Data Governance in the Digital Age

In today’s digital age, data is a vital asset powering innovation, economic growth, and governance. Initiatives like Digital India have generated vast, granular datasets, while artificial intelligence enhances data analysis and insights. Unlocking this potential demands strong data protection and accountable institutions. India’s Digital Personal Data Protection Act 2023 and the proposed Data Protection Board aim to balance privacy, transparency, and innovation. Establishing effective frameworks is crucial to safeguard rights while fostering sustainable digital development and competitive advantage. 

Why is Data the New Oil in the Digital Age?  

• Data Fuels Digital Transformation: In today’s interconnected world, digital data has become the foundational asset of economic, social, and political systems. 
  • For instance, the Aadhaar digital identity program in India, with over 1.3 billion enrollments, is the world’s largest biometric ID system. 
    • It underpins digital payments (UPI), Direct Benefit Transfers (DBT), and e-KYC processes, streamlining both public and private sector services. 
  • This powers innovation, personalized services, efficient governance, and business decisions across sectors and industries. 
• Granular Data Enables Precision: Highly granular datasets are generated by government departments under programs like Digital India and public service digitization. 
  • Granular public data refers to detailed, fine-level datasets collected frequently, providing specific information across small geographic or demographic units for precise analysis. 
  • They include dynamic data on health, education, infrastructure, and taxation, often updated in real time. 
    • For example, In 2023-24, Unified District Information System for Education (UDISE)  covered 1.5 million schools, providing detailed data on enrollment, infrastructure, teacher attendance, and learning outcomes to support targeted educational interventions. 
• Alternative Sources Expand Value: Private firms use alternative data such as satellite imagery, transaction records, and open-source scraping for intelligence. 
  • This expands informational breadth and enriches decision-making with independent and real-world indicators. 
  • For example, private firms like CropIn use satellite and IoT data to provide real-time crop health analytics, serving over 5 million Indian farmers and improving precision agriculture and risk management. 
• AI Accelerates Data Analysis: Artificial Intelligence systems process vast datasets, detect patterns, and generate predictive insights with exceptional efficiency. 
  • These tools have democratized data access, especially aiding junior analysts in navigating complex industry value chains. 
• Public Data Enhances Governance: Publishing high-frequency, machine-readable public datasets supports transparency, accountability, and improved policy outcomes. 
  • The Open Government Data Platform India offers over 500,000 datasets, including real-time air quality, rainfall, and power data, helping NGOs monitor pollution and promote environmental compliance. 
• Unlocking Economic Potential: India’s public data hosts untapped economic value, enabling better macroeconomic forecasting and sectoral innovation. 
  • Tax datasets have already revealed important trends in India’s fiscal behavior and corporate tax dynamics. 
  • For instance, Goods and Services Tax (GST) data analysis revealed sectoral recovery post-pandemic, aiding targeted stimulus; the Finance Ministry reported a 15% GST revenue rise in FY2024, driven by manufacturing and e-commerce growth. 

How is India Responding Through Laws and Policies?  

• DPDP Act, 2023: India enacted the Digital Personal Data Protection Act, 2023 to regulate digital personal data and protect user rights. 
  • It defines roles for Data Principals (citizens) and Data Fiduciaries (processors), outlining their rights and duties. 
• Role of the Government: The Ministry of Electronics and Information Technology is responsible for drafting and notifying implementation rules. 
  • It released the Draft Digital Personal Data Protection Rules, 2025 for public consultation and feedback. 
• Functions of the Data Protection Board: The Data Protection Board of India (DPBI) will investigate data breaches, resolve disputes, and impose penalties. 
  • Appeals from DPBI decisions will lie with the Telecom Disputes Settlement and Appellate Tribunal. 
• Consent Framework and Data Rights: Consent is necessary for lawful processing, with exemptions for emergencies and state service delivery. 
  • Data Principals can access, correct, or erase their data and appoint nominees in case of incapacity or death. 
• Duties of Data Fiduciaries: Fiduciaries must ensure data accuracy, security safeguards, and erasure post-usage unless legally required to retain. 
  • They must report breaches to both the DPBI and affected individuals promptly. 
• Consent Managers and Grievance Redressal: The law introduces Consent Managers, registered entities that help users manage, withdraw, or modify consent. 
• Provisions for Children’s Data: Fiduciaries must obtain verifiable parental consent before processing data of persons below 18 years. 
• Regulation of Significant Data Fiduciaries: Entities processing large or sensitive datasets may be declared Significant Data Fiduciaries by the government. 
  • They must conduct Data Protection Impact Assessments, appoint Data Protection Officers, and undergo independent audits. 
• Scope of Exemptions and Government Powers: The Act exempts state agencies for national interest, judicial purposes, and research without user rights application. 
  • Such powers are discretionary and lack judicial oversight, raising concerns over regulatory overreach. 
• Cross-Border Transfers and Localization: The Act permits data flows outside India with restrictions on notified countries. 
  • It does not mandate data localization or specify data storage protocols, unlike other global regimes. 

What are the Key Challenges in Ensuring Data Protection?  

• Reconciling Privacy with Transparency: Balancing the fundamental right to privacy under Article 21 and the right to information under Article 19 is difficult. 
  • Section 44(3) of the Digital Personal Data Protection Act restricts information access even in larger public interest. 
• State Surveillance Concerns: The Act permits government exemptions for national security, sovereignty, and public order, enabling unchecked surveillance. 
  • Vague exemption clauses lack procedural safeguards and risk violating constitutional privacy protections. 
• Dilution of the RTI: The amendment overrides Section 8(1)(j) of the Right to Information Act, 2005, weakening its transparency mandate. 
  • It removes the provision guaranteeing public access to data not deniable to Parliament or State Legislatures. 
• Weak Regulatory Independence: The Data Protection Board of India has a two-year tenure for members, unlike five-year terms in regulators like the Securities and Exchange Board of India (SEBI). 
  • Government-heavy appointment committees limit institutional independence, undermining enforcement and public confidence. 
• Opaque Appointments and Processes: Lack of diversity in selection panels increases risks of partisan bias in appointments to regulatory institutions. 
  • Transparent processes, including publication of justifications for appointments, are absent in the current framework. 
• Delayed Rule Implementation: There was a 16-month delay in notifying the 2025 rules for implementing the 2023 Act. 
  • This stalled enforcement, left grievances unresolved, and delayed critical protections for citizens’ data rights. 
• Limitations of Consent-Based Model: The Act depends on notice-and-consent for data processing, assuming users understand risks and exercise informed choice. 
  • This is unfeasible given widespread digital illiteracy and information asymmetry between users and corporations. 
• Digital Manipulation Risks: Companies often deploy dark patterns and manipulative interfaces, invalidating genuine consent mechanisms. 
  • These practices exploit user behavior, reducing agency and choice in personal data governance. 
• Children’s Data Vulnerabilities: Mandatory verification of parental identity for children’s data is impractical and exclusionary. 
  • It disregards realities of undocumented families and exacerbates India’s digital divide. 
• Dilution of Child Protections: Provisions banning behavioural monitoring and profiling of children were removed from earlier drafts of the legislation. 
  • Current rules allow exemptions for ad targeting, undermining child data safety without adequate justification. 
• Undefined Criteria for Significant Data Fiduciaries: There’s no clear standard for who qualifies as a Significant Data Fiduciary under the law. 
  • This ambiguity allows inconsistent enforcement and limited accountability for high-risk data processors. 
• No Recognition of Emerging Harms: The Act does not address non-consensual harms like algorithmic discrimination, identity theft, or financial fraud. 
  • Unlike the European Union’s General Data Protection Regulation, India’s law lacks a comprehensive harm mitigation framework. 
• Loopholes in Cross-Border Data Regulation: Data can be transferred overseas, with the government only specifying restricted jurisdictions without clear criteria. 
  • This weak regulation exposes citizens to privacy violations and weakens international data sovereignty. 
• RTI Web Portals Violate Privacy: State-run RTI portals in states like Punjab, Odisha, and others demand Aadhaar or device location, violating privacy rulings. 
  • Such mandatory disclosures breach Supreme Court judgments on proportionality and necessity of data collection. 

What Should Be the Way Forward for a Robust Data Governance Framework? 

• Adopt Global Standards for Data Transfer: India should adopt best practices like the European Union-United States Data Privacy Framework for secure data flows. 
  • This will enhance global interoperability, promote trust, and enable cross-border digital trade. 
• Strengthen Institutional Independence: Data Protection Board of India must be restructured for autonomy and accountability through longer tenures and diverse appointments. 
  • Inclusion of judiciary, legislature, and civil society ensures impartiality and enhances stakeholder confidence. 
• Form an AI-Privacy Task Force: A dynamic Artificial Intelligence and Privacy Task Force (like United States’ National Conference of State Legislatures (NCSL)) can identify emerging risks and co-develop regulatory measures. 
  • This would ensure India's data regime remains adaptive and technology-neutral in a fast-evolving landscape. 
• Define Government Exemptions: Terms like “public order” and “sovereignty” must be legally defined and judicially reviewable to avoid abuse. 
  • Transparent procedures for granting exemptions are essential to balance privacy with national interest. 
• Revise Protections for Children’s Data: The government must prohibit behavioural monitoring, profiling, and targeting of children’s data without exemptions. 
  • Like the Children’s Online Privacy Protection Act (COPPA), United States law bans collecting or using personal data from children under 13 for behavioral tracking or targeted ads without verified parental consent. 
• Clarify Significant Data Fiduciary Norms: Provide detailed criteria and obligations for Significant Data Fiduciaries to ensure accountability. 
  • Specify AI-related due diligence, including audit trails and transparency in automated decision-making systems. 
• Fix RTI Portal Privacy Violations: Aadhaar or device location requirements must be eliminated from Right to Information web portals. 
  • Data minimization and privacy-by-design must govern digital interfaces for civic access. 
• Timely Rule Notification and Enforcement: Pending delays in rules undermine public confidence and legal enforceability. 
  • A fixed timeline for notification and implementation must be embedded in the regulatory architecture. 

Conclusion 

Robust data governance is essential for safeguarding privacy, enhancing transparency, and driving innovation. As India’s Prime Minister recently said, “Today it is said that data is the new oil. I will also add that data is the new gold.” India must strengthen institutional independence, adopt global best practices, and ensure timely implementation of laws. Balanced policies will empower citizens, foster trust, and position India as a leader in the evolving digital economy and AI-driven future. 

Drishti Mains Question: What are the key challenges to data protection and privacy in India’s digital era, and how can policy reforms balance transparency, security, and innovation?