increased by 129 percent (assuming a compound annual growth rate).33 The direct impact of the aggressive digitization of the Indian economy has been the unprecedented volumes of data that have been and continue to be generated. India’s online population is expected to increase by nearly 45 percent in the next few years, growing from approximately 622 million in 2020 to 900 million in 2025.34 The amount of wireless data Indian consumers use increased by leaps and bounds to reach over 30,000 petabytes in the first quarter of 2021–2022. At the same time, the average consumer went from using 1.2 gigabytes of wireless data in 2017–2018 per month to a staggering 14.1 gigabytes in 2021–2022.35 Monthly data consumption is also expected to climb to up to 50 gigabytes per smartphone by 2027.36

India is now digitizing faster than most other economies, creating a rapidly growing consumer base that is being targeted by both domestic and foreign companies. It goes without saying that, without an appropriate system of governance, the benefits that are being derived from all this data might not be enjoyed by all Indian citizens. India is looking to bridge the regulatory gap between burgeoning data creation and the need to regulate and leverage available data. In doing so, India has developed frameworks for both data protection and data sharing, measures that aim to further both government and private-sector use of data for socioeconomic benefits.

Legal Frameworks for Data Governance in India

While there are several types of data in circulation and various issues pertaining to the governance of each kind, this analysis exclusively deals with data types that the Indian government is actively looking to regulate, such as personal data generated from individuals and nonpersonal data, which in some cases may also be derived from personal data but also includes data with no relationship to individuals. This research does not examine how other types of data—including scientific data, commercial data, and the like—are shared, though these kinds of data are equally important to broader discourse on data governance. Indian data governance practices will primarily be analyzed in terms of data sharing between government entities, businesses, communities, and ordinary people for both public-good and business purposes.

It is also important to set out the different stakeholders in the Indian data ecosystem so as to better understand the interplay between them. The priority of the Indian government is to use digital technologies for domestic development, leveraging data for the benefit of its citizens and for their protection. The private sector, which is largely focused on commercial gain, used to view data governance as a hindrance, but in more recent times companies have come to appreciate that customers view good data governance practices positively. Finally, individual citizens and the communities that they are a part of have an interest in ensuring that they can exercise meaningful control over their data to protect themselves against potential harms.

Around the world, data governance is implemented by regulating the collection and use of personal data. In most countries, such regulations have taken the form of data protection legislation that sets out what can and cannot be done with personal data and strives to ensure that citizens have a greater say over how their data are used. In recent times, other aspects of data governance have also come into focus. The European Union’s Digital Strategy, for example, attempts to regulate digital markets in goods and services to promote greater competition while facilitating the creation of so-called data spaces within which data can be shared.37 Similar efforts are underway to regulate the use of data for developing artificial intelligence systems and to mitigate the effects of such systems on personal privacy.38

Though India has made considerable strides in digitizing its economy, Indian legal frameworks have not kept pace with this rapid growth. India does not yet have a comprehensive legal framework for data governance. A draft data protection law had been introduced before the parliament, but it was recently withdrawn.39 It is likely that a simplified and more comprehensive version of the draft bill will be introduced, but the timeline is unclear.

Delays in establishing a comprehensive legal framework for data governance could play to India’s advantage if it can learn from the experience of other countries and use that knowledge to implement a modern framework for data governance. This could include some of the proposals being discussed in Europe as well as other novel solutions aimed at addressing these issues. India’s DEPA framework (described in more detail in the next section) is one such novel solution: this technolegal governance regime embeds data protection principles into a technology stack.

In the meantime, this section will discuss the legal frameworks that India has put in place for data governance as well as the proposals for new legal frameworks that are being considered. The subsequent section will then examine the technological frameworks that have already been implemented for data governance in India.

Data Governance in India

At present, India regulates personal data through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which serve as a basic framework for regulating sensitive personal data.40 These rules do not provide a comprehensive framework for data protection along the lines of most data protection laws in other jurisdictions. (They do not, for instance, regulate children’s data rights or cross-border data transfers, nor have they even established a data protection regulator.) Instead, these rules are limited primarily to the collection, possessing, storage, handling, retention, transfer, and disclosure of sensitive personal data by corporations through the introduction of a consent requirement for all such activities. The law also prescribes certain “security practices and procedures” for the handling of sensitive data.41

Although these rules came into force more than a decade ago, delays and insufficient administrative and adjudicatory mechanisms have plagued its implementation.42 Since 2011, there has been little or no regulating carried out under its provisions. Companies comply with its provisions but have received little or no guidance on how to handle the many ambiguities that have arisen.

Indian citizens and civil society, however, have grown increasingly aware of the harms that are inherent in the collection, generation, and processing of personal data. In 2018, a landmark Supreme Court judgment, which upheld the use of India’s Aadhaar digital identification numbers, had to address concerns around government profiling and surveillance. The Supreme Court in another judgment in 2017 had held that the right to privacy is a fundamental right that—while not specified in the Indian Constitution—is derived from the right to life and personal liberty.43 These rulings focused public attention on the rights of individuals to have autonomy over what is done with their data.

India’s approach to data governance is proceeding along three different tracks. First is the regulating of personal data in ways that draw heavily on the principles set out under the EU’s General Data Protection Regulation (GDPR) as well as other international regulations on personally identifiable information. Second, India is in the process of establishing a nonpersonal data framework—a path down which no other country has yet embarked. The broad contours of this policy can be gleaned from draft reports released by a Committee of Experts known as the Gopalakrishnan Committee.44 The third aspect of this work has to do with the governance of government data, which is covered under the National Data Sharing and Accessibility Policy.

Personal Data

While the Supreme Court was still considering the constitutionality of the Aadhaar program, the Indian government established a committee, chaired by retired justice B.N. Srikrishna, to look into the establishment of a personal data protection law for the country. The committee issued its report in 2018 along with draft legislation.45 In December 2019, the Ministry of Electronics and Information Technology introduced in the Indian parliament a slightly revised version of the legislation called the Personal Data Protection Bill, 2019.46 The bill was referred to a joint parliamentary committee for further consideration. After consulting with various stakeholders, the joint parliamentary committee published a December 2021 report, along with yet another draft bill.47 The revised law was called the Data Protection Bill, 2021 (DP Bill). While the bill has now been withdrawn, its provisions signaled the government’s approach and likely policy shifts with respect to personal data. The key features of the bill are highlighted below.

The DP Bill defined personal data as information “about or relating to a natural person who is directly or indirectly identifiable” (by “natural person,” the bill meant a human being as opposed to a nonhuman juridical person such as a corporation or a government agency).48 Such data specifically is information pertaining to a feature of identity (virtual or physical) or a combination of such features, including “inferences drawn from such data for the purpose of profiling.”49 This definition is largely in line with those of similar laws elsewhere, like the EU’s GDPR.50 The DP Bill also defined sensitive personal data, a separate class of data subject to enhanced compliance thresholds. Sensitive personal data include financial data, healthcare data, official identifiers (including government-issued identifiers such as social security numbers or Aadhaar numbers), information on gender identity and sexual orientation, biometric data, genetic data, caste or tribe affiliations, religious or political beliefs or affiliations, and any other category of information so designated in the future by the relevant authorities.51

As for the entities involved in data processing, the DP Bill defined a data fiduciary along similar lines as GDPR defines a data controller.52 The DP Bill referred to the individual whose personal data is being gathered as the “data principal,” a term equivalent to the concept of a “data subject” in GDPR.53 Consent remains the primary grounds for processing personal data.54 However, similar to other privacy legislation, the DP Bill also specified a few nonconsensual grounds for data processing.55 In line with both the Indian government’s aim of ensuring individual autonomy over data as well as global norms, data principals have been accorded various rights with respect to their data under the control of a data fiduciary; these provisions include the rights to access, erasure, correction, and portability, as well as the right to be forgotten.56

The DP Bill also introduced the concept of consent managers—a new category of data fiduciaries to operationalize consented data flows.57 Data principals were meant to provide consent through these consent managers to share information with various data fiduciaries.58 This construct would support the DEPA framework, as discussed in the third section.

The DP Bill aimed to create a Data Protection Authority to govern implementation and enforcement of the law. In theory, the Data Protection Authority could designate certain entities as “significant data fiduciaries.”59 Such determinations were to be made based on criteria like how much personal data has been processed, how sensitive it is, the scale of the fiduciary’s annual turnover, the “risk of harm” from data processing, the employment of new technologies, or whether the entity processes children’s data or provides services to minors.60 Social media platforms that have more than a specified number of users or ones whose actions “are likely to have a significant impact on electoral democracy, state security, public order, or India’s sovereignty” also may have been designated as significant.61 Significant data fiduciaries would have been subject to greater compliance obligations including the need to undertake mandatory data protection impact assessments as well as record keeping and audit requirements.62 They also must appoint a data protection officer.63 India is among the first nations to press heightened obligations on a certain class of data fiduciaries, with parallels only now appearing in regulations such as the EU’s Data Governance Act.64

The DP Bill deviated from other countries’ data protection legislation in certain key aspects. Prominent among these is the fact that, under the DP Bill, a child was defined as a data principal under eighteen years of age.65 This is a higher age cutoff than has been prescribed in most other jurisdictions.66 Data fiduciaries have an obligation to confirm the age of minors and to get parents’ consent to process their data.67

The DP Bill did not subject personal data to any transfer restrictions. Its terms “allow transfer of sensitive personal data, for the purpose of processing and with the explicit consent of the data principal, to any countries with certain safeguards.”68 The DP Bill also empowered the central government to designate certain types of personal data as “critical personal data,” which could only be processed in India and could only be transferred outside the country for limited purposes.69 What constitutes critical personal data still remains undefined.

The DP Bill also allowed for compensation to be paid to data principals for harm caused to them by a data fiduciary because of a violation of the bill’s provisions.70 The definition of harm under the DP Bill was very broad and extended to all types of evaluative decisions regardless of human involvement.71 Notably, the concept of harm is defined more specifically in data governance laws in other jurisdictions such as the EU’s GDPR and the draft of the United Kingdom’s Online Safety Bill. The definition of “content that is harmful” in the draft UK bill is very specific regarding the parameters within which harm must be assessed. The law provides definitions and further context on the scope of what harm means and key definitions, including terms such as “reasonable grounds” and “material risk,” as well as factors to take into account when making such an assessment.72

Once India passes a data protection law, there will likely be a transition period during which data fiduciaries will have to prepare themselves for the new regulatory regime. This is also when the Data Protection Authority will be established and tasked with setting up the administrative framework for implementing the new law. This task would include issuing codes of practice establishing, through subordinate legislation, many of the substantive and procedural details required to bring the law into force.

Several provisions of the DP Bill prompted a strong response from governments and businesses around the world. The U.S. government, for instance, sees the Indian government’s push for data localization as a significant barrier to digital trade between the two countries.73 U.S. officials have suggested that the requirement would result in increased costs for businesses that presently store and process data outside India and in particular would act as a market access barrier for small foreign firms.74

Industry bodies such as the U.S.-India Business Council, the U.S.-India Strategic Partnership Forum, the Information Technology Industry Council, BusinessEurope, and the Japan Electronics and Information Technology Industries Association, as well as major technology players that provide services in India such as Microsoft, Apple, Amazon, Google, and Dell have raised concerns (in addition to the localization issue) about provisions such as the inclusion of nonpersonal data in the bill and mandatory hardware certifications.75 They argue that such provisions are not in line with global best practices for data protection and that such stipulations would create disincentives for innovation in India by reducing operational efficacies and lessening the ease of doing business.

Nonpersonal Data

Various public and private entities have also accumulated vast, proprietary sets of nonpersonal data that they can leverage to their competitive advantage. If such nonpersonal data could be liberated from the exclusive control of their current holders, it is believed that this information could be redeployed for the public good.

The need to regulate nonpersonal data was first expressed in the report by the Srikrishna Committee on personal data protection. The early draft of the law also referred, albeit by exclusion, to the concept of nonpersonal data. In the fall of 2019, the Ministry of Electronics and Information Technology convened the Gopalakrishnan Committee to brainstorm how India should govern nonpersonal data. The committee was tasked with studying various issues related to nonpersonal data and making specific recommendations on how the central government should regulate nonpersonal data.

The latest draft of the committee’s report was released for public consultation in November 2020.76 While the committee’s final findings are not yet public, the latest draft report suggests that the governance framework for nonpersonal data in India will cover the following ground.

The Gopalakrishnan Committee defined nonpersonal data as data that never related to an individual (such as weather conditions or data generated from public infrastructure, to cite a few examples) and information that was once personal data and subsequently was anonymized in such a way that it cannot be used to identify an individual (such as anonymized healthcare records of patients). Nonpersonal data only refers to these two categories of data. The committee’s report classified entities (whether government bodies or private organizations) that collect, process, store, or manage data as data businesses. These entities hold nonpersonal data that the proposed governance framework seeks to unlock for public benefit.

The report also gave communities rights over data that are relevant to them. A community is defined in the report as any group of persons bound by common social or economic ties, territorial parameters, or another interest or purpose. The Gopalakrishnan Committee expressed the belief that communities should be allowed to benefit from data that pertains to them and allowed to protect themselves from any harms that could arise when data businesses process their data.

The Gopalakrishnan Committee recommended the establishment of a separate Nonpersonal Data Authority. This authority would be required to work closely with the Data Protection Authority that the DP Bill sought to establish. While this suggestion indicates that the Gopalakrishnan Committee supports a framework for the regulation of nonpersonal data that “is separate and distinct from [that for] personal data,” the DP Bill appeared to also regulate nonpersonal data.77 Two provisions in the DP Bill mentioned nonpersonal data: clauses on breaches involving nonpersonal data and those on the obligation of data fiduciaries to provide the central government with nonpersonal data for the “targeted delivery of services” or “evidence-based policy making.”78

To protect the rights of communities in relation to their nonpersonal data, the Gopalakrishnan Committee recommended the creation of data trustees (either government entities or private nonprofit organizations) for this purpose. After all, “data trustees have a duty of care” to ensure that nonpersonal data are used only in the interests of these communities.79 To effectively protect communities’ data rights and ensure public benefits are derived from nonpersonal data, the report recommended that data trustees become the repositories for high-value data sets created from community data.

One of the report’s core recommendations was the creation of high-value data sets. All data businesses will be required to submit metadata pertaining to all the nonpersonal data under their control. This metadata will be stored in a single metadata directory and managed by the Nonpersonal Data Authority. The directory will be made available for anyone to access, allowing data trustees to identify opportunities in which such data could be used for public good. Data trustees will have the right to request access to relevant data subsets to create a high-value data set. The relevant data business must provide such data by a specified date.

Crucially, high-value data sets could only be created with the approval of the Nonpersonal Data Authority, a body set up for the supervision of nonpersonal data sharing. The authority would approve applications based on their projected impact on the public interest, the data trustee’s capacity to undertake its obligations, adequate buy-in from the relevant community, and public consultation. This purpose-driven approach to data sharing focuses heavily on the manner in which nonpersonal data can be used and predicates data sharing on the basis of advancing the public good. The report clarified what constitutes a high-value data set that serves the public good, with examples of such purposes including research and education, healthcare, agriculture, and poverty alleviation, to name a few. Parallels may be drawn with the United States’ Demand-Driven Open Data model, which regulates data-sharing requests based on specific use cases.80 This demonstrates the government’s intent to create a framework that focuses not only on protection from harm but also on the societal benefits that can arise from the sharing of nonpersonal data in a regulated ecosystem.

As for data that was once personal but has since been anonymized, the report recognized the rights of the original data principals. The report recommended that, when the personal data are collected, data principals decide whether to provide consent for a data business to anonymize their data. Such consent should also be revocable.

With regard to nonpersonal data that is derived from personal data, the report suggested that such data would “inherit the sensitivity of the underlying personal data” for the purposes of complying with localization requirements.81 For example, based on the DP Bill, a copy of nonpersonal data derived from sensitive personal data has to be kept in India.82

India’s nonpersonal data governance framework is novel. While the principles enshrined in the DP Bill protected personal data from misuse by data fiduciaries, the framework for nonpersonal data was designed to free up data that is not personally identifiable so that it can be used for the sake of wider societal benefits. Whereas on the one hand the data protection framework would lock down data that ought to be kept private, the nonpersonal data framework would unlock data that can be used for public good from the confines of the data silos in which they are stored.

Concerns have been raised about the imposition of mandatory data sharing. At the same time, businesses have questioned whether such a regime would be able to address skewed market powers favoring large technology companies who hold vast amounts of nonpersonal data.83 Some have argued that data-sharing requirements of this kind have the potential to obstruct innovation, thereby hampering India’s digital growth.

Government Data

Even though nonpersonal data held in government hands is expressly accounted for in the proposals of the Gopalakrishnan Committee, the Indian government has separately created a policy to deal with the sharing of such data for the public good. The National Data Sharing and Access Policy makes disparate government data assets available for the public to access.84

The policy applies to all nonpersonal and nonsensitive data generated using public funds across all levels and departments of the government and its authorized agencies. The data that must be provided under this policy include all digital, analogue, machine- and human-readable formats, and suitable payment structures have also been set up to incentivize data sharing. The government has taken a technolegal approach to this task by developing the Open Government Data Platform on which data shared under the National Data Sharing and Access Policy are made publicly available.

Since the launch of the Open Government Data Platform in 2012, several other open data platforms have been launched. As Sam Neufeld has pointed out, examples include the India Urban Data Exchange of the Ministry of Housing and Urban Affairs (an open-source data exchange for citywide data among various stakeholders), Open Budgets India created by the Centre for Budget and Governance Accountability (which includes data on central and state budgetary allocations and spending), and the proposed National Data and Analytics Platform by NITI Aayog, a platform that aims to improve the user experience on data retrieval by standardizing data across government sources for improved research, innovation, and public consumption.85

While the Open Government Data Platform offers more information and data to users, as well as functionalities for social media, data visualization, and data suggestion, there are many opportunities to strengthen its utility. For instance, standardizing data-sharing and release processes, anonymization and deidentification processes, metadata quality, licensing structures, and the pricing and valuation criteria for data sets will encourage more data-sharing efforts by Indian government departments.

To this end, the Indian government has introduced a revised draft of the India Data Accessibility and Use Policy and a draft of the National Data Governance Framework Policy,86 which aim to build upon the National Data Sharing and Access Policy and increase access to government data by leveraging emerging technologies. The draft of the National Data Governance Framework Policy focuses on the sharing of nonpersonal data collected by the government from Indian citizens and residents through the India Datasets Program. This policy introduces a new framework for the governance of citizens’ data that will include the creation of the Indian Data Management Office to establish a large repository of Indian data sets and set standards for storing and collecting such data sets.

The Indian Data Management Office expects private entities to contribute to the data sets as a part of this program. This office will be responsible for ensuring that data principals retain ownership over all such data. Any requests by third parties for nonpersonal or anonymized data sets will be vetted by the Indian Data Management Office before the data are dispersed. The office can receive and vet requests for these data sets from researchers, startups, and private companies, and it has the ability to limit the number and range of data requests from an entity. These policies are in the drafting stage and are awaiting public comments.

Technological Frameworks for Data Governance in India

The last section discussed the legal frameworks that are being developed in India for data governance. These frameworks are already novel in that they not only look to regulate the processing of personal data but also seek to unlock nonpersonal data from isolated silos to advance the public good. However, the Indian approach to data governance has one additional nuance—namely, DEPA. This is a technolegal framework for consented data sharing between data fiduciaries, as articulated in the DP Bill.87 The framework would embed legal principles in technological infrastructure developed for the DEPA, offering novel solutions to data regulation challenges that have vexed countries around the world.

What Is DEPA?

Even though privacy laws recognize the rights that data principals have over their data, they often lack a means for principals to exercise meaningful control over their personal data. For instance, citizens trying to use financial products and services that require evidence of creditworthiness often suffer if they are unable to effectively access their own data. The process often involves physically gathering one’s own data from financial institutions, a cumbersome task that involves physical printouts, notarization, and manual submission. Digital mechanisms to implement data portability are hamstrung by the existence of multiple differing data storage formats and a fundamental lack of standardization across the ecosystem.

To address this, India is seeking to implement DEPA, a technolegal solution that uses an electronic, consent-based framework to put data principals at the center of data sharing in certain sectors, including finance and healthcare. DEPA gives individuals greater agency over how their personal data are transferred, helping them use data in ways that will ultimately empower them. Central to the privacy-enhancing nature of the framework is its use of institutional intermediaries to facilitate consent (called consent managers). This makes it possible to disaggregate the consent flows from the data flows: data providers are primarily responsible for data and consent managers are primarily responsible for consent. This arrangement enables a double-blind data-sharing environment that maximally protects the private information of data principals.

In figure 2 below, entities requesting access to data (known as data users) have been arrayed on the right while the entities that have the data that the data users require (data providers) have been arrayed on the left. In the middle is the consent manager, and right on top is the data principal.

This model has been fully implemented in India’s financial sector under the Reserve Bank of India’s Nonbanking Financial Company Account Aggregator Directions, 2016.88 It implements consented data sharing between different parties in the financial ecosystem including banks, insurance companies, pension funds, and all entities regulated by the country’s securities regulator. Specific financial entities have been permitted to register as account aggregators, which play the role of consent managers and oversee financial data flows between service providers in the sector.

First, any data principal who wishes to transfer their financial data between various fiduciaries so as to use various financial services must first enroll with an account aggregator (or consent manager). At this stage, the data principal provides the consent manager with a list of all the financial service providers (that is to say, data providers—including insurers, banks, brokers, credit rating agencies, and others) with whom the person has an account. The consent manager then creates links to all these data providers; this way, when a data transfer request is received, it has an approved list of data providers from which data can be requested. At no stage does the consent manager have any visibility into the contents of these accounts or into any of the personal or financial data of the data principal. After this initial preparatory work, the data principal is ready to approve financial data transfers using the DEPA infrastructure.

To initiate a data transfer, financial institutions that require customer data to provide services can direct such a request (step 1) to the consent manager. The request is made using a digital consent artefact, a “machine-readable document” that records the details and specifications of consent provided alongside a data-sharing request.89 A digital consent artefact requires the data user to provide details on the information sought, the purpose for the request, the duration for which the information will be retained, and the financial institution seeking this information. The consent manager then sends this request to the data principal (step 2) and, if the data principal consents to the data transfer (step 3), sends the digitally signed request for data to the data provider (step 4). Having verified that the data transfer request was approved by the data principal, the data provider then transfers the required financial data in accordance with the request. The data are encrypted and transferred from the data provider to the data user through the consent manager (step 5).

As of August 2022, six nonbanking financial companies have been given a license to operate as authorized aggregators, and five of them have launched client-facing mobile applications.90 At this time, the authorized aggregator ecosystem has successfully fulfilled more than 1 million consent requests.91

Privacy by Design

Many data protection laws around the world are broadly aligned around a common set of what are known as privacy by design principles.92 DEPA implements a technological framework that supports and complements each of these privacy principles.

Notice and consent. Encoded in the electronic consent requests are all the notice requirements that most international privacy laws require. Consent is specifically collected for each data transfer request. In this way, DEPA offers data principals the opportunity to provide more meaningful consent than is otherwise possible.

Purpose limitation. Data users are required to specify how they intend to use the data before it is collected and used. DEPA enables more effective purpose limitation since the data principal is notified of each data transfer request.

Data minimization. DEPA allows the purpose to be narrowly defined since it must be stated proximate to the time of the data transfer request.

Retention limitation. Each data transfer request under DEPA includes how long the personal data will be kept. Since the data are transferred only for as long as it is needed for processing and after that must either be transferred back or destroyed, data users are not permitted to retain such data any longer than specified.

Data integrity and confidentiality. Since all data transfers under DEPA are encrypted end-to-end, data confidentiality is built into the system’s design. DEPA was designed with privacy at its core. Consent managers are, as a matter of design, data blind and have no visibility into the contents of encrypted data packages. Since data requests are not made directly from data users to data providers, data principals’ privacy is protected vis-à-vis data users. Since consent managers are data blind, data principals’ privacy is also protected vis-à-vis consent managers.

The Digital Consent Artefact

Consent is processed using the digital consent artefact. The electronic consent artefact used by DEPA implements the so-called ORGANS principles: open, revocable, granular, auditable, notice, and secure (see below).

  • Open: the consent standard is designed to operate as an open standard ensuring that all institutions have the same interoperable approach to consent;
  • Revocable: the consent is designed to be revocable at any point in time by the data principal who provided it;
  • Granular: consent needs to be provided in each instance and must specify what data has been requested, how long it will be retained, and who will process it;
  • Auditable: records of all consents provided by a data principal can be retained in machine-readable logs;
  • Notice: data principals will be provided notice of how their data will be used, the parties that will process it, and the duration for which it will be retained; and
  • Secure: the digital consent artefact is secure by design.

When a data transfer request is made, verification by the consent manager happens only against the details contained in the consent artefact, and data users must store the data according to the consent artefact’s specifications.

When DEPA’s digital consent workflow is combined with the right to data portability provided to data principals under the DP Bill (or a similar piece of legislation) and applied to the healthcare and finance sectors, this development will help formalize the DEPA framework within and across all these sectors.

For instance, a core component of India’s healthcare digitization mission is the creation of digitized healthcare records that citizens can easily access and transfer to different service providers in the healthcare ecosystem, per their requirements. Citizens may need to transfer healthcare records from a hospital or clinic to their health insurance provider to file an insurance claim. Rather than reproducing their healthcare records or status, they can use DEPA to transfer their health records from the hospital (data provider) to the insurer (data user) through a data intermediary designed specifically for the healthcare sector (consent manager) to oversee the transfer of this sensitive medical data. This arrangement would go a long way toward facilitating constructive public health outcomes. The DEPA framework is being used for this purpose, ensuring the privacy and authenticity of healthcare data transfers.93

Another technolegal framework for data sharing is the Open Government Data Platform. The platform hosts all government data published under the National Data Sharing and Access Policy and enables public access to and the downloading of such data. Developed using open source stack, the platform contains multiple modules and APIs, including a module for data management that hosts data catalogues by various government agencies and a module for visitor relationship management, which collates and disseminates viewer feedback on various data catalogues.

Several state governments have launched their own open data portals using the Open Government Data Platform’s software as a service model, including the Open Government Data Portal by the state government of Sikkim and a portal by the Surat Municipal Corporation.94 India’s Open Government Data Platform is also packaged as a product and has been “made available in open source” for countries around the globe to implement.95

India’s Approach to Data Governance

India’s data governance regime has been shaped by the country’s historical development, the value evident from increased data generation, civil society activism, and digital innovation outside of the country. While India’s efforts at developing a data governance regime have been influenced by global regulations such as GDPR and the Asia-Pacific Economic Cooperation’s Privacy Framework, the Indian government is, at the same time, looking to chart its own path in certain respects.96

The passage of a new personal data protection law has assumed paramount importance. However, the protections proposed in the law additionally focus on improving data accessibility and availability, in contrast to GDPR, which is first and foremost about protecting individual privacy rights. These Indian policy frameworks on personal and nonpersonal data indicate that, while data protection is essential, data sharing and data empowerment are the most important drivers of India’s strategy on data governance.97

The Indian approach is also distinct from other global models due to the tools and mechanisms that support the proposed regulatory framework. The development of unique digital infrastructure projects such as the India Stack provides policymakers with the resources to implement unique citizen-centric solutions, while also offering important lessons to other nations.

The Technolegal Approach

A central feature of India’s data governance approach is its use of homegrown technolegal mechanisms. These regulatory frameworks and technical systems are used to implement policy objectives through technology design. India views frameworks like DEPA as necessary for data empowerment. Indian officials have even gone so far as to compare DEPA’s design to the development of Transmission Control Protocol/Internet Protocol for online communication and GPS for navigation.98 This approach is similar to that described by the U.S. legal scholar Lawrence Lessig, who has suggested that software and systems often can shape behavior and the adoption of technology at least as effectively as regulations.99

Technolegal solutions such as DEPA, the Nonpersonal Data Framework, and the Open Government Platform make it possible to develop markets for data transactions, creating interoperable grids for seamless data sharing. The role of technology in these mechanisms is clear. Entities that act as intermediaries in such ecosystems (the consent managers within DEPA and data trustees for nonpersonal data) should ideally be entities with considerable technology-related organizational capacity.100

India’s Push for Data Sovereignty

The development of these frameworks has been driven, in part, by the objectives of India’s digital policies. The Indian government is working to ensure that Indian data are domestically controlled and leveraged so that Indian citizens’ data serve national interests before those of foreign players.101 The government, supported by Indian industries, has moved to promote the domestic use of data while guarding against the threat of data imperialism (or data colonialism) by foreign technology companies.

This focus on data sovereignty stems from multiple policy goals. Given India’s increasing focus on the value of data as a tool for economic growth, there has been a push to retain data in the country so that such information can be used by domestic players. Similarly, there have been efforts to more aggressively regulate the activities of foreign technology players who have access to Indian data. Concerns that foreign tech giants have too much control over India’s technology landscape have led to further concerns about the misuse of and lack of access to Indian data that are stored overseas. In addition, concerns have proliferated about how market dominance leads to imbalances in bargaining power between foreign tech giants on the one hand and Indian citizens, businesses, and the government on the other.102

This thinking is evident in recent measures on data governance that the Indian government has introduced, the most significant of which is a cross-governmental push for data localization. Through sector-specific regulations in the banking, insurance, and telecom sectors; the DP Bill; and the nonpersonal data framework, the Indian government has made it clear that certain types of data will have to be stored within the country to enable domestic access. The primary policy goals in support of these measures are the need to overcome barriers faced by law enforcement personnel who struggle to access Indian data stored in other jurisdictions and the importance of ensuring the accessibility of Indian data to domestic players so that the relevant economic and social benefits can be tapped into.103

The nonpersonal data framework explicitly calls out this principle of data sovereignty, recognizing it as a key to unlocking economic benefits from nonpersonal data for India and its citizens, communities, and organizations. Other policy documents “reconceptualize the notion of community data as ‘societal commons’ or a ‘national resource,’ where the undefined ‘community’ has rights to access data but the government” retains ultimate control over the use of such data to advance the public welfare.104 The requirement for mandatory data sharing under the proposed nonpersonal data framework is also indicative of the government’s push to democratize the use of data and to disrupt the monopolization of data in the hands of a few companies.

That said, questions have been raised as to whether India’s decision to exert its right to data sovereignty by extending its data governance framework to also cover nonpersonal data is going too far. Nonpersonal data covers a broad swathe of information that would otherwise have been left untouched, potentially affecting the rights of commercial enterprises to their trade secrets and confidential business practices. There is also the question of how exactly nonpersonal data will be distinguished from personal data given the numerous examples of how, even after it has been anonymized, personal information has been reidentified.105 The still-awaited final report of the Gopalakrishnan Committee might hold answers to these questions.

India’s Approach in a Global Context

India’s approach to data governance should also be viewed within a larger global context. Many nations are starting to weigh in on the question of regulating cross-border data flows. Japan has advocated for the free flow of data across borders, a position formalized in its leadership on the Osaka Declaration on Digital Economy in 2019.106 The United States has adopted a laissez-faire approach that supports the unrestricted flow of data across borders. The United States does not have all-purpose federal legislation on data protection for either personal or nonpersonal data. In contrast, Europe has codified data governance through various directives and acts of legislation, which individual countries have implemented.107 Europeans have taken a human rights–based approach to data sharing by permitting cross-border sharing under specific circumstances to countries that meet the EU’s requirements.

China has a radically different approach to data governance. Its cyber sovereignty approach involves the use of advanced technologies for the aggressive enforcement of sovereignty, data localization requirements, and strict monitoring of domestic data.108 This approach has been adopted to varying degrees by other nations such as Russia and Egypt.109

In contrast, India declined to sign the Osaka Declaration promoted by Japan at the 2019 Group of 20 (G20) summit out of concerns that the negotiations conflicted with its policy priority for data localization.110 This has made it clear that economic, national security, and developmental ramifications can no longer be separated from domestic or international data governance efforts.111

There are lessons to be learned from the data colonization of African nations that suffered from the absence of robust data protection policies. Indigenous technology development on the African continent is heavily influenced by large technology giants from the United States and China.112 Several African nations, such as Nigeria and Rwanda, are now considering localization regulations of their own to counteract these effects.113

India is charting a new path for data governance. Given the size of the country’s population (a significant share of which has yet to come online), its growing technological prowess, and its novel governance solutions, India can play a decisive role in shaping global data governance.


1 Arvind Gupta and Philip E. Auerswald, “The Ups and Downs of India’s Digital Transformation,” Harvard Business Review, May 2019,

2 Telecom Regulatory Authority of India, “Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges in India,” Telecom Regulatory Authority of India, Consultation Paper No.10/2021, The report states that—based on “the cost of manpower, real estate, and bandwidth”—data storage in India is “at least 60 percent cheaper” than in the United States or Singapore.

3 In 1985, the IT industry exported software and services worth $25 million. See Devesh Kapur, “Causes and Consequences of India’s IT Boom,” University of Pennsylvania India Review 1, no. 2 (April 2022),

4 Ibid.

5 United States International Trade Administration, “India - Country Commercial Guide,” United States International Trade Administration, October 22, 2021,

6 Kapur, “Causes and Consequences of India’s IT Boom.”

7 Ibid.

8 Deloitte, “Technology, Media, and Telecommunications - Predictions 2022,” Deloitte, February 2022,; and World Bank, “Population, Total - India,” World Bank, 2021,

9 National Payments Corporation of India, “UPI Product Statistics,” National Payments Corporation of India,

10 This can be seen in the use of the Data Empowerment and Protection Architecture in the Reserve Bank of India’s Account Aggregator Framework. See Reserve Bank of India, “Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Direction, 2016,” Reserve Bank of India, October 5, 2021,

11 NITI Aayog, “National Health Stack: Strategy and Approach,” NITI Aayog, July 2018,; and NITI Aayog, “Data Empowerment and Protection Architecture,” August 2020,

12 Indian Ministry of Commerce and Industry, “ONDC Project,” Indian Ministry of Commerce and Industry, April 2022,

13 Kapur, “Causes and Consequences of India’s IT Boom.”

14 Ibid.

15 India Code, “Information Technology Act, 2000,” India Code,

16 Digital India, “About Digital India,” Digital India,

17 Digital India, “Bharat Broadband Network (BBN),” Digital India,; Digital India, “Universal Access to Mobile Connectivity,” Digital India,; and Indian Ministry of Housing and Urban Affairs, “Smart Cities: Vision,” Indian Ministry of Housing and Urban Affairs,,that%20leads%20to%20Smart%20outcomes.

18 Indian Ministry of Electronics and Information Technology, “India’s Trillion-Dollar Digital Opportunity,” Indian Ministry of Electronics and Information Technology,; and Indian Ministry of Commerce and Industry, “Vision of a USD 5 Trillion Indian Economy,” Indian Ministry of Commerce and Industry, October 11, 2018,

19 Tanuj Bhojwani, “The Best Way Forward for Privacy Is to Open Up Your Data,” iSPIRT, August 21, 2017,; and India Stack, “India Stack,” India Stack,

20 Nandan Nilekani, “India’s Aadhaar System: Bringing E-Government to Life,” Chandler Institute of Governance, Governance Matters Magazine, 2021,

21 Ibid.

22 Unique Identification Authority of India, “Aadhaar Dashboard,” Unique Identification Authority of India,; and World Bank, “Population, Total – India.”

23 Deepa Krishnan, “What the World Can Learn From the India Stack,” Strategy and Business, December 6, 2021,; and National Portal of India, “Pradhan Mantri Garib Kalyan Yojana / Package,” National Portal of India, September 7, 2020,

24 Direct Benefit Transfer (DBT) Bharat, “Estimated Benefits/Gains From DBT and Other Governance Reforms,” DBT Bharat,

25 Unique Identification Authority of India, “Aadhaar Dashboard.”

26 World Bank, “Global Findex Database 2021: Financial Inclusion, Digital Payments, and Resilience in the Age of COVID-19,” World Bank, 2021,

27 World Bank, “Private Sector Economic Impacts From Identification Systems,” World Bank, 2018,

28 “Reliance Jio 4G Claims It Crossed 16 Million Subscribers in First Month,” Indian Express, October 10, 2016,; and “Reliance Jio Crosses 50 Million Subscriber Mark in 83 Days,” Indian Express,

29 National Payments Corporation of India, “Product Overview: Unified Payments Interface,” National Payments Corporation of India,

30 National Payments Corporation of India, “UPI Product Statistics.”

31 See PhonePe, “PhonePe,” PhonePe,; Google, “Google Payments,” Google,; WhatsApp, “WhatsApp Payments,” WhatsApp,; and Amazon, “Unified Payment Interface (UPI) - FAQs,” Amazon,

32 See this letter from Google to the U.S. Federal Reserve. Mark Isakowitz, “Re: Federal Reserve Actions to Support Interbank Settlement of Faster Payments, Docket No. OP 1670,” Google, November 7, 2019,

33 India Cellular and Electronics Association, “Contribution of Smartphones to Digital Governance in India,” India Cellular and Electronics Association, July 2020,; “India to Have 820 Million Smartphone Users by 2022,” Economic Times, July 9, 2020,

34 Kantar, “Internet Adoption in India: ICUBE 2020,” Kantar, June 2021,

35 Indian Ministry of Finance, “Economic Survey 2021–22,” Indian Ministry of Finance, 302,

36 Ericsson, “Mobile Data Traffic Outlook,” Ericsson,

37 European Commission, “European Commission Data Strategy: Next-Generation Digital Commission,” European Commission,

38 European Commission, “A European Approach to Artificial Intelligence,” European Commission, June 30, 2022,

39 Soumyarendra Barik, “Explained: Why the Govt Has Withdrawn the Personal Data Protection Bill, and What Happens Now,” Indian Express, August 6, 2022,

40 Indian Ministry of Communications and Information Technology, “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011,” Indian Ministry of Communications and Information Technology, April 11, 2011,

41 Indian Ministry of Electronics and Information Technology, “White Paper of the Committee of Experts on a Data Protection Framework for India,” Indian Ministry of Electronics and Information Technology,

42 Sreenidhi Srinivasan and Namrata Mukherjee, “Building an Effective Data Protection Regime,” Vidhi Centre for Legal Policy, 2017,

43 Supreme Court of India, “Justice K.S. Puttaswamy (Retd.) and Another Petitioner(s) Versus Union of India and Others Respondent(s),” Supreme Court of India, Judgement, September 26, 2018,; and Supreme Court of India, “Justice K.S. Puttaswamy (Retd.) and Anr. Versus Union of India and Ors.,” Supreme Court of India Writ Petition (Civil) No. 494 of 2012, August 24, 2017,

44 Indian Ministry of Electronics and Information Technology, “Report by the Committee of Experts on Non-Personal Data Governance Framework,” Indian Ministry of Electronics and Information Technology, December 16, 2020, mygov_160922880751553221.pdf.

45 Indian Ministry of Electronics and Information Technology, “White Paper of the Committee of Experts on a Data Protection Framework for India”; and Indian Ministry of Electronics and Information Technology, “Personal Data Protection Bill, 2018,” Indian Ministry of Electronics and Information Technology,,2018.pdf.

46 Parliament of India, Lok Sabha, “Personal Data Protection Bill, 2019,” Lok Sabha,

47 Parliament of India, Lok Sabha, “Report of the Joint Committee on Personal Data Protection Bill, 2019,” Seventeenth Lok Sabha, December 2021,,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf.

48 PRS Legislative Research, “Annual Policy Review 2021–2022,” PRS Legislative Research, May 2022,

49 DP Bill Section 3(33); and Lok Sabha, “Report of the Joint Committee on Personal Data Protection Bill, 2019.”

50 European Parliament and Council of the European Union, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation),” European Parliament and Council of the European Union, April 27, 2016, See Article 4.

51 DP Bill Section 3(41); and Pawan Bali, “Data Protection Draft Bill Holds Hope for Privacy,” Asian Age, July 28, 2018,

52 See DP Bill Section 3(15).

53 Ibid., Section 3(16); and Supreme Court of India, “Justice K.S. Puttaswamy (Retd.) and Another Petitioner(s) Versus Union of India and Others Respondent(s).”

54 See DP Bill Section 11.

55 Ibid., Chapter III.

56 Ibid., Chapter V.

57 Ibid., Section 3(11).

58 Ibid., Sections 21(1) and 23(3).

59 Ibid., Section 26.

60 Amber Sinha and Elonnai Hickok, “The Srikrishna Committee Data Protection Bill and Artificial Intelligence in India,” Centre for Internet and Society, September 3, 2018,

61 Arya Tripathy and Rishi Sehgal, “India’s New Data Protection Bill, 2021: Overview and Analysis of JPC Draft,” PSA Legal Counsellors, December 20, 2021,

62 DP Bill Sections 27 and 28.

63 Ibid., Section 30.

64 European Commission, “Proposal for a Regulation of the European Parliament and of the Council on European Data Governance (Data Governance Act),” European Commission, November 2020,; and Council of the EU, “Council Approves Data Governance Act,” Council of the EU, May 16, 2022,

65 DB Bill Section 3(8).

66 For example, under GDPR, data principals below the age of sixteen years are considered children, and member states may provide for a lower age up to thirteen years. See European Parliament and Council of the European Union, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation).”

67 DB Bill Sections 16(2) and 16(3); and Vikram Jeet Singh, “An Introduction to India’s New Privacy Regime,” International Bar Association, June 22, 2022,

68 DP Bill Section 34; and Deloitte, “Draft Personal Data Protection Bill, 2019,” Deloitte, January 2020,

69 DP Bill Section 33(3).

70 Ibid., Section 65.

71 Section 3(23) of the DP Bill defines harm to include “(i) bodily or mental injury; (ii) loss, distortion or theft of identity; (iii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; (x) any observation or surveillance that is not reasonably expected by the data principal;” (xi) psychological manipulation which impairs the anatomy of the individual; or (xii) such other harm as may be prescribed. See DP Bill Section 3(23); and Vijayashankar Na, “PDPA 2021: Regulating the Human Perceptions,”, August 16, 2022,

72 UK Parliament, “Online Safety Bill (As Amended in Public Bill Committee),” UK Parliament, Bill 121, For more information, see Edina Harbinja, “The UK’s Online Safety Bill: Not That Safe, After All?,” Lawfare (blog), July 8, 2021,

73 Dia Rekhi, “Global IT Bodies Express Concern Over Data Protection Bill,” Economic Times, March 2, 2022,; and Surajeet Das Gupta, “India’s Data Localisation Rules to Be a Barrier to Digital Trade: US,” Business Standard, April 11, 2022,

74 Gupta, “India’s Data Localisation Rules to Be a Barrier to Digital Trade: US.”

75 Rekhi, “Global IT Bodies Express Concern Over Data Protection Bill.”

76 Unless otherwise noted, the insights from this part of the analysis come from the committee’s report. See Indian Ministry of Electronics and Information Technology, “Report by the Committee of Experts on Non-Personal Data Governance Framework.”

77 Dvara Research, “Comments to the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill 2019 Introduced in the Lok Sabha on 11 December 2019,” Dvara Research,

78 DP Bill Section 92(2) and 94(2)(e); and Prahalad Sriram, “Reconciling Localization Mandate of the Personal Data Protection Bill, 2019 With International Trade Obligations,” Narsee Monjee Institute of Management Studies (NMIMS) Law Review 2 (June 2020): 273–284,

79 Indian Ministry of Electronics and Information Technology, “Report by the Committee of Experts on Non-Personal Data Governance Framework”; and Astha Kapoor, Sarada Mahesh, and Vinay Narayan, “Impact of the Non-Personal Data Governance Framework on the Indian Agricultural Sector,” Aapti Institute, February 2022,

80 U.S Department of Health and Human Services, “Demand-Driven Open Data,” U.S Department of Health and Human Services,

81 Cuts International, “Cuts Comments on the Revised Report of the Committee of Experts on Non-Personal Data Governance Framework,” Cuts International, January 31, 2021,

82 Centre for Information Policy Leadership and DSCI, “Enabling Accountable Data

Transfers from India to the United States Under India’s Proposed Personal Data

Protection Bill (No. 373 of 2019),” Centre for Information Policy Leadership and DSCI, August 2020,

83 “Why Non-Personal Data Governance Framework Needs a Rethink,” Financial Express, August 31, 2020,

84 Indian Ministry of Science and Technology, “National Data Sharing and Access Policy,” Indian Ministry of Science and Technology, 2012, 10–15,

85 India Urban Data Exchange, “Unleashing the Power of Data for Public Good,” India Urban Data Exchange,; Open Budgets India, “Making India’s Budgets Open, Usable, and Easy to Comprehend,” Open Budgets India,; NITI Aayog, “National Data and Analytics Platform: Vision Document,” NITI Aayog, January 2020,; and Sam Neufeld, “Deploying Open Government Data for AI-Enabled Public Interest Technologies,” Observer Research Foundation, July 21, 2021,

86 Indian Ministry of Electronics and Information Technology, “India Data Accessibility and Use Policy (Draft),” Indian Ministry of Electronics and Information Technology, February 2022,; and Indian Ministry of Electronics and Information Technology, “National Data Governance Framework Policy (Draft),” Indian Ministry of Electronics and Information Technology, May 2022,

87 For a detailed description of the DEPA framework, please see NITI Aayog, “Data Empowerment and Protection Architecture.” Also see Vikas Kathuria, “Data Empowerment and Protection Architecture: Concept and Assessment,” Observer Research Foundation, August 2021,

88 Reserve Bank of India, “Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Direction, 2016.”

89 National Digital Health Mission, “National Digital Health Mission: Health Data Management Policy,” National Digital Health Mission,

90 Sahamati, “Current List of AAs,” Sahamati,

91 Sahamati, “Live Dashboard,” Sahamati,

92 Ann Cavoukian, “Privacy by Design: The 7 Foundational Principles,” International Association of Privacy Professionals, January 2011,

93 NITI Aayog, “National Health Stack: Strategy and Approach.”

94 Open Government Data Platform India, Ministry of Electronics and Information Technology National Informatics Centre, and State Government of Sikkim, “Discover Datasets by Sector (Sikkim),” Open Government Data Platform India, Ministry of Electronics and Information Technology National Informatics Centre, and State Government of Sikkim,; and Surat Municipal Corporation Open Data Initiative, “Open Government Data Portal of Surat City,” Surat Municipal Corporation Open Data Initiative,

95 Open Government Platform, “Table of Contents,” Open Government Platform,; and Dimple Patel, “Research Data Management: A Conceptual Framework,” Library Review, July 4, 2016,

96 Anirudh Burman, “Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth?,” Carnegie India, March 9, 2020,

97 Amba Kak and Samm Sacks, “Shifting Narratives and Emergent Trends in Data-Governance Policy,” Yale Law School Paul Tsai China Center, AI Now, and New America, August 2021,

98 NITI Aayog, “Data Empowerment and Protection Architecture.”

99 Lawrence Lessig, Code and Other Laws of Cyberspace (New York: Basic Books, 1999),

100 “MediaNama: Discussion on the Governance of Non Personal Data,” YouTube video, 3:55:20, posted by “MediaNama,” January 15, 2021,

101 Indian Ministry of Finance, “Economic Survey 2021–22.”

102 Indian Ministry of Electronics and Information Technology, “Report by the Committee of Experts on Non-Personal Data Governance Framework.”

103 Indian Ministry of Electronics and Information Technology, Committee of Experts Under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy Protecting Privacy, Empowering Indians (New Delhi: Committee of Experts Under the Chairmanship of Justice B.N. Srikrishna,

104 Arindrajit Basu, “We Need a Better AI Vision,” Centre for Internet and Society, October 12, 2019,; and Indian Department for Promotion of Industry and Internal Trade, “Draft National E-Commerce Policy: India’s Data for India’s Development,” Indian Department for Promotion of Industry and Internal Trade, February 23, 2019,

105 For instance, a Netflix database was deanonymized by comparing rankings and time stamps with data sets from other sources. See Arvind Narayanan and Vitaly Shmatikov, “Robust De-anonymization of Large Datasets (How to Break Anonymity of the Netflix Prize Dataset),” University of Texas at Austin, February 5, 2008, For more examples, see “Re-Identification of Anonymised Data Sets,” DigiTorc, April 10, 2019,

106 Japanese Ministry of Foreign Affairs, “G-20 Osaka Leaders Declaration,” Japanese Ministry of Foreign Affairs, June 29, 2019,

107 See, for example, European Parliament and Council of the European Union, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation)”; and European Commission, “European Data Strategy: Making the EU a Role Model for a Society Empowered by Bata,” European Commission,

108 The Personal Information Protection Law restricts or bans data transfers if they harm China’s national security, which is defined more broadly than in most other countries. It also requires all data processed by national agencies and critical information infrastructure operators be stored in China. Entities that handle personal information reaching a certain threshold are also required to store user data within China. See Standing Committee of the Thirteenth National People’s Congress, “Personal Information Protection Law of the People’s Republic of China,” translated by Rogier Creemers and Graham Webster, Digichina (Stanford University), September 7, 2021,

109 Various Russian laws such as Federal Law No. 152-FZ on Personal Data contain data localization provisions and prescribe import substitutions for IT products used by government agencies, state-owned corporations, and critical infrastructure. See International Committee of the Red Cross, “Federal Law No. 152 FZ on Personal Data, 2006,” International Committee of the Red Cross, July 27, 2006, In Egypt’s case, Law No. 151 of 2020 prohibits the transfer of personal data to recipients located outside Egypt except with the permission of the Egyptian Data Protection Center. See International Labour Organization, “Law No. 151 of 2020: Promulgating the Personal Data Protection Law,” International Labour Organization, 2020,

110 Indian Ministry of Commerce and Industry, “Shri Piyush Goyal Participates in the G-20 Meeting of the Trade and Investment Ministers,” Indian Ministry of Commerce and Industry, September 22, 2020,

111 United Nations (UN) Conference on Trade and Development, Digital Economy Report 2021: Cross-border Data Flows and Development: For Whom the Data Flow (New York: UN Conference on Trade and Development, 2021),

112 Nima Elmi, “Is Big Tech Setting Africa Back?,” Foreign Policy, November 11, 2020,

113 Nigeria has required all subscriber and consumer data of ICT service providers as well as all government data to be stored locally within the country since December 2013 through the Guidelines for Nigerian Content Development in ICT. See Nigerian National Information Technology Development Agency (NITDA), “Guidelines for Nigerian Content Development in Information and Communication Technology (ICT),” NITDA, August 2019, In Rwanda, the concept of data sovereignty has been at the core of the government’s Data Revolution Policy, which requires that national data should be hosted locally. See Rwandan National Institute of Statistics, “Data Revolution,” Rwandan National Institute of Statistics,,open%20license%20and%20technical%20standards. A 2012 law states that all critical information data within the government should be hosted in one central national data center. See Rwanda Law Reform Commission, “Ministerial Order N°001/MINICT/2012 of 12/03/2012 (Ministerial Instructions Related to the Procurement of Information and Communications Technology Goods and Services by Rwanda Public Institutions,” Rwanda Law Reform Commission, March 12, 2012,