Data, privacy and what is its current state?

Sahil Mathur

“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”

Benjamin Franklin, Memoirs of the life & writings of Benjamin Franklin

What Benjamin Franklin meant by those words is debatable, though the fact remains that for much of history, humanity has traded off privacy for its need for survival, luxury or safety.

Privacy was first pioneered by saints and yogis of the past. They devised the way of isolation, where they secluded themselves from the world to achieve inner peace and ultimately, nirvana.

Privacy was always an outcome rather than a way of being. In some communities in North America and Africa, a desire for privacy is viewed as profoundly rude.

Privacy is “a state in which one is not observed or disturbed by other people” (Cambridge Dictionary).

Privacy – World Order

The proliferation of the internet made it easy for consumers to access a vast amount of information, buy goods and get in touch with people from around the world, all at the touch of a button.

It also allowed companies to access and gather vast amounts of personal information about consumers. This information included everything from their name and address to their browsing history, online preferences and behaviours, often stored in unsecured locations prone to misuse by individuals with malicious intent.

Privacy as we now know it came into being not more than 200 years ago, and it only became a point of concern at the beginning of the 19th century.

Eventually, as computers and the internet became increasingly important in federal functioning, so did the concern over privacy and the protection of the data stored in these devices.

In fact, the first data protection law was passed in 1970 in the federal state of Hesse, Germany, well before the advent of the internet in the 1990s. This very first data protection law was aimed at protecting state secrets rather than individual liberty.

Misuse, breach and loss of private data led to the implementation of strict data protection laws around the world, including GDPR in the European Union, and to a new public understanding of what data privacy meant.

The Cambridge Analytica – Facebook data scandal, for example, is the poster child of such misuse and breach of individual privacy. Cambridge Analytica harvested the personal information of millions of Facebook users to understand their behaviour and manipulate them in favour of the organisations and politicians that worked with it.

Data privacy is defined as “the relationship between the collection and dissemination of data, technology, the public expectation of privacy, legal and political issues surrounding them” (Wikipedia).

When it comes to privacy, or in this case data privacy, there exist 3 schools of thought:

  1. Europe – Customer owns the data and companies are responsible for it.
  2. US – Everything is owned by the organisation
  3. What lies in between?

Europe – GDPR

As GDPR is one of the strongest and most comprehensive data protection laws ever to come into existence for the European Union, it makes sense to talk about it here.

GDPR did 3 things:

  1. It gave consumers, end users and clients the power to ask businesses to reveal and delete any personal data they had.
  2. It made businesses accountable to the consumers whose data they collected and stored. It also imposed harsher punishments on businesses that failed to comply.
  3. It allowed regulators to streamline their operations by giving them a single data protection law throughout the European Union.

One of the most important parts of GDPR is the requirement of consent, which is an active agreement by the consumer instead of the opt-out or pre-ticked checkboxes still being used today.

The counter-argument to GDPR, especially from businesses, was that GDPR puts the responsibility for data protection completely on the business acquiring the data and removes the onus from the individuals who shared it online. This creates an unreasonable expectation of privacy and a false sense of security among the consumers of online services.

In addition, the processes required by GDPR are expensive and put small and medium businesses at a disadvantage compared to their large enterprise counterparts.

Though GDPR is one of the toughest data protection legislations in the world, it is not the only one in existence. More than 100 nations across Asia-Pacific, the Americas and Africa have implemented or are in the process of drafting data protection laws catering specifically to their local needs.


Unlike Europe with its GDPR, the US doesn’t have a single data protection law. Instead, it has a set of industry-specific regulations that monitor and protect the personal data of the people in question.

For example,

The Health Insurance Portability and Accountability Act (HIPAA) applies to “covered entities” holding “protected health information.”

The Children’s Online Privacy Protection Act (COPPA) protects the data of children under the age of thirteen.

Meanwhile, the Family Educational Rights and Privacy Act (FERPA) protects student immunizations and other school health records.

Though various regulations within the US system do provide relief in case of breaches, the responsibility is ultimately put on the individual who shares his/her data with an organisation.

This is unlike Europe, where companies are responsible and answer for breaches while the data is owned by the individual.

Privacy in India

The Supreme Court, in its 2017 judgement, upheld that the Indian constitution guaranteed a right to privacy to its citizens, making the right to privacy a fundamental right under Article 21 and Part III of the chapter on fundamental rights.

As such, India has neither a data protection law nor a data protection agency to protect its citizens from data breaches. However, via the Information Technology Amendment Act of 2008, the government does ask for reasonable measures to protect personal information from breaches and provides compensation to the individual in case of misuse.

Having said that, a draft of the Indian Personal Data Protection Bill, 2018 was created and submitted by the Srikrishna Committee to the Government of India in July of 2018.

What does India need?

Data protection and privacy are the need of the hour. In India, though, unlike Europe, most people are unaware of how and where their personal data can be used and, unlike the US, not all citizens are digitally or financially included in the mainstream.

This gives the country an opportunity to create a positive impact using the data available and provide essential services to the masses where required. For example, an individual who might not be financially included in the mainstream would be able to get access to credit that might be essential for his survival, just by being able to identify himself.


Similarly, a labourer who is bound to travel around to earn a living would be able to access essential services like the food distribution system provided by the government, just by being able to identify himself.

What we need are regulations similar to GDPR in Europe and the data protection laws in the US, which should not only protect citizens from misuse of their personal data but also allow the economy to flourish using the data that might be needed.
