《Invest India：2023年印度隱私技術研究報告（英文版）（67頁）.pdf》由會員分享，可在線閱讀，更多相關《Invest India：2023年印度隱私技術研究報告（英文版）（67頁）.pdf（67頁珍藏版）》請在三個皮匠報告上搜索。

1、PRIVACY TECHNOLOGIES IN INDIASTRATEGIES TO ENHANCE THE ECOSYSTEMRESEARCH PAPERThe DialogueTM-(c)2023 The DialogueTM and Invest India.All rights reserved.Copyeditor DesignerKamesh Shekar,Kazim Rizvi,Sreyan Chatterjee,Eshani Vaidya,Saksham Malik,Karthik Venkatesh Invest India-Simran Khurana,Soumil Gup

2、taAuthorsShivam KulshresthaAkriti JayantThe DialogueTM is a public policy think tank with a vision to drive a progressive narrative in Indias policy discourse.Founded in 2017,we believe in facilitating well-researched policy debates at various levels to help develop a more informed citizenry,on area

3、s around technology and development issues.The DialogueTM has been ranked as the worlds Top 10 think tanks to watch out for,by the Think Tank and Civil Societies Programme(TTCSP),University of Pennsylvania in their 2020 and 2021 rankings.Invest India is the National Investment Promotion and Facilita

4、tion Agency of India,set up as a non-profit venture under the aegis of Department of Industrial Policy&Promotion,Ministry of Commerce and Industry,Government of India.It facilitates and empowers all investors under the Make in India initiative to establish,operate and expand their businesses in Indi

5、a.For more informationhttps:/|https:/investindia.gov.in Suggested CitationShekar,K.,Rizvi,K.,Chatterjee,S.,Vaidya,E.,Malik,S.,Venkatesh,K.,Khurana,S.,&Gupta,S.(2023,July).Privacy Technologies in India:Strategies to Enhance the Ecosystem.The DialogueTM&Invest India.Catalogue No.TD/PDG/RP/0723/02Publi

6、cation DateJuly 20,2023DisclaimerThe facts and information in this report may be reproduced only after giving due attribution to the authors,The DialogueTM,and Invest India.We would like to extend our sincere gratitude to Ms Nivruti Rai,CEO&MD,Invest India;Mr Gaurav Sishodia,Cluster Lead&VP(ESDM-TMT

7、,Invest India;Mr Anuj Kapur,Senior Director&Head of India Region,Invest India;Mr Uday Wadhwa,Investment Specialist,Invest India for extending their support to the paper.We also extend our gratitude to Mr Anshu Sharma,Co-founder&CEO,Skyflow,Subhashish Bhadra,Head of Corporate Development,Klub,and Ana

8、nd Venkatanaryanan,DeepStrat,for their invaluable input to the paper.We also extend our gratitude to Akriti Jayant for providing copyediting support and Shivam Kulshrestha for his design support to this report.Acknowledgement Privacy Technologies in India:Strategies to Enhance the EcosystemForeword-

9、Ms.Rama VedashreeExecutive Summary 3.1.1.Data collection 3.1.2.Data retention 3.1.3.Data structuring 3.1.4.Data transfers 3.1.5.Data processing 3.1.6.Data expunction 3.2.Evolution of Privacy Preserving Technology4.4.Structural Challenges for Privacy Technology4.1.The Trend of Legal Endogeneity4.2.Li

10、mits of Technological Outsourcing4.2.1.Power Asymmetries4.2.2.Narrowing Privacy Law4.2.3.Erosion of Expertise4.2.4.Lack of Accountability5.Operational Challenges for Privacy Technology5.1.Demand-side challenges5.1.1.Lack of a privacy-centric culture5.1.2.Limited focus on creating value out of data5.

11、1.3.Low demand from users 5.1.4.Limited awareness of business incentives5.1.5.Budgetary restrictions5.1.6.Gap in knowledge and internal processes5.2.Supply-side challenges5.2.1.Lack of consensus on theoretical frameworks5.2.2.Shifts in regulatory landscape5.2.3.Challenges pertaining to the growth of

12、 Artificial Intelligence12101112141517181819212223232426262626272727293030313232333434Table of Contents1.1.Introduction2.2.Status Quo of Privacy Technology3.3.Privacy Technology A Landscape3.1.Mapping the growth of PETs across the data lifecyclePrivacy Technologies in India:Strategies to Enhance the

13、 Ecosystem6.The Way Forward and Recommendations6.1.Government6.1.1.Regulatory enablers6.1.2.Incentives6.1.3.Fiscal support6.1.4.Competence building6.2.Private Enterprises6.2.1.A shift in cultural factors6.2.2.Internal processes6.2.3.Budgetary restrictions6.3.Investors6.3.1.Privacy protection as a va

14、lue addition6.3.2.Growth of context-appropriate privacy-tech start-ups6.4.Civil Society7.A framework to understand privacy-technologyreadiness of firms7.1.The Data Balance Sheet7.2.Technical Strategy7.2.1.Data Enumeration7.2.2.Data Flow Mapping7.2.3.Data Categorisation7.2.4.Data Access Control7.2.5

15、Data ConvergenceConclusion3636363737394040424243434445454650505152535556Privacy Technologies in India:Strategies to Enhance the EcosystemList of Figures:List of Figures:Figure 1:Way ForwardFigure 2:Way Forward-GovernmentFigure 3:Way Forward-Private Enterprises Figure 4:Way Forward-InvestorsFigure 5:

16、Way Forward-Civil SocietyFigure 6:Mapping PETsList of Figures:List of Figures:Box 1:Privacy-enhancing Technology:Account Aggregator SystemBox 2:Time V alue of DataBox 3:Dashboard ViewBox 4:Lossy Compression List of Tables:Table 1:PETs-Data CollectionTable 2:PETs-Data RetentionTable 3:PETs-Data Struc

17、turingTable 4:PETs-Data TransfersTable 5:PETs-Data ProcessingTable 6:PETs-Data ExpunctionTable 7:Indicative List of Data Categorisation Table 8:Indicative Mapping of Access ControlAbbreviationsAbbreviation DefinitionPrivacy Technologies in India:Strategies to Enhance the EcosystemAAAccount Aggregato

18、r(s)AIArtificial Intelligence BISBureau of Indian StandardsDEPA Data Empowerment and Protection Architecture DPDPB 2022Digital Personal Data Protection Bill 2022DSDDispute Systems Design E2EEEnd to End EncryptionEUEuropean UnionGDPRGeneral Data Protection RegulationHIPAAThe Health Insurance Portabil

19、ity andAccountability Act of 1996(United States)IDIdentification Document IITIndian Institute of TechnologyIoTInternet of Things ITInformation TechnologyIT/ITeSInformation Technology/Information Technologyenabled ServicesMLMachine Learning MSMEMicro,Small and Medium EnterprisesSMESmall and Medium En

20、terprisesNASSCOMThe National Association of Software andService CompaniesNBFCNon-Banking Financial CompanyPET Privacy Enhancing TechnologyPIIPersonally Identifiable Information PPTPrivacy Preserving TechnologyPrivacy Technologies in India:Strategies to Enhance the EcosystemPrivacy Tech Privacy Techn

21、ologyRBIReserve Bank of IndiaSDKSoftware Development KitSIEMSecurity Information and Event ManagementSMEsSmall and Medium EnterprisesTRLTechnology Readiness Level Privacy Technologies in India:Strategies to Enhance the Ecosystem01Privacy Technologies in India:Strategies to Enhance the EcosystemIndia

22、 75 has been scripting a new phase of accelerated digitalization,and our pioneering efforts at digital innovation and technology-enabled inclusion and socio-economic growth are garnering global attention.The technology industry,which has been driving digital transformation for enterprises worldwide,

23、is now a$245 Billion Industry and consistently clocking double-digit growth.Public Service delivery both at the states and Centre,is architected for scalable technology platforms serving citizens over multiple channels.Digital is embedded in Society,both urban and rural,and consumers prefer digital

24、in financial services,shopping online,entertainment,education and skills development,and healthcare.This all-pervasive shift to digital has led to expanding online digital footprints of all segments of our society.Data-driven innovation is central to every businesss growth;emerging technologies and

25、AI are key to offering personalised services to consumers.As we move forward,I believe to realise the maximum potential of digital and data-led innovation,it is essential for businesses to consider trust on an even keel with other business considerations.To build consumer trust,businesses must move

26、from a compliance focus to privacy,being considered a value proposition and competitive advantage.As businesses craft their enterprise data strategies centred around consumer trust,technology solutions for implementing privacy have gained momentum.The Global Privacy Technology vendor landscape now s

27、pans 350 plus companies,and India has also seen the nascent privacy-tech ecosystem grow in the last three years.Think Privacy Think Technology is an initiative that was taken up by the Data Security Council of India to grow the privacy startup ecosystem.The government of India is in the process of e

28、nacting legislation for securing digital spaces like the upcoming data protection bill.However,enforcing and implementing a comprehensive data protection and privacy regime with the continually changing technology landscape and billion-plus consumers/citizens across sectors is daunting for both regu

29、lators and industry.Therefore,I believe Privacy Enabling Technologies can help both government and businesses in their privacy journey and make their digital services and products privacy aware by design.As privacy technologies are at their nascent stage in India,I want to compliment The Dialogue an

30、d Invest India for this timely paper on“Privacy Technologies in India:Strategies to Enhance the Ecosystem”,which discusses the privacy technology landscape of India,its operational challenges,and the way forward.The paper ties the demand-side,supply-side and technological facets together and provide

31、s a holistic perspective on the role of various stakeholders in enhancing the market for privacy technologies in India.I believe the way forward strategies mapped in this paper to some of the critical actors,such as government,investors,private enterprises,and civil society,is a step in the right di

32、rection and could aid the evolution of the privacy technologies ecosystem in India.As India has made rapid strides in her digital transformation journey,its time we give attention to the innovation and growth of privacy technologies and their adoption by both government and business.I do hope this p

33、aper helps evangelise with all stakeholders,the importance of privacy-tech in rolling out robust privacy programs.ForewordMs.Rama Vedashree02Privacy Technologies in India:Strategies to Enhance the EcosystemThe protection of the individuals right to privacy has occupied center stage in recent years,w

34、hile the focus,earlier,was on cybersecurity.A specific approach towards protecting networks,overall servers and systems,cybersecurity stands distinct from privacy technology(privacy-tech),focusing on the individuals right to privacy.The first stage of the evolution of privacy-tech was marked by the

35、need to comply with data protection legislation being enacted across the globe.A notable development was the competitive advantage data fiduciaries could secure by adopting privacy-tech.This inspired a shift from privacy-tech fulfilling mere compliance roles to a more privacy-first culture prioritiz

36、ing individual privacy and security.ExecutiveSummaryThe earliest developments in privacy-tech were the privacy-by-design principles introduced in the 1990s.Subsequently,privacy-enhancing technologies evolved due to the enactment of global data protection regulations,such as the omnibus data protecti

37、on regime like the General Data Protection Regulation(GDPR in the European Union.These regulations focus primarily on fiduciaries complying with the relevant provisions rather than building a holistic privacy-tech culture.However,with increasing consumer-led demand,services have expanded into buildi

38、ng technology solutions that expand on pre-existing privacy-tech solutions,thereby increasing the degree of security offered;(dubbed by some as Privacy Enhancing Technologies and adopting services that guarantee user privacy in a multi-layer format(often dubbed Privacy-Preserving Technologies.Theref

39、ore,in theory,while multiple PETs might be deployed to secure individual data,a single PPT is meant to serve the same purpose.The technology-readiness level,i.e.the degree of maturity of these technologies,is relatively low,particularly in the Global South.This makes seamless adoption a challenge.Fo

40、r instance,one of the most common debates in the South is the need for encryption.Encryption technologies provide a necessary but limited first step towards creating an ecosystem that protects an individuals privacy across the data lifecycle.Privacy-tech vendors aim to provide solutions that protect

41、 ones privacy while maximising the value of data throughout the business.Evolution of Privacy Technology03Privacy Technologies in India:Strategies to Enhance the EcosystemPrivacy-tech in the Global South is notably distinct from the markets in developed countries.In India specifically,for instance,t

42、he industry is relatively new and often absent from several businesses work cultures.An understanding of privacy,experts argue,requires one to consider the management of users expectations,their desire for obscurity and the need for trust.Our report highlights the structural challenges into two broa

43、d bucketsthe trend of legal endogeneity and the limits of technological outsourcing.With privacy regulations being developed in several jurisdictions,its regulatory landscape has become increasingly more complex.As a result of this,the businesses face most challenge in interpreting the privacy law.I

44、t is important that in interpreting the law,the technology solution does not occupy centre stage.The danger of such a focus is that the impact of data protection regulations will be diluted during implementation.Ensuring that privacy outcomes for individuals are centred requires collaboration betwee

45、n the in-house privacy teams of companies with those providing privacy technology.As discussed in the report,the lack of a privacy-first culture poses a significant hurdle towards reaching that goal.Challenges in the Global South Operational ChallengesBottlenecks identified on the demand side includ

46、e low user demand,limited awareness of business incentives,budgetary restrictions,and a knowledge gap within internal processes.The supply-side challenges include a lack of consensus on theoretical frameworks and frequent shifts in the regulatory landscape.The result is that most companies adopting

47、privacy technology in India are limited to cybersecurity solutions.Those operating in the Global North often have to comply with the GDPR,which,in turn,accelerates the adoption of privacy technologies.In order to understand Indias transition towards chartering a privacy-safe environment,it is import

48、ant to discuss the role of the legislature,executive,and judiciary in building a free and fair digital economy that respects informational privacy.Our study tries to understand the reasons behind the slow uptake of privacy technologies in India to provide action points for each major stakeholder.The

49、 level of trust that needs to be established will vary based on the nature of the data being shared,for instance,health data must be accorded a higher degree of protection.Our objective has been to study the expectations of each stakeholder within the privacy-tech ecosystem.This has been done with a

50、 particular focus on the industry and its challenges in establishing a privacy-first culture.04Privacy Technologies in India:Strategies to Enhance the EcosystemWay ForwArd05Privacy Technologies in India:Strategies to Enhance the EcosystemA standardized taxonomy;Sandbox mechanisms can be incorporated

51、 across industries;Recognition by DPIIT could allow for the institutionalization of fiscal benefits,in addition to increased investment in physical infrastructure;andAn independent nodal agency could improve grievance redressal systems and promote awareness,thus establishing a privacy-first culture.

52、1.Way Forward:GovernmentOur findings overwhelmingly point to the need for regulatory support.The legislation will not only be a critical stepping stone towards creating standardized processes,including a taxonomy,but the need to comply will also have a positive effect on the privacy technology indus

53、try.For instance,data classification or labelling does not have any accepted industry standards that are relied upon in India.Governments can also aid privacy-tech businesses by developing clear definitions for key terminologies,like privacy-preserving technologies,and privacy enhancing technologies

54、,in addition to defining the regulatory thresholds for compliance.Regulatory enablers will also enable ease of doing privacy-tech business through the provisions enhancing regulatory requirements,compliance,and due diligence.With adequate support given to those within the privacy technology industry

55、,the positive knock-on effect will be felt across other critical industries,such as digital healthcare and fintech.Efforts in this regard could include regulatory sandboxes and provide adequate intellectual property rights mechanisms.For instance,privacy could be incorporated as an element in pre-in

56、vestment due diligence.The central and state governments already use the sandbox mechanism,in addition to regulatory bodies like the Reserve Bank of India.Enabling recognition by the Department for Promotion of Industry and Internal Trade will also allow start-ups to get various benefits.State-backe

57、d incentives can include those granted infrastructurally or as indirect monetary benefits to enable innovation.Going beyond the basic provisions of fiscal support,the government can grant access to existing infrastructure,such as start-up parks,IT parks,innovation hubs,etc.,set up by various state g

58、overnments.Providing monitoring support and knowledge-sharing mechanisms through a holistic mentoring facility,for instance,would allow for a better understanding of the technologies themselves.For instance,a separate nodal agency for privacy-tech backed by the Start-up India initiative could act as

59、 a single window for clearance for exemptions,incentives,and grievance redressal.Summary of Recommendations:A l legislation can enhance the privacy-tech ecosystem by providing/provisioning the following:06Privacy Technologies in India:Strategies to Enhance the EcosystemREGULATORY ENABLERGovernment e

60、nabling ease of doing business and enabling market for privacy-enhancing businesses.FISCAL SUPPORTGovernment providing financial support directly and indirectly.INCENTIVEGovernment bestowing privacy-enhancing businesses with various incentives.COMPETENCE BUILDINGGovernment supporting in the form of

61、skill development and harness capital enhancing capacitiesWay Forward:Private EnterprisesEstablish training programmes that allow for a practical understanding of the importance of privacy-tech and the manner in which it functions;The need for privacy-tech must also be reflected in financial decisio

62、n-making for which sub-committees can be formed.Legislative compliance must not be the only goal,and the fiscal benefits(such as attracting more FDI must be given their due.Privacy organizations play a critical role in building and supporting a privacy-first culture that prioritizes user privacy pro

63、tection.Private enterprises must invest more resources in creating a privacy-centric culture,which includes considering legislative compliance,cyber security,and privacy protection as complementary goals.For instance,data security and privacy can be a part of corporate governance strategies,and sub-

64、committees can be created to conduct regular assessments and assign a privacy budget.To make informed decisions about adopting the right privacy technology,companies must build internal capacities first.Training cannot be reduced to a mere box-ticking exercise but should help employees realize the p

65、ractical value of privacy-tech solutions.Increasing the awareness of privacy-tech solutions or introducing a team focused on protecting user privacy will ensure that there is a comprehensive view of the company requirements,and that the technology can be meaningfully utilised.Technology that can aff

66、ordably protect user privacy must be given an increased focus on privacy budgets.Summary of Recommendations:Building internal capacities must be prioritised.This includes the following action points:2.Figure 2:Way Forward-Government07Privacy Technologies in India:Strategies to Enhance the EcosystemI

67、ncreasing buy-in for privacy governance at the leadership/executive level by incorporating it as part of corporate governance.Building capacity of internal stakeholders to make them take an informed decision on adopting privacy-tech solutions.Identifying an appropriate privacy-tech solution which co

68、rresponds to the business needs.Thinking beyond the material risk of non-compliance to secure the privacy interest of individuals.Encouraging privacy secured value derivation from data.Way Forward:InvestorsPrivacy-tech solutions also assign investors an important role where they can choose companies

69、 that value privacy,and they can facilitate the development of privacy -tech by investing in solutions that are fit for the Indian market.This would include viewing privacy protection as a value addition rather than a basic hygiene criterion focussed on regulatory compliance.A more strategic approac

70、h must be adopted to provide technical guidance on privacy practices and technology,routine privacy audits or periodic assessments.Investors can also facilitate the development of a standardised taxonomy and metrics for decision-making at the board level that can include privacy as a vital cog of th

71、e business model itself.This will ensure that potential portfolio companies can derive optimum value out of data in a sustainable and privacy-centric manner.Summary of Recommendations:Investors must value TRL,data protection practices(beyond individual privacy)and the inclusion of privacy technology

72、 in key budgetary decisions above simple checkbox exercises for regulatory compliance.Invest in companies focussing on building a privacy-first culturethis can be done by a dynamic evaluation process that studies TRL.Regulatory compliance,while important,cannot be granted singular focus by investors

73、.3.Propounding privacy protection as a value additionInvestors must ensure their portfolio companies indulge in privacy-centric practices.For the same,they must provide technical guidance on privacy practices and technology,conduct routine privacy audits or periodic assessments,and standardise expec

74、tations and taxonomy.Funding context-appropriate privacy-tech start-upsInvestors must consider funding/investing in privacy-tech solutions which are appropriate and adaptable to the Indian market and regulatory landscape.Figure 3:Way Forward-Private EnterprisesFigure 4:Way Forward-Investor08Privacy

75、Technologies in India:Strategies to Enhance the EcosystemWay Forward:Civil SocietyLastly,civil society has a dual objectiveencouraging the shift towards making privacy protection an important determinant while purchasing technology;and working towards the resolution of the privacy paradox.This can b

76、e done by producing literature and tools aimed at explaining concepts pertaining to privacy.For instance,developing impact assessment reports or tools to evaluate the technological readiness level of various privacy technologies in the country will help create a more informed consumer base.There is

77、a need to analyse the efficiency of existing solutions to identify points of vulnerability and new improvement areas.Summary of Recommendations:Work must be targeted towards awareness of the need for data protection beyond individual privacy.This must be done within the industry and at the consumer

78、levels.Conversations with the Government(closed door and otherwise)can ensure that stakeholder expectations are addressed in legislation.Civil society plays a crucial role in identifying incentives for investors and conveying the same to policymakers.Can participate in developing a robust audit mech

79、anism,including inputs on Impact Assessment Reports.Development of a TRL report will not only provide investors with a valuable assessment toolkit,but will also allow consumers to make informed decisions.4.KNOWLEDGEENHANCEMENTCivil society must tackle the privacy paradox concern amongst individuals

80、by bridging the gap in knowledge by kindling privacy protection as an essential determinant while buying technological solutions.EFFICIENCY TESTINGCivil society must analyse the efficiency of solutions that can enhance privacy outcomes and encourage their adoption by businesses.Figure 5:Way Forward-

81、Civil SocietyCivil society plays a crucial role in identifying the bottlenecks in the industry and the need for increased consumer privacy.The following action points are therefore critical to adopt:Privacy Technologies in India:Strategies to Enhance the Ecosystem09India has made a remarkable journe

82、y towards creating a comprehensive data protection regulation for the country to secure the right to privacy of individuals.Towards this,the report is a timely effort to lay out the national strategy for enhancing privacy-tech in India,which could complement the efforts taken by the government towar

83、ds establishing a privacy-first culture in India.The report takes one step further from considering privacy technology as a compliance instrument and suggests means through which the technology could establish a culture where privacy is considered a value proposition through concerted efforts by var

84、ious stakeholders in India.The holistic approach adopted by the report tries to take a bottom-up approach where we emphasise the efforts needed from every stakeholder from the grassroots,i.e.,individuals to businesses and government.Our strategies try to create awareness among individuals and incent

85、ive structure to follow by the investors,which would propel businesses to adopt privacy-tech,boosting the market for the same.ConclusionPrivacy Technologies in India:Strategies to Enhance the EcosystemInternet penetration in India is witnessing a surge,with the COVID-19 pandemic-induced lockdowns ac

86、celerating the trend of consumers adopting services in the digital ecosystem.The internet penetration rate in India stood at 48.7%at the start of 20231,and information technology spending is expected to have increased by 2.6%in 2023 compared to 20222.This rise in the utilisation of digital services

87、also led to increased risks of exclusion in addition to the increase in potential privacy harms.This has led to a shift in the privacy culture,creating a more individual focus,i.e.,protecting personal data.The General Data Protection Regulation defines personal data as any information relating to an

88、 identified or identifiable natural person(data subject;an identifiable natural person can be identified,directly or indirectly,in particular by reference to an identifier such as a name,an identification number,location data,an online identifier or to one or more factors specific to the physical,ph

89、ysiological,genetic,mental,economic,cultural or social identity of that natural person.Risk-based assessments may also create a category of sensitive personal data requiring additional protection.For instance,the personal data of minors that may be collected through online education services or heal

90、th data is often classified as such.The growing importance of ones right to privacy was marked by the Puttaswamy Judgement in 20173.The Honble Supreme Court declared the right to privacy as a fundamental right under Article 21 of the Indian Constitution.The recent draft of the Digital Personal Data

91、Protection Bill,2022(DPDPB,2022 also seeks to recognise the right of individuals to protect their personal data.The intensification of data practices has also pushed Indias digitisation ambitions to the front seat,with NASSCOM(an IT/ITeS industry body estimating that data and Artificial Intelligence

92、(AI will generate over$500 billion in value by 20254.While data is one of the primary drivers of Indias trillion-dollar digital economy vision5,the call for securing informational privacy has become louder not just on the demand side,but also on the supply side.The introduction of the Digital Person

93、al Data Protection Bill,2022 is a step towards formalising the principles introduced and creating a compliance-driven market.With the introduction of the GDPR,the first phase of privacy-preserving technologies was aimed at fulfilling business entities immediate compliance needs6.Subsequently,there h

94、as been a narrative shift towards a privacy-first culture on a global scale.Reflecting this shift,in the past few years,businesses have been taking the initiative and deploying novel privacy technologies(privacy-tech)that go a step further than legal compliance.Privacy technologies,therefore,aim to

95、design novel systems where privacy is improved at the get-go while also improving privacy in existing systems7.Introduction1.Kemp,S.(2023,February 13).Digital 2023:India DataReportal Global Digital Insights.DataReportal.Retrieved July 1,2023,from https:/ Gartner Forecasts India IT Spending to Grow 2

96、.6%in 2023.(2022,November 14).2.Gartner.Retrieved July 1,2023,fromhttps:/ K.S.Puttaswamy(Retd.)and Anr.vs Union Of India And Ors.AIR 2017 SC 41614.Unlocking Value from Data and AI The India Opportunity.(2020).Retrieved from NASSCOM:https:/community.nasscom.in/system/files/report/28219-final-nasscom-

97、report-onscreen-2.pdf101As privacy technologies are nascent in India,in this paper we discuss their growth,journey,and challenges the industry faces.In Chapter 2,we analyse the status quo of privacy technology in India by discussing the trends in privacy technology,including the focus on data manage

98、ment and process orchestration,before briefly discussing factors that impact the industrys growth.Chapter 3 thoroughly explores the privacy technology landscape,including the journey of Privacy Enhancing Technologies(PETs to Privacy Preserving Technologies.This chapter provides a comprehensive map o

99、f various PETs present at various stages of the data lifecycle,from data collection to data expunction.It also traces the evolution of PPTs,their scope as well as their importance for privacy compliance.Chapter 4 discusses the structural and operational challenges of privacy technology in addition t

100、o various demand and supply challenges impacting the uptake and growth of privacy technology in India.In order to recommend grounded solutions,we studied the expectations of various stakeholders within the industry.Chapter 4&5 of the paper,therefore,proposes various recommendations for the governmen

101、t,private enterprises,investors,and civil society to ensure the growth of privacy-tech solutions and consequent protection of users privacy interests.Lastly,Chapter 6 the paper proposes a framework to understand the technology readiness level(TRL of firms.The framework provides a zero-to-one flow re

102、quired to successfully manage a typical data-intensive company in an environment where data protection is a legal obligation and a user expectation.The market for privacy technology has been largely focused on developing cybersecurity solutions.The rise in data breaches led data protection and secur

103、ity practices to become a part of the Information Technology(Reasonable Security Practices and Procedures and Sensitive Personal Data or Information)Rules 2011.Currently,the technologies focus on three key areas:personal data management and governance solutions,risk management and compliance,and pro

104、cess orchestration8.Personal data management solutions allow companies to store,retain and use their data effectively and securely.Automated data discovery tools,for example,would be a personal data management solution.Process orchestration solutions allow automation and standardisation of processes

105、 to improve efficiency.For example,automatic responses to users requesting access to their personal data.Technology can also ease cross-border compliance processes with business entities often operating in multiple jurisdictions.Privacy Technologies in India:Strategies to Enhance the EcosystemStatus

106、 Quo of Privacy Technology5.Indias Trillion Dollar Digital Opportunity.(2019).Retrieved from MEITY:https:/www.meity.gov.in/writereaddata/files/india_trillion-dollar_digital_opportunity.pdf6.Timan,T.&Z.Mann,Data Protection in the era of artificial intelligence.Trends,existing solutions and recommenda

107、tions forprivacy-preserving technologies,Big Data Value Association,Retrieved on January 16,2022 fromhttps:/www.bdva.eu/sites/default/files/Data%20protection%20in%20the%20era%20of%20big%20data%20for%20artificial%20intelligence_BDVA_FINAL.pdf7.Timan,T.&Z.Mann,Data Protection in the era of artificial

108、intelligence.Trends,existing solutions and recommendations forprivacy-preserving technologies,Big Data Value Association,Retrieved on January 16,2022 fromhttps:/www.bdva.eu/sites/default/files/Data%20protection%20in%20the%20era%20of%20big%20data%20for%20artificial%20intelligence_BDVA_FINAL.pdf8.Priv

109、acy Technology:Whats Next?,KPMG International Retrieved on January 8,2022 fromhttps:/assets.kpmg/content/dam/kpmg/xx/pdf/2021/05/privacy-technology-whats-next.pdf11212While the status quo shows privacy technology tilted towards the supply-side management of processes,operations,and compliance,studie

110、s have shown that in addition to this,companies must develop privacy-centric designs to appeal to consumers.Now more than ever,consumers are inclined to choose products with a better privacy rating9.With the latest DPDPB,2022,it is likely that the obligations of data fiduciaries will be expanded.The

111、refore,with the importance of a privacy-first strategy increasing,companies must find a way to operationalise the necessary technology effectively and consistently for data security and privacy.However,the privacy culture in India is relatively new and is growing.While there is a steady movement tow

112、ard privacy-first culture,however,there is still a long way to go in terms of imbibing the same at the organisational level where businesses do have a growing emphasis on the same.Therefore,in the short run,businesses focus on building a data extraction culture with less focus on achieving a positiv

113、e sum game in the long run where privacy and consumer protection are considered as a value proposition,through innovating on privacy safeguards.10Even though risk management solutions seek higher uptake rates from businesses,operationalising these solutions has proven to be an uphill task.Data class

114、ification and labelling do not have any accepted industry practices or standards.Classification is extremely important because the treatment of different kinds of data will vary based on this risk-based assessment.However,the absence of trained personnel and the enabling infrastructure slows the pro

115、cess down significantly.Small and Medium Enterprises(SMEs),in particular,do not have the resources to employ people dedicated to managing privacy technology within the company.On the other end of the spectrum,businesses with requisite resources face longer sales cycles because several new technologi

116、es employ new personnel,such as employees exclusively allocating budget for buyers.Moreover,privacy technology solutions can also rarely operate in silos.Encryption technology,for example,is a vital product for cybersecurity but is insufficient.To protect data throughout its lifecycle and for regula

117、tory compliance,a company will have to deploy various technologies that can work in sync with each other.These technical solutions,therefore,attempt to preserve privacy throughout the lifecycle of data,at the source,during the processing of data or at the outcome of data analysis or all three.9.Shil

118、pa Kumar et.al.,Paving the Future:Why PrivacyTech is a rewarding frontier for venture capital,Omidyar Network India,Retrieved January 26,2022 from https:/www.omidyarnetwork.in/wp-content/uploads/ON-India-PrivacyTech-Thesis.pdf10.Venkatesh,Karthik and Shekar,Kamesh,Positive or Zero-Sum Game:When Priv

119、acy by Design Meets Dark Patterns(August 1,2022).Available at SSRN:https:/ or http:/dx.doi.org/10.2139/ssrn.4178549Privacy Technologies in India:Strategies to Enhance the EcosystemPrivacy Enhancing Technologies increased significantly to fix the privacy void by providing technological solutions that

120、 improve privacy in existing systems and practices.The PET solutions are both consumer-facing(demand-side)and business-facing(supply-side).On the supply side,PETs aid businesses in adhering to some of the fundamental principles of Privacy Technology A Landscape3data protection like data minimisation

121、,proactive data protection,end-to-end security and privacy-by-design,and in turn,aidding in compliance.11 On the demand side,PETs are placed in a unique position where their consumer-facing solutions aid individuals in securing their data from privacy harm like financial loss12,discriminatory treatm

122、ent13,exclusion14,restrictions on free speech15,and enhance user agency.Additionally,the Digital Personal Data Protection Bill 2022 provides consent managers who are meant to grant data principals increased autonomy over their data.Privacy-enhancing Technology:Account Aggregator SystemSimilar to the

123、 Digital Personal Data Protection Bill 2022 Bill,NITI Aayogs draft Data Empowerment&Protection Architecture(DEPA)policy makes a case for a consent manager in the final layer of India Stack.Following the draft DEPA policy,the Reserve Bank of India(RBI)notified the Master Direction for Non-Banking Fin

124、ancial Company-Account Aggregator in 2016.In September 2021,the Account Aggregator system was launched.Licensed under the category of NBFC,the Account Aggregator(NBFC-AA)will collect and share consumers financial information with their consent from a financial information provider to a financial inf

125、ormation user,acting as a consent manager for financial information transfer.Besides,the technical aspects prescribed by RBI for NBFC-AA(NBFC-Account Aggregator(AA)API Specification,2019)are mostly in line with the privacy by design principle.1311.Ruan,W.,Xu,M.,Jia,H.,Wu,Z.,Song,L.,&Han,W.(2021).Pri

126、vacy Compliance:Can Technology Come to the Rescue?Retrieved from IEEE Security&Privacy:https:/puter.org/csdl/magazine/sp/2021/04/09444564/1u3mFH7L9gA12.Prasad,S.(2019,October 29).An Analysis of Harm defined under the draft Personal Data Protection Bill,2018.RetrievedJanuary 17,2022,fromhttps:/ 3).Ya

127、le Law Journal-Amazons Antitrust Paradox.The Yale Law Journal.Retrieved January 17,2022,from https:/www.yalelawjournal.org/note/amazons-antitrust-paradox14.A Taxonomy of Privacy-ORG Wiki.(2013,January 8).ORG Wiki.Retrieved January 17,2022,fromhttps:/wiki.openrightsgroup.org/wiki/A_Taxonomy_of_Privac

128、y#Exclusion;Falling through the Cracks:Case Studies in Exclusion from Social Protection-Dvara Research.Retrieved January 17,2022,fromhttps:/ of Expression&Privacy.(n.d.).The Centre for Internet and Society.Retrieved January 17,2022,fromhttps:/cis-india.org/internet-governance/blog/freedom-of-express

129、ion-and-privacy.pdf16.Personal Data and Individual Agency.(n.d.).IEEE.https:/ethicsinaction.ieee.org/wp-content/uploads/ead1e_personal_data.pdf17.Personal Data and Individual Agency.(n.d.).IEEE.https:/ethicsinaction.ieee.org/wp-content/uploads/ead1e_personal_data.pdfThe supply-side and demand-side P

130、ETs are tailored to fix the privacy void at different stages of the data lifecycle.While there are various PETs in the market,their implementation differs according to their maturity in technological readiness and solution quality17.The PETs discussed in this chapter are at the mid to complete matur

131、ity levels,where they are optimally ready for deployment.For example,end-to-end encryption is a Privacy Technologies in India:Strategies to Enhance the EcosystemBOX 1Privacy Technologies in India:Strategies to Enhance the Ecosystem14PET that is at a stage where deployment is possible at scale.Howeve

132、r,homomorphic encryption,a kind of encryption technique that works differently from the E2EE and has different use cases,is still at the lab testing stage and is consequently not ready for deployment at scale.At the conclusion of this chapter,we discuss the journey of PETs to Privacy Preserving Tech

133、nologies,which are novel technological solutions that guarantee user privacy.Every data-driven industry and business has its functions,targets,and intended outcomes based on its specific business model and business requirements,but overarchingly they follow similar steps when dealing with data for e

134、xtracting utility.While various pieces of literature18 propose different classifications and models for understanding the data lifecycle,for the purpose of this chapter,we take the consensus of different classifications and divide the data lifecycle into six stages,i.e.,data collection,data retentio

135、n,data structuring,data transfer,data processing,and data expunction.The classification is then used as a framework to categorise the available PETs across various stages of the data lifecycle.We study how each of these solutions and technology adds value to the company by easing compliance and prom

136、oting privacy outcomes.Mapping the growth of PETs across the data lifecycle18.Stobierski,T.(2021).8 steps in the data life cycle.Retrieved from Harvard Business School:https:/online.hbs.edu/blog/post/data-life-cycle;Faroukhi,Z.(2020,January 8).Big data monetization throughout Big Data Value Chain:a

137、comprehensive review-Journal of BigData.Journal of Big Data.Retrieved January 17,2022,fromhttps:/ Big Data Value Chain:Definitions,Concepts,and Theoretical Approaches.In New Horizons for aData-Driven Economy(pp 29-37).https:/ more literature on data value chain visit here.Data collectionData retenti

138、onData structuringData transferData processingData expunctionConsent mapping,Location granularity,Encryption in motionFederated learning,Encryption in restData labelling/annotationData flow mapping technologies,Digital watermarking,Synthetic data generationMuli-party computation,Differential privacy

139、,Federated analytics,First-order temporal logic,Trusted execution environmentsData auditing technologies,Certification of data,Crypto-sheddingConsent manager,Attribution-based credentials,Identify management,Privacy policy simplifiersPersonal data storesData integratorsData capsuleSupply-Side PETDem

140、and-side PETData LifecycleFigure 6:Mapping PETs3.115The first step that kickstarts the data lifecycle is data collection.An entity(data fiduciary)collects information about persons(data principal)in a variety of ways-both direct and indirect.Broadly,they can be grouped into the following (a)by direc

141、tly seeking information from data principals,where individuals provide datain return for service;19 and(b)by indirectly through third parties,for instance,businesses approach data brokers(who aggregate data from multiple public sources20)to obtain data for marketing orauthentication21 purposes,among

142、 others.While data collected through different means serve a particular purpose within the business operation of the data fiduciary,overall,at the point of the data collection stage,the data fiduciary is obliged to follow universal principles such as purpose limitation,data minimisation22,and inform

143、ed consent23.To aid business compliance with data minimisation mandates and to obtain informed consent for data collection,there are various supply-side(direct)and demand-side(indirect)PETs in the market,as discussed below.Data collectionTechnologyDescriptionConsent mapping24It is a process for iden

144、tifying data principals for seeking consent during data collection through third parties.There are solutions like consent mapping to simplify this process and make data fiduciaries compliant with consensual data collection.This technological solution maps data principals and automatically sends cons

145、ent notices.Location granularity25They collect the location information of data principals and classify them based on granularity.Data principals can then avail of this service to disclose the granular amount of location data proportionate to the need for the same.Privacy Technologies in India:Strat

146、egies to Enhance the Ecosystem19.Matsakis,L.(2019).The WIRED Guide to Your Personal Data(and Who Is Using It).Retrieved from WIRED:https:/ data brokers find and sell your personal info.Retrieved from Norton:https:/ Costs and Benefits of Data Brokers.Retrieved from The Regulatory Review:https:/www.th

147、eregreview.org/2014/06/19/19-slater-costs-and-benefits-of-data-brokers/22.The principles of data protection:not new and actually quite familiar.(2018,September 24).Privacy International.RetrievedJanuary 17,2022,fromhttps:/privacyinternational.org/news-analysis/2284/principles-data-protection-not-new

148、-and-actually-quite-familiar23.Kosseim,P.(2017,May 15).Speech:Consent as a Universal Principle in Global Data Protection-May 15,2017-Oce of thePrivacy Commissioner of Canada.Oce of the Privacy Commissioner of Canada.R etrieved January 17,2022,fromhttps:/www.priv.gc.ca/en/opc-news/speeches/2017/sp-d_

149、20170515_pk/24.Ruan,W.,Xu,M.,Jia,H.,Wu,Z.,Song,L.,&Han,W.(2021).Privacy Compliance:Can Technology Come to the Rescue?Retrieved from IEEE Security&Privacy:https:/puter.org/csdl/magazine/sp/2021/04/09444564/1u3mFH7L9gA25.Privacypatterns.org.(n.d.).Retrieved from https:/www.privacypatterns.org/patterns

150、/Table 1:PETs-Data Collection3.1.116Attribute-based credentials27Data fiduciaries collect data directly from data principals for authentication.Attribute-based credentials or ABC solutions minimise data at authentication,allowing for a highly flexible verification process.Using this solution,the dat

151、a principals can choose to reveal only a relevant attribute of personal information for authentication thus aiding in complying with the data-minimisation principle.For instance,if age verification is mandatory for certain authentication,data principals can use ABC solutions to verify their age with

152、out disclosing their date of birth.Privacy policy simplifiersTo reduce the fatigue28 caused by reading the terms and conditions of various websites and services,this tool29 scrapes the privacy policy of the website,simplifies it,and provides data principals with the information in an easily consumab

153、le format.This solution can reduce the compliance burden of data fiduciaries who are mandated to provide a simplified and consumable privacy policy for informed consent.In the Indian context,where regional differences create further challenges for obtaining informed consent,solutions with vernacular

154、 support can aid businesses in obtaining meaningful consent.Privacy Technologies in India:Strategies to Enhance the EcosystemIdentity management This privacy-enhancing solution helps data principals manage their multiple online identities and provide means to protect the data principals primary iden

155、tity by(a)access management solutions,i.e.,controlling access to necessary information and(b)pseudonym management solutions,i.e.,generating a proxy.26 While this consumer-facing technology aids data principals to control the nature of data collection and to prevent their personal identity from being

156、 linked to data that they share,this solution also acts as a fixer between data principals and data fiduciaries by enabling privacy-secured transactions.Consent managerThe consent manager acts as a conduit between the(a)data principal,(b)data fiduciaries who hold the data and(c)other data fiduciarie

157、s/processors to whom the data principal seeks to transfer the data.Consent managers aid data fiduciaries as the consent management for the data collection process is outsourced to them.26.Hansen,M.,Berlich,P.,Camenisch,J.,&Clau,S.(n.d.).Privacy-Enhancing Identity Management.2004:Information Security

158、Technical Report.Retrieved from Information Security Technical Report.27.Ruan,W.,Xu,M.,Jia,H.,Wu,Z.,Song,L.,&Han,W.(2021).Privacy Compliance:Can Technology Come to the Rescue?Retrieved from IEEE Security&Privacy:https:/puter.org/csdl/magazine/sp/2021/04/09444564/1u3mFH7L9gA28.Antithesis,some busines

159、ses provide readable privacy policies;for instance,the BBCs privacy policy scores high on the Lexiletest due to short and plain language usage.Besides,Google and Apple provide consumer-friendly privacy policy interfaces,likeshort consent pop-ups before specific data collection for service.29.While t

160、his solution is still in the nascent stage,with informed consent increasingly becoming the bedrock of privacy regimesacross the globe,there is scope for this solution.17TechnologyDescriptionFederated learning32Federated learning is a solution that enables machine learning models to analyse decentral

161、ised data located in different local servers.This solution helps in decentralising data storage without compromising the business edge of processing data,thus reducing the risk of a data breach.Encryption in Rest This technological solution secures data stored on devices and servers,where the data o

162、n the server is converted into ciphertext that only authorised personnel with the encryption key can decode.Encryption in MotionThis tool enables data principals to secure the information from unauthorised access where data/information is converted into ciphertext,which only authorised recipients ca

163、n decrypt with the key.This encryption-in-motion solution can aid data fiduciaries in preserving the privacy of the data principals and aligning with the data minimisation principle.Privacy Technologies in India:Strategies to Enhance the EcosystemNext in the pipeline,post collection and generation o

164、f the data is to retain it by storing it in the cloud servers or on physical devices,etc.The biggest threat that data fiduciaries face at the data storage stage relates to data breaches through hacking,leaks,etc.The impact of data breaches on an individuals right to privacy cannot be understated.The

165、y also have a negative knock-on effect on the reputation of data fiduciaries in addition to the costs of compensation.From a consumer perspective,data principals lose control over data at rest(when stored at the data fiduciaries servers or with a third party),creating a lack of consumer choice and o

166、pacity in treating sensitive data like payments,medical history,etc.Restricting data retention practices is an important aspect of practising the principle of data minimisation and limitation.With these principles finding their way into the DPDPB,2022 the following technologies can be used to go bey

167、ond merely fulfilling a legal obligationsuch as proactive data protection,30 user control of data,31 etc.Data retention30.GDPR Article 25,3531.GDPR Chapter III;CCPA Section 1 to 7;LGPD Chapter III32.Bonawitz,K.,Eichner,H.,Grieskamp,W.,Huba,D.,Ingerman,A.,Ivanov,V.,Roselander,J.(2019).Towards Federat

168、ed Learningat Scale:System Design.Retrieved from Cornell University:https:/arxiv.org/pdf/1902.01046.pdf;McMahan,B.,&Ramage,D.(2017).Federated Learning:Collaborative Machine Learning without Centralized Training Data.Retrieved from Google AI Blog:https:/ 2:PETs-Data RetentionTable 3:PETs-Data Structu

169、ring18TechnologyDescriptionData labelling/annotation34This solution aids data fiduciaries in cleaning,structuring and labelling data,which is the foundation for the machine learning tools used for processing.Labels allow the data fiduciaries to isolate variables within datasets and club them into bu

170、ckets according to the nature and sensitivity of the data to stay privacy and data protection compliant.Data labelling solutions may also depend on machine learning models,which use various methods like synthetic labelling,programmatic labelling etc.,for the annotation of data.Privacy Technologies i

171、n India:Strategies to Enhance the EcosystemData transfer is a process through which data fiduciaries exchange,port,and transmit data to a third party or other business entities.Data fiduciaries transfer data for business purposes like processing,research and development,marketing,etc.and for receivi

172、ng data portability requests from data principals.Data transfersAt the pre-processing stage,data fiduciaries train the data by sorting raw information,i.e.,collected,generated and stored.The information of the data principal can be very loosely classified into personal,non-personal,sensitive,critica

173、l,and mixed data.Data fiduciaries also classify data and extract maximum value from it through precise predictions and usability.Usually,this classification is derived from legislation or policy.Data structuring Personal data stores(PDS)33Using personal data stores,data principals can regain control

174、 over the stored data on the server through secure personal tokens.Various regulations globally including the upcoming DPDPB,2022,vest data rights with users.This technological solution can aid data principals in exercising their rights and choice effectively by increased control over their data.33.

175、Bolychevsky,I.(2018).Are Personal Data Stores about to become the NEXT BIG THING?Retrieved fromhttps:/ Convergence Accelerator:The Future of Privacy Technology.Retrieved fromFuture of Privacy Forum:https:/fpf.org/wp-content/uploads/2020/03/NSF_FPF-REPORT_C-Accel1939288_Public.pdf3.1.33.1.4Table 4:PE

176、Ts-Data Transfers19Digital watermarking36Using digital watermarking solutions,data fiduciaries can watermark the data while transferring it to third parties.This technology will place markers covertly on data to track and monitor the data transferred,protect data from anti-counterfeiting activities,

177、etc.Data integratorsData integrators aid data aggregation efforts across multiple parties and enable the transfer of aggregated data to desired data fiduciaries.As data portability is right to be vested to data principals through various regulations globally,data integrators can aid data fiduciaries

178、 in enabling portability in privacy preserved fashion.One of the significant stages of the data lifecycle is the data processing phase,where data fiduciaries process data for a multitude of services,including but not limited to marketing,improved service delivery,securing competitive advantages etc.

179、Insufficient adherence to the principles of purpose limitation,data minimisation and privacy violations also make the Data processingTechnologyDescriptionData mapping solutionsThere are various data mapping solutions in the market,which would aid data fiduciaries to trace the flow of data across var

180、ious third parties,which increases the ease with which one can employ monitoring mechanisms across the lifecycle.These solutions also aid data fiduciaries in understanding the information lifecycle to identify unforeseen or unintended uses of the data.Privacy Technologies in India:Strategies to Enha

181、nce the EcosystemThis makes it difficult to trace the integrity of the data in terms of data provenance as identical data gets shared with different parties.But,the regulations push the data fiduciaries to map the data flow to assess privacy risks35.Therefore,data mapping is crucial for preserving p

182、rivacy by assigning compliance to different actors during data transfers.On the demand side,as data is scattered across various players,it is hard for the data principals to realise the actual value of data by transferring it from one entity to another.Solutions on the demand side trying to solve th

183、is problem by informing and allowing the data principal to access and integrate their personal data scattered across various players in a single dashboard.35.For instance,Article 30 of GDPR mandates data flow mapping.36.L.Ou,Z.Qin,H.Yin,&K.Li.(2016).Security and Privacy in Big Data.In R.Buyya,R.N.Ca

184、lheiros,&A.V.Dastjerdi,Big Data:Principles and Paradigms.3.1.5Table 5:PETs-Data Processing20First-order temporal logicThis solution provides automatic system monitoring/oversight on the processing of data in line with data processing restrictions imposed by regulations and users.Using this solution

185、data fiduciaries can monitor their processing activities to avoid regulatory breaches.Privacy Technologies in India:Strategies to Enhance the EcosystemTechnologyDescriptionMulti-party computation(MPC)37This solution branches out from cryptography,where different untrusted players process data throug

186、h private distributed computations.This computation allows different players to analyse data without revealing their private input.Therefore,this solution aims for a positive-sum game where privacy is kept intact while processing the data for extracting utility.Differential privacyAt the output leve

187、l,a differential privacy solution helps to share aggregate information of data principals while preserving privacy.This solution also keeps the probability of identifying the data principal low.Differential privacy forms data anonymity via injecting noise into the dataset.It allows data fiduciaries

188、to execute all possible(functional)statistical analyses without identifying personal information.data more vulnerable to cybersecurity breaches both at input and output levels.From the demand-side,data principals are unaware of how their data is processed,thus losing control over it.To weed out thes

189、e inconsistencies,there are various business-facing and consumer-facing PETs in the market.37.Dilmegani,C.(2020).Top 10 Privacy Enhancing Technologies(PETs)&Use Cases.Retrieved from AI Multiple:https:/ Compliance:Can Technology Come to the Rescue?Retrieved from IEEE Security&Privacy:https:/puter.org

190、/csdl/magazine/sp/2021/04/09444564/1u3mFH7L9gATrusted executionenvironments(TEE)38TEE is commonly known as an isolated processing environment in which applications can be securely executed irrespective of the rest of the system.This solution creates a secured environment within the main server where

191、 the operating system cannot read the code within the TEE.Therefore,this solution aids data fiduciaries in maintaining confidentiality and integrity of data while processing.Table 6:PETs-Data Expunction21It is clear that privacy-enhancing technologies are moving in a positive trajectory.While there

192、is a significant development in PETs at stages like data processing and data transfers;there is tremendous scope for improvement in stages like data expunction,data training,etc.Privacy Technologies in India:Strategies to Enhance the EcosystemData capsule39This consumer-facing solution aids data pri

193、ncipals in manually creating policies in accordance with which their data can be processed.Data principals can also develop purpose-specific policies with data capsules.This solution will aid data fiduciaries to be aware of the sensitivity of the data according to data principals preferences during

194、processing.The final stage in the data lifecycle is deleting the data once it has served its purpose or on the insistence of the data principal,whichever is earlier.India has provided for the right to erasure in the latest DPDPB,2022.40 These regulations also empower data principals to seek deletion

195、 or correction of data(through consent withdrawal)if they think it no longer serves the purpose.Data expunctionTechnologyDescriptionData auditing technologiesThese help expunge unnecessary data collected throughout the lifecycle.Audit functions can also help fiduciaries identify new ways of using th

196、eir data(raw or the database created).Certification of datadestructionThis solution provides an audit document that certifies data fiduciaries to have undergone the data destruction process.This document acts as proof of data fiduciaries compliance with data protection regulations and enhances trans

197、parency.39.Wang,L.,Near,J.P.,Somani,N.,Gao,P.,Low,A.,Dao,D.,&Song,D.(2019).Data Capsule:A New Paradigm for AutomaticCompliance with Data Privacy Regulations.Retrieved from Cornell University:https:/arxiv.org/abs/1909.0007740.Clause 393.1.622Privacy Technologies in India:Strategies to Enhance the Eco

198、systemPrivacy technology in India,as an industry,is still in its nascent stages.Considering the staggered adoption of data protection regulations across the globe,the privacy technology industry has also developed at a relatively slow pace.As discussed earlier,the larger problem is the absence of a

199、privacy culture within businesses and on the consumer side.Another reason for the slow uptake of privacy technology in India and across the globe is the absence of standardised privacy terminology.41 There are no uniform industry standards to conduct risk assessments or develop standardised technolo

200、gy that can be effectively used globally.For example,a privacy technology can have various use cases,each with distinct levels of effectiveness.The result of such fragmentation is that there are several classifications of privacy technology.The ambiguity has thus created a disjointed privacy technol

201、ogy industry.Therefore,while businesses are making decisions regarding the onboarding of privacy technology solutions,they must take into consideration the Technology Readiness Level of the privacy solution they choose to adopt.42 ENISA,the EU Agency for Cybersecurity,has developed an assessment met

202、hodology for determining the readiness of privacy-tech solutions.43 Conducting such an assessment will also introduce a degree of harmony within the industry as available solutions,and their shortcomings will be made clear.44Another classification adopted by a few is that of privacy-preserving techn

203、ology and privacy enhancing technology.PETs are said to have evolved in the first phase of the privacy technology industry in the West,marked by the enactment of the General Data Protection Regulation in the European Union or the California Consumer Privacy Act,2018.Privacy Enhancing Technology woul

204、d,therefore,have preceded the use of Privacy Preserving Technology.45 The significant penalties imposed by data protection regulation in case of non-compliance encouraged several business entities to adopt privacy technology that was focused on simplifying the compliance processes of businesses.The

205、goal,therefore,was to adopt technology that allowed one to maximize or enhance privacy in existing systems and processes.These technologies are therefore dubbed Privacy Enhancing Technologies.However,with the evolution of privacy and the beginnings of a privacy culture in the West,several business e

206、ntities wished to develop a privacy-first approach.The privacy-by-design principles46,while introduced in the 1990s,began slowly translating into technological solutions.Privacy-Preserving Technologies are those that developed novel solutions or technologies to address a specific concern,commonly be

207、yond mere compliance solutions.3.2Evolution of Privacy Preserving Technology41.Privacy Tech Alliance&Future of Privacy Forum,Privacy Techs Third Generation,FPF(June.2021),https:/fpf.org/wp-content/uploads/2021/06/FPF-PTA-Report_Digital.pdf42.Ibid43.Ibid44.Ibid45.Ibid46.Ann Cavoukian,Privacy by Desig

208、n:The 7 Foundational Principles,2009,https:/www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf23Privacy Technologies in India:Strategies to Enhance the EcosystemThese are technologies which guarantee privacy to an individual,while PETs simply improve privacy in existing systems.4

209、7 The goal of privacy-tech vendors has evolved to provide solutions that maximise the value of data throughout the business.48 These technologies span across the following key areas:1.Making personal data accessible/available for marketing/unlocking the value ofdata.49 These would include technologi

210、es like Secure Multi-PartyComputation,homomorphic encryption,differential privacy,etc.2.Increasing end-user control and engaging in user-centric data protectionpractices.50 These include consent mapping,consent managers,etc.3.Developing solutions for automated compliance and tools for transparency.5

211、1These include technologies based on Fully Homomorphic Encryption principles,data disruption exchanges,Trusted Execution Environments,etc.It is clear,therefore,that to successfully meet all their data needs,a business will have to layer several integrated solutions.Developing such technology and cre

212、ating a homogenous market will be even more challenging in the future because the privacy landscape will become more complex,with various jurisdictions diverging in their regulatory approaches.Most companies,however,do not have the resources and expertise required to build these technologies in-hous

213、e.They,therefore,have to rely on privacy technology vendors to be able to provide the solutions.The next chapter will delve into the challenges associated with adopting privacy technology in greater detail.Leading scholars has traced the evolution of privacy law from its traditional notice-and-conse

214、nt mechanisms to include a combination of individual rights of control and internal compliance structures.Laura Edelman posits that any law,over time,shows a trend in its compliance wherein the overall culture of the form of law starts taking The Trend of Legal EndogeneityStructural Challenges forPr

215、ivacy Technology47.Data Protection in the Era of Artificial Intelligence,Big Data Value Association,(Oct.2019),https:/www.bdva.eu/sites/default/files/Data%20protection%20in%20the%20era%20of%20big%20data%20for%20artificial%20intelligence_BDVA_FINAL.pdf48.Privacy Tech Alliance&Future of Privacy Forum,

216、Privacy Techs Third Generation,FPF(June.2021),https:/fpf.org/wp-content/uploads/2021/06/FPF-PTA-Report_Digital.pdf49.Ibid50.Data Protection in the Era of Artificial Intelligence,Big Data Value Association,(Oct.2019),https:/www.bdva.eu/sites/default/files/Data%20protection%20in%20the%20era%20of%20big

217、%20data%20for%20artificial%20intelligence_BDVA_FINAL.pdf51.Ibid44.124Privacy Technologies in India:Strategies to Enhance the Ecosystemprecedence over its substance a process termed as legal endogeneity.52 Privacy laws and technology in India face this structural challenge,not unique to a national co

218、ntext,to its implementation and desired outcomes.Edelman studied the phenomenon of legal endogeneity in the American context of enforcement of civil rights in workplaces.She describes how developing an anti-discrimination policy is a necessary first step in creating an inclusive working environment,

219、but it becomes a mere symbolic structure until actively enforced.However,these symbolic structures have increasingly gained the legitimate status of law itself.53 In other words,the act of developing an internal complaints process or appointing a diversity officer is looked at as complying with the

220、law.These actions would hardly lose their legitimacy even if they were to grant the aforementioned diversity officer no powers or overturn every complaint in the review process.54As described by Edelman,there are several stages through which a culture of legal endogeneity can be observed.It begins w

221、ith the enactment of legislation that has ambiguity in application.The absence of clarity in law gives practitioners on the ground the leeway to interpret and implement the law in a manner that benefits them.55 Left to their own devices,practitioners often recast their obligations from the substance

222、(such as preventing discrimination,for instance)to procedure(such as drafting an anti-discrimination policy).A.E.Waldman,a celebrated privacy scholar,describes the matter of legal endogeneity in the context of privacy laws in the United States.He claims that the overwhelming complexity and dynamic n

223、ature of privacy laws have created a significant degree of ambiguity.For example,the Federal Trade Commission in the United States requires that individuals are given adequate notice by companies regarding the use of their personal data.56 However,the term adequate remains undefined.This results in

224、several hard-to-read privacy policies that are hardly ever read by consumers.Even so,the existence of a privacy policy became a proxy signifying the enforcement of privacy law to courts and regulators.Privacy law,unlike civil rights law,is dominated by a technology market.The novelty of the new-age

225、technology and the scale at which the market grows accelerates the trend of judicial bodies deferring to the expertise of industry professionals.Judicial bodies are sometimes of the opinion that they do not have the requisite knowledge to answer questions of privacy law because it is steeped in tech

226、nology.5752.Ari Ezra Waldman,Privacy Laws False Promise,WASH.U.L.REV.0773(2020).53.Ibid.54.Ibid.55.Ibid.56.Ibid.57.Ibid.Limits of Technological OutsourcingThe overall tendency of endogeneity,therefore,can be identified in privacy technology that codifies the interpretations of privacy law in their s

227、ystem design.These interpretations are rarely if ever,made by privacy or legal professionals but rather in the field of privacy 4.225Privacy Technologies in India:Strategies to Enhance the Ecosystemengineering.58 While the privacy technology sector is relatively new,the existing practices will event

228、ually shape the law itself.Makers of technology,because of market pressures,may be more concerned with whether or not a law can be easily articulated in system design rather than focusing on the substantive goal of securing privacy outcomes of individuals or communities.In his paper titled Outsourci

229、ng Privacy,Waldman discusses how systemic outsourcing in the privacy space in the United States has had a widespread effect on privacy as a culture.He describes the rise of a framework that calls for institutions to be organised around the values of efficiency,productivity and innovation.The primary

230、 argument he makes is that the manner in which privacy compliance practices have evolved,such as the practice of outsourcing compliance operations to privacy-tech vendors,has led to a minimal focus on substantive adherence to the goals of privacy law and more on reducing bottlenecks for product inno

231、vation.The privacy regulatory landscape is only becoming more complex as more jurisdictions develop their data protection laws.Interpreting the laws themselves is challenging for privacy law experts and others in the judicial field.Privacy technology vendors and anyone that is meant to comply with p

232、rivacy law must first understand the regulation and its requirements.However,the development of privacy technology often occurs with little to no legal expertise on the team.When privacy technology vendors develop such solutions,they do so,keeping the corporate goals of efficiency,productivity,and i

233、nnovation.Their interpretation of privacy law in itself is skewed.The goal is not that of securing the data of the end-user but to comply with regulation while engaging in unabated data-extractive practices behind the scenes.Without specific laws or organisational policies,privacy technology vendors

234、 end up codifying their own definitions and interpretations of privacy laws into the technology they build.59 A few technologies that do this include a compliance technology which claims that it is GDPR Ready and helps organisations attain,maintain and demonstrate ongoing compliance.60 Another vendo

235、r that provides privacy and security solutions to healthcare providers and guarantees compliance with Article 25 of the GDPR and fully addresses five of the Phase 2 HIPAA61 Audit protocol elements and partially addresses twenty-six more.62Waldman conclusively states that this approach has reduced th

236、e effectiveness of privacy regulation by converting policies,privacy impact assessments and audit frameworks to symbolic measures.He argues that a company only outsources functions and responsibilities that are not part of its core competencies.63 When a company outsources privacy-related tasks,they

237、 do so perhaps because it is not their core expertise,but that does not mean competencies should not be built up over time.This trend is particularly worrisome when the company collects,stores and processes vast amounts of data.Such systemic outsourcing can lead to the following issues:58.A.E.Waldma

238、n,Outsourcing Privacy,96 Notre Dame L.Rev.Reflection 194(2021)59.Ibid60.Antonenko,D.(2022,April 9).GDPR Compliance Technology.B.Retrieved October 20,2022,fromhttps:/ is an American legislation enacted to develop and enforce standards of healthcare,specifically data collection andsharing practices,ac

239、ross the country.62.A.E.Waldman,Outsourcing Privacy,96 Notre Dame L.Rev.Reflection 194(2021)63.Ibid0726Privacy Technologies in India:Strategies to Enhance the EcosystemPower AsymmetriesDeveloping an in-house capacity of privacy solutions requires the following firstly,resources to set up in-house te

240、chnical experience,accommodate large salaries,benefits for new employees and create institutional time and capacity;secondly,legwork which allows a company to develop a clear set of goals,ongoing relationship maintenance,technological assessment,employee training etc.It is clear that larger companie

241、s are better positioned,therefore,to develop their in-house privacy capacity,while smaller entities that are strapped for time and resources cannot afford to do so.This inevitably gives the larger entities a competitive advantage as they are able to adhere to privacy regulations and advertise the sa

242、me to their consumers.Several companies in Singapore have also begun advertising their updated privacy policies to highlight their commitment to protecting individual data.64Narrowing Privacy LawWaldman argues that to operationalise privacy outcomes,as a first step,one must consider managing users e

243、xpectations,their desire for obscurity,and their need for trust.In their interpretation of privacy law,however,vendors reduce the law to modifiable factors that can be easily identified by Artificial Intelligence(AI).It also shifts focus from the larger objective of reducing privacy risks for consum

244、ers to reducing litigation risks for the business.This has created a culture where laws are drafted with this managerial objective in mind.Laws are,therefore,limited to easily codifiable provisions in system designs.65Erosion of ExpertiseAs discussed earlier,technology vendors rarely employ legal ex

245、perts to be part of their teams.People with no legal experience end up burying their conclusions into code,which inevitably creates a product of poorer quality.Waldman also discusses this concept in his paper titled Privacy Laws False Promise.Here,he points out that while involving in-house attorney

246、s and privacy professionals in the design process of privacy-tech is ideal,it is also expensive.Limiting the scope of activity of PET vendors to something like information management is also unrealistic.64.Claudia Lim,Singapores Reationship to Data Privacy May be Evolving,Iris,(1 June 2021),fromhttp

247、s:/participationindex.iris- Unbound:The Inside Story of Privacy,Data,and Corporate Power,Cambridge University Press(28Sept.,2021).Lack of AccountabilityThe introduction of privacy-safe techniques takes place in the design process of such technologies.Waldman argues that the design process is also wh

248、en privacy laws are instantiated.Those in due diligence teams,such as audit teams,are often shielded from this design process.In his book,Industry Unbound,Waldman discusses his experience with several companies in-house privacy experts.The expert is often assigned to a 4.2.14.2.24.2.34.2.427Demand-s

249、ide challengesPolicymakers are stressing on the significance of data privacy in the light of rising data breaches at various companies.Additionally,the expectations of users from companies to protect their data is rising.According to a recent survey of 6000 Indian respondents,84%of consumers surveye

250、d prefer organisations that are committed to protecting their privacy.67 In light of these trends,privacy-tech vendors anticipate the rising adoption of their solutions.According to our review,there are six major challenges currently holding back businesses from adopting privacy-tech solutions.Opera

251、tional Challenges forPrivacy TechnologyThe Indian industry has developed privacy-tech solutions that are arguably sufficiently mature to meet the compliance needs of businesses today.PETs that can enhance privacy at each data lifecycle stage through various functions like consent mapping,data labell

252、ing and encryption are available for enterprise use.Further,PPTs or novel systems and solutions that preserve the privacy of user data,have also seen notable growth.However,certain operational bottlenecks have held back the adoption of privacy technology.In this chapter,we will analyse operational c

253、hallenges in the following groupings:1.Demand side challenges limiting the uptake of privacy-tech by businesses2.Supply side challenges preventing the growth of privacy-tech solutionsLack of a privacy-centric culture Businesses primarily look at privacy protection to first,ensure compliance with dat

254、a protection laws and consequently reduce legal risks,and secondly,to prevent data breaches in order to prevent reputational and financial damage.68 These are genuine concerns,considering that penalties for non-violation of laws,combined with litigation Privacy Technologies in India:Strategies to En

255、hance the Ecosystemproduct or engineering team.However,the reporting requirements within the corporate structure often require the engineer to spot the privacy issue and report it to his manager.The issue then travels up the corporate ladder and often reaches the privacy expert only at a late stage

256、of the design process.6666.A.E.Waldman,How Big Tech Turn Sprivacy Law Into Privacy Theatre,Slate,Retrieved on January 2,2021 fromhttps:/ Sheth,(2021,March 14),84%Indian consumers willing to pay more to do business with organisations committed toprotecting data privacy:Report,The Hindu Business Line,

257、Retrieved February 16,2022 fromhttps:/ Privacy study:500 companies share their insights,(2020,May 22),Data Privacy Manager,Retrieved February 16,2022from https:/ Organizations are ManagingCyber Risk in a Fast-Changing Business Environment:Marsh Microsoft 2019 Cyber Survey Results,(2019,October 7),MA

258、RSH,https:/ 11;IAPP 2021 Tech Vendor Report,(2021),IAPP,https:/iapp.org/media/pdf/resource_center/2021TechVendorReport.pdf at 35.55.15.1.128Privacy Technologies in India:Strategies to Enhance the Ecosystemcosts,can be significant.At the same time,costs of data breach have reached record highs during

259、 the pandemic.The 2021 Cost of a Data Breach Report from IBM security revealed that in India,Rs.5,900 was the cost to the company per lost or stolen record in 2021.69 The average total cost of a data breach was the highest in the healthcare and financial sector.70 According to the survey,anonymised

260、customer data was the second most common type of record compromised,preceded by customer personal identifiable information(PII was the most common type.71 The report considers hundreds of cost factors involved in data breach incidents,including loss of customers and brand equity.As a result,business

261、es are relying more on lawyers to ensure regulatory compliance and cybersecurity solutions to prevent data leaks.With the enactment of the DPDPB 2022,it is likely that this dependency will only increase.While resolving these concerns is integral to business operations,the culture does not allow for

262、proportionate attention to the data privacy interests of the users.One of the reasons behind this is that privacy is often understood from risk perspectives as focused on managing corporate risk,balancing regulation and profit and enhancing innovation.The effect of this is often the frustration of c

263、onsumer privacy rights.72 The DPDPB,2022,for instance,provides for the right to correct and erasure consent mechanisms,while the digital health sector in India has already envisaged the application of consent managers to access longitudinal records.73 These priorities are often also reflected in nat

264、ional policies pertaining to technology.For instance,public engagement values and mechanisms are rarely salient in consolidating AI regimes.Therefore,they do not always prioritise protecting the interests of the users.74 Absence of governing policies that do not prioritise user interest can influenc

265、e organisational cultures and values in the private sector.There exists a need for businesses to move towards a privacy-centric culture that prioritises the protection of user privacy while also looking after concerns of non-compliance and data leaks.For instance,a focus on efficiently recording use

266、r consent through consent management solutions can considerably enhance the autonomy of users over their data.At the same time,this approach can i assist in adhering to legal requirements that mandate processing of data only according to purposes consented to and ii reduce risks associated with data

267、 leakage by ensuring that data is shared strictly in accordance with user consent.The issue of insufficient attention is not limited to the protection of user privacy.The challenge also extends to responsible value creation from data.Over time,businesses have witnessed an increase in the influx of d

268、ata.However,they continue to be overwhelmed by it and are not deriving sufficient value from it.This has also played a role in slowing down the adoption of privacy-tech solutions,as we will see in the next section.69.PTI,(2021,July 28),Cost of data breach hits record high during pandemic:IBM,Financi

269、al Express Retrieved February 16,2022from https:/ of a data breach report 2021,(2021,July),IBM,Retrieved February 16,2022 fromhttps:/ at 15.71.Cost of a data breach report 2021,(2021,July),IBM,Retrieved February 16,2022 fromhttps:/ at 15.72.Waldman,A.,Privacy Laws False Promise(2019,December 6).Wash

270、ington University Law Review,Vol.97,No.2,2020,Retrieved February 16,2022 from SSRN:https:/ at 49.73.Ministry of Health and Family Welfare,National Digital Health Blueprint(30 Jan.2020),fromhttps:/main.mohfw.gov.in/sites/default/files/Final%20NDHB%20report_0.pdf.74.Wilson,C.,(2022,January),Public eng

271、agement and AI:A values analysis of national strategies,Government InformationQuarterly Vol 39 Issue No.1,Retrieved February 16,2022 from https:/doi.org/10.1016/j.giq.2021.10165229Limited focus on creating value out of dataIn addition to protecting user privacy,privacy-tech solutions can enable proc

272、esses that can assist in responsibly deriving value out of data.75 This can be achieved in two ways.Firstly,privacy-tech can enable processes beneficial for value derivation from data.For instance,technologies like data mapping solutions can provide businesses with an insight into how data moves thr

273、ough their systems,including the identity of data collected,sources of ingestion,purpose,retention timelines,and access controls.Therefore,it can ensure that data in various silos do not go undetected and can inform business decisions.Secondly,privacy-tech solutions can balance data utility with the

274、 privacy of data,thereby enabling long-term sustainable data processing activities that do not have any regulatory risk.For instance,homomorphic encryption can enable computations on encrypted data without first decrypting it,serving as a sustainable mode of privacy-centric value creation.Businesses

275、 that safely and consistently derive value from data would,therefore,recognise the value of privacy technology.According to a cross-jurisdictional study by Forrester76 of 45 locations including India,the United States,and various European countries,70%of data decision-makers are gathering data faste

276、r than they can analyse and use it and most(88%of them are neglecting either the technology and processes or culture and skills or both required for creating value out of data.This has led to businesses being unable to analyse and derive value out of most data collected by them.A report by Deloitte

277、highlights that Indian companies often do not use more than 5-20%of the personal data they collect.77 Increased focus on creating value out of data which entails identifying use-cases of data insights,implementing internal processes for analysing insights and incorporating appropriate solutions can

278、help businesses innovate and customise services to consumer needs.Additionally,it can foster increased adoption of privacy-tech solutions.The willingness of businesses to invest in privacy-tech solutions is not only influenced by demand from users.The extent of awareness among businesses about incen

279、tives that can be derived out of these solutions can also determine whether companies would be keen to invest in privacy-tech solutions or not is also a relevant point here.Privacy Technologies in India:Strategies to Enhance the Ecosystem75.Timan T.,(2019,October),Data Protection In The Era Of Artif

280、icial Intelligence,BDVA Retrieved February 16,2022 fromhttps:/www.bdva.eu/sites/default/files/Data%20protection%20in%20the%20era%20of%20big%20data%20for%20artificial%20intelligence_BDVA_FINAL.pdf at 16;Protecting Privacy in practice,(2019,March),The Royal Society,Retrieved February 16,2022 fromhttps

281、:/royalsociety.org/-/media/policy/projects/privacy-enhancing-technologies/privacy-enhancing-technologies-report.pdf at 26.at pg.2676.Unveiling Data Challenges Aicting Businesses Around The W orld.(n.d.).Dell.Retrieved October 20,2022,fromhttps:/ V.&Sehgal M.,(2019),Unlocking the Potential of Indias

282、Digital Economy:Practices,Privacy and Governance,Omidyar Network India And Deloitte,Retrieved February 16,2022 fromhttps:/ demand from usersWith the backdrop of rising privacy breaches and discourse on data protection laws,the relevance of privacy protection has increased for consumers as they are n

283、ow more aware of their data rights.78 This is down to focused efforts from various stakeholders.For instance,civil society is publishing literature that raises awareness of privacy rights.Companies are leveraging their privacy protection capacities as a competitive differentiator to attract consumer

284、s.However,there is a long way to go before privacy concerns of users can significantly impact their behaviour while using technology,including their decision to use or not use certain services.Concerns about privacy are not yet driving consumer behaviour,despite rising awareness;as their online acti

285、vity is only increasing.79 Further;consumers are regularly trading their privacy rights for benefits provided by technology.This phenomenon has been termed as the privacy paradox.80 Recent research has revealed that while users are concerned about their privacy,they nevertheless undertake very littl

286、e action to protect their personal data.81 Difficulty in understanding the manner in which their data is processed and cumbersome processes for managing privacy are a few reasons behind this.To this end,consumers often find it easier to be apathetic to privacy concerns while making purchasing decisi

287、ons.An increase in consumer demand for effective privacy protection practices can potentially incentivise businesses to adopt privacy-tech solutions.Limited awareness of business incentivesWhile businesses are aware of the disincentives of not implementing privacy-protecting practices,positive incen

288、tives like investor appeal and prospects of international expansion are yet to be realised.Hefty penalties under data protection laws disincentivise inefficient data protection practices by businesses.For instance,The Privacy Legislation Amendment(Enforcement and Other Measures Bill 2022 provides fo

289、r a fine of AUD 500 million or 30%of a companys adjustment turnover,whichever is greater,for the breach of the law.82 The recent iteration of Indias data protection regulations has also indicated that financial penalties will be borne by data fiduciaries in cases of violation.83 This represents an o

290、verall shift towards imposing mandatory data protection practices across various industries.However,in order to ensure meaningful compliance through privacy-tech solutions,Privacy Technologies in India:Strategies to Enhance the Ecosystem78.Has Lockdown made Consumers more open to Privacy?(2020),EY G

291、lobal Consumer Privacy Study 2020 Retrieved February16,2022 fromhttps:/ 8),Are data privacy concerns driving consumer behavior?Not yet.,Deloitte,Retrieved February16,2022 from https:/ the internet experience,Hewlett Packard,Retrieved February 16,2022 fromhttps:/ D(2017),The privacy paradox Investiga

292、ting discrepancies between expressed privacy concerns andactual online behavior A systematic literature review,34(7)Telematics and Informatics 1038,Retrieved February 16,2022https:/ Legislation Amendment(Enforcement and Other Measures)Bill 2022 fromhttps:/www.aph.gov.au/Parliamentary_Business/Bills_

293、Legislation/Bills_Search_Results/Result?bId=r6940.https:/www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6940.83.Cl.25,Ministry of Electronics and Information Technology,The Digital Personal Data Protection Bill,2022,fromhttps:/www.meity.gov.in/writereaddata/

294、files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf.5.1.35.1.431Budgetary restrictionsLack of resources for the protection of privacy has also held back the adoption of privacy-tech.87 There are multiple reasons for the budgetary restrictions.First,since businesses have not suffi

295、ciently realised the financial benefits of integrating privacy-tech,budget allocations for these solutions remain limited.In the short-term,privacy-tech investments can be challenging and cost-intensive for enterprises with limited resources as they may require a notable investment of funds,time,and

296、 human resources.However,in the longer term,financial incentives for investment in privacy-tech show up,which can justify the budgetary allocations.These benefits include shorter sales delays due to customer data privacy concerns as well as shorter system downtimes during a data breach.88Secondly,th

297、e budget for various privacy-tech solutions would be determined by an entirely new budget head89 that can only be accommodated with sufficient time and analysis of Privacy Technologies in India:Strategies to Enhance the Ecosystembusinesses need to realise positive incentives of privacy protection as

298、 well.A global study by Cisco highlighted that only 36%of the surveyed businesses recognised investor appeal as a business benefit of privacy investment.84In addition to investor appeal,privacy-tech solutions can enhance future business prospects by preparing it for expansion into jurisdictions with

299、 strict data protection laws.Regulatory frameworks have the potential to create entry barriers in certain markets,as has been acknowledged by antitrust frameworks of various jurisdictions.85 Data privacy laws,without effective preparation and funding,can make it difficult for companies processing da

300、ta to operate feasibly in the concerned jurisdiction.86 Therefore,incorporating privacy-tech solutions can assist companies in overcoming regulatory barriers and effectively competing in jurisdictions with strict data privacy regimes.Consequently,these factors can impact a businesss valuation while

301、raising funds.Continued oblivion to these factors can affect their willingness to adopt privacy-tech and slow their growth.Limited awareness of business incentives can influence budgetary decisions pertaining to privacy-tech solutions,further stalling the adoption of these services.84.White Paper on

302、 Privacy Gains:Business Benefits of Privacy Investment,Cisco(2019),Retrieved February 16,2022 fromhttps:/ and barriers to entry,(2007,January),OECD,Retrieved February 16,2022 fromhttps:/www.oecd.org/competition/mergers/37921908.pdf.86.Kerber,W.&Specht-Riemenschneider,L.,(2020,September 30),Synergies

303、 Between Data Protection Law And CompetitionLaw,VZBV Retrieved February 16,2022 fromhttps:/www.vzbv.de/sites/default/files/2021-11/21-11-10_Kerber_Specht-Riemenschneider_Study_Synergies_Betwen_Data%20protection_and_Competition_Law.pdf87.How Privacy Tech Is Bought and Deployed,(2019),IAPP&TrustArc,Re

304、trieved February 16,2022 fromhttps:/iapp.org/media/pdf/resource_center/privacy_tech_bought_and_deployed_IAPPTrustArc_2019.pdf.88.White Paper on Privacy Gains:Business Benefits of Privacy Investment,Cisco(2019),Retrieved February 16,2022 fromhttps:/ at 3.89.Kumar,S.et.al.,(2021),Paving the Future:Why

305、 PrivacyTech is a rewarding frontier for venture capital,Omidyar Network India,Retrieved February 16,2022 from https:/www.omidyarnetwork.in/wp-content/uploads/Privacy-Tech-Thesis-July7.pdf.5.1.5Gap in knowledge and internal processesBusinesses with the intent to adopt privacy-tech often have limited

306、 awareness of state-of-the-art technologies.In cases where companies are aware of the latest technologies,they are either unclear about which use cases can benefit from them or have the impression that easy-to-use solutions are unavailable.90Further,organisations are unable to adopt privacy technolo

307、gy due to a gap in internal processes.Businesses often do not have dedicated roles to manage conflicts arising out of product and engineering decisions on user privacy.91 Absence of institutionalised process workflows and standard operating procedures on data privacy,limits their ability to integrat

308、e privacy-tech in their operations.92 Understanding the relevance,use cases and integration strategies of privacy-tech is crucial to adopt these technologies.To ensure that the uptake of privacy-tech increases among businesses,it is crucial that bottlenecks pertaining to culture,demand,knowledge,int

309、ernal processes,and budgets are sufficiently studied.Supply-side challengesOut of 365 privacy-tech vendors identified in the IAPP 2021 Tech Vendor Report,only 7 are from India.These companies provide a range of services,including data mapping,identification/pseudonymity,and consent management soluti

310、ons.These solutions assist in various stages of the data lifecycle by efficiently mapping the processing journey of data,anonymising sensitive data and ensuring adherence to the consent provided by data principals.Currently,market studies on the privacy-tech sector in India are scarce.Certain trends

311、 specific to the Indian context are worth mentioning.First,a notable number of vendors93 in the country provide a multitude of services to businesses,rather than hyper-specialising in a particular technology.Assessment managers and services that can optimise data processing like data mapping and dat

312、a discovery solutions are particularly Privacy Technologies in India:Strategies to Enhance the Ecosystemreturns.Thirdly,while IT professionals may understand the nuanced benefits of privacy-tech solutions,but those with authority over the allocation of budgets may not.Streamlining operational proces

313、ses and stakeholder interaction on budget decisions can,thus,facilitate investment in privacy-tech solutions.In addition to budgetary restrictions,there are other factors as well that impact the ability of a business to adopt privacy-tech solutions.Most importantly,these include gaps in knowledge an

314、d internal processes that concern the adoption of privacy-tech.3290.Polonetsky,J.&Greenberg,J.(2019),NSF Convergence Accelerator:The Future of Privacy Technology,Future of PrivacyForum,Retrieved February 16,2022 fromhttps:/fpf.org/wp-content/uploads/2020/03/NSF_FPF-REPORT_C-Accel1939288_Public.pdf.9

315、1.Privacy practices in the Indian technology ecosystem:A 2020 survey of the makers of products and services,(2020),Hasgeek,Retrieved February 16,2022 from https:/ practices in the Indian technology ecosystem,Hasgeek.Retrieved February 16,2022 from https:/ Infosec,Expert Techsource,Privacy Virtuoso G

316、lobal and SensorproI,(2021),See IAPP 2021 Tech Vendor Report,IAPP,Retrieved February 16,2022 from https:/iapp.org/media/pdf/resource_center/2021TechVendorReport.pdf5.1.65.2Lack of consensus on theoretical frameworksIn order for an industry to grow,a uniform theoretical framework on the solutions can

317、 be helpful.98 Owing to the fact that it is still early days for the industry in India,the theoretical literature on the taxonomy of terms and the methodology to characterise privacy-tech is still underdeveloped.However,internationally,there is little consensus on taxonomy and methodologies for cate

318、gorising privacy-tech.99 The interpretation of certain terms differs according to laws,courts,privacy professionals,as well as vendors that self-preferentially develop terminology for marketing purposes.The lack of consensus is a major impediment to the growth of privacy-tech,which it can potentiall

319、y slow down its development.Various issues including differences of understanding between the technology available in the market and the needs of buyers,the applicability of relevant laws,the development of technologies;as well as limited growth of platforms for knowledge sharing may come up.Further

320、,a lack of consensus on what technologies form part of the privacy-tech may cause uncertainty for stakeholders.For instance,consensus on the overlaps and distinctions between privacy technologies and cybersecurity solutions is still lacking.This has the potential to cause confusion for stakeholders

321、producing insights including market reports as well as investors with limited portfolio capacities for privacy-tech solutions.One of the reasons for the lack of unanimity is the regular shifts in regulatory landscapes around the world.Data privacy frameworks are constantly evolving by either borrowi

322、ng from other jurisdictions or departing from commonly accepted theoretical frameworks of taxonomy and methodologies for characterisation.100 If left unaddressed,this may cause uncertainty among stakeholders and slow down the process of harmonising privacy-tech taxonomy.Privacy Technologies in India

323、:Strategies to Enhance the Ecosystem33common.Secondly,companies dealing in specialised solutions may be less common,but certain companies like Doosra94 and Truthshare,95 are slowly gaining traction.Thirdly,various companies with a global presence are providing privacy-tech services in the country.A

324、few of these are indigenous companies,96 while some are based in other jurisdictions.97 While various factors like ease of doing business and a hospitable regulatory regime in the country have encouraged these services,the development of privacy-tech in India still suffers from various supply-side c

325、hallenges.94.Doosra,Retrieved February 16,2022 from https:/ Share,Retrieved February 16,2022 from https:/.ng/.96.Mindtree:A Larsen and Toubro Group Company,Retrieved February 16,2022 fromhttps:/ MasterCraft Dataplus,Retrieved February 16,2022 from https:/ and Data Protection(PDP)services:Key highlig

326、hts of Indias Personal Data Protection Bill(draft),2018(2018),Deloitte,Retrieved February 16,2022 from https:/ privacy and AI protection,IBM,Retrieved February 16,2022 fromhttps:/ Techs Third Generation:A Review of the Emerging Privacy Tech Sector,(June 2021),FPF,Retrieved February 16,2022from https

327、:/fpf.org/wp-content/uploads/2021/06/FPF-PTA-Report_Digital.pdf at 12.99.Privacy Tech Alliance et.al.,(2021),Privacy Techs Third Generation:A Review of the Emerging Privacy Tech Sector,Future ofPrivacy Forum,Retrieved February 16,2022 from https:/fpf.org/wp-content/uploads/2021/06/FPF-PTA-Report_Dig

328、ital.pdf.100.Polonetsky,J.&Greenberg,J.,(2019),NSF Convergence Accelerator:The Future of Privacy Technology,Future of PrivacyForum,Retrieved February 16,2022 fromhttps:/fpf.org/wp-content/uploads/2020/03/NSF_FPF-REPORT_C-Accel1939288_Public.pdf at 27.5.2.134Shifts in regulatory landscapeData privacy

329、 frameworks across various jurisdictions have witnessed regular shifts.In the United States,for instance,the data privacy landscape has changed significantly;with new laws coming up in California,Virginia and Colorado over the past few years.In January 2020,South Korea passed significant amendments

330、to three of its data privacy laws,including its primary data privacy legislation,the Personal Information Protection Act.101 In the same year,Singapore amended its Personal Data Protection Act,2012 after several rounds of consultations;to enhance strictness.102 In 2021,China enforced the Personal In

331、formation Protection Law,the countrys first comprehensive data privacy law.103 Earlier in 2022,Chinas new Data Security Law,which governs a wide range of data processing activities,also went into effect.104Privacy-tech vendors have had to regularly adapt to ever-changing needs,causing multiple alter

332、ations and delays in creating feasible solutions.A regulatory regime that balances stability with adaptability can avoid uncertainty among vendors about expectations from their services.Further,it can enable consensus building among various stakeholders on the taxonomy and methodology to characteris

333、e privacy-tech.Challenges pertaining to the growth ofArtificial IntelligenceArtificial Intelligence plays an important role in the development of privacy-tech solutions in various jurisdictions.The need for the same arises since several privacy workflows currently are manual,making their implementation resource intensive.It is difficult to produce enough manpower to perform compliance tasks manual