Technology Issues: AI Regulation, Data Privacy & Digital Governance

Overview

India is undergoing one of the most rapid digital transformations in the world. With over 900 million internet users, the world's largest biometric identity database (Aadhaar), the fastest-growing digital payments ecosystem (UPI), and an ambitious artificial intelligence strategy, the country is simultaneously embracing the opportunities of the digital age and confronting its profound risks. Technology is reshaping governance, economy, education, health, and social life at a pace that policy frameworks and public understanding struggle to match.

This module examines the critical technology issues facing India today: the regulation of artificial intelligence, the protection of personal data in an era of mass surveillance, the architecture of digital governance, the challenges of cybersecurity, the regulation of online platforms, and the governance of emerging technologies like blockchain, quantum computing, and biotechnology. It covers the legal and institutional frameworks, the political economy of technology policy, the social and ethical implications, and the tools available to citizens who want to understand and influence the digital transformation of their society.

Technology policy is not merely a technical matter. It intersects with fundamental rights (privacy, free speech, equality), with economic power (the dominance of tech giants, the digital divide), with national security (cyber warfare, surveillance), and with democracy itself (the manipulation of information, algorithmic bias, the erosion of public trust). A citizen who understands these intersections is better equipped to navigate the digital world, protect their rights, and demand accountable governance in the algorithmic age.

Artificial Intelligence in India: Promise and Peril

Artificial intelligence (AI) — the ability of machines to perform tasks that typically require human intelligence — is being deployed across Indian governance, healthcare, agriculture, education, and finance. The government has declared its intention to make India a global AI hub, but the rush to adopt AI has outpaced the development of regulatory safeguards, ethical guidelines, and public understanding. The result is a landscape of enormous potential and significant risk.

India's AI Strategy and Ambitions

• NITI Aayog's National Strategy for AI (2018): India's first comprehensive AI strategy identified five sectors for focused deployment: healthcare, agriculture, education, smart cities, and infrastructure. The strategy emphasized social good over commercial gain, proposing AI solutions for crop disease detection, tuberculosis screening, and traffic management. It also called for the creation of a National AI Marketplace, AI research institutes, and mechanisms for international collaboration. However, implementation has been slow, and the social good framing has been overshadowed by commercial and military AI applications.
• IndiaAI Mission and compute infrastructure: In 2024, the government approved the IndiaAI Mission with an outlay of ₹10,372 crore, aiming to build domestic AI compute infrastructure, develop indigenous AI models, and promote AI startups. The mission includes the procurement of GPUs (graphics processing units), the establishment of AI innovation centers, and funding for AI research. The emphasis on "sovereign AI" reflects concerns about dependence on foreign AI models and the need for India-specific language and cultural training data.
• AI in governance and public services: AI is being deployed in governance at multiple levels. The Supreme Court uses AI for transcription and translation. The Election Commission has explored AI for voter verification and election monitoring. The income tax department uses AI for fraud detection. Police forces use facial recognition and predictive analytics. While these applications promise efficiency and accuracy, they also raise concerns about error rates, lack of transparency, and the erosion of human judgment in critical decisions.
• AI in the private sector: Indian companies are deploying AI in customer service, recruitment, lending, insurance, and e-commerce. The fintech sector uses AI for credit scoring and fraud detection. The agritech sector uses AI for crop monitoring and pest prediction. The edtech sector uses AI for personalized learning and assessment. These applications create value but also risks of exclusion, bias, and exploitation, particularly for low-income users who lack digital literacy and recourse mechanisms.

Risks and Concerns of AI Deployment

• Algorithmic bias and discrimination: AI systems trained on biased data reproduce and often amplify existing discrimination. Facial recognition systems have higher error rates for women and darker-skinned individuals, which in India's context means higher error rates for women, Dalits, and Adivasis. AI-based credit scoring can discriminate against marginalized communities by using proxy variables (like postal codes or phone models) that correlate with caste and class. AI in recruitment has been shown to discriminate against women and minorities. Without algorithmic audits and anti-discrimination safeguards, AI becomes a tool for automated exclusion.
• Lack of transparency and explainability: Many AI systems, particularly deep learning models, operate as "black boxes" — even their creators cannot fully explain how they arrive at particular decisions. This opacity is problematic when AI is used for criminal sentencing, loan approvals, job screening, or welfare eligibility. The right to explanation — the right to understand why an algorithmic decision was made about you — is a key demand of AI ethics advocates, but it is not legally recognized in India.
• Job displacement and labor market disruption: AI and automation threaten to displace millions of workers in India's informal economy, particularly in manufacturing, customer service, data entry, and agriculture. While AI also creates new jobs (in data labeling, AI training, maintenance, and oversight), the transition is unlikely to be smooth or equitable. Workers in gig economy platforms (like Swiggy, Zomato, Ola, and Uber) are already subject to algorithmic management — their work is assigned, monitored, and evaluated by algorithms they cannot understand or challenge. The labor code does not address algorithmic management, and gig workers lack the protections of formal employment.
• Generative AI and misinformation: The rise of generative AI tools like ChatGPT, Midjourney, and India's own indigenous models has created new channels for misinformation. AI-generated deepfakes — realistic but fabricated images, videos, and audio — have been used to create non-consensual pornography, manipulate political discourse, and defraud individuals. In the 2024 election season, deepfakes of political leaders circulated widely on social media. The government has issued advisories requiring platforms to label AI-generated content, but enforcement is weak and the technology evolves faster than regulation.
• Military and surveillance AI: AI is increasingly used in defense and internal security. Drones with AI targeting, autonomous surveillance systems, and predictive policing algorithms raise serious questions about accountability, proportionality, and the risk of automated killing. India's defense establishment has embraced AI for border surveillance, cyber defense, and strategic analysis, but the ethical frameworks and oversight mechanisms for military AI remain underdeveloped.

AI Regulation: The Global and Indian Context

• The EU AI Act (2024): The European Union's AI Act is the world's first comprehensive AI regulation. It classifies AI systems by risk level (minimal, limited, high, unacceptable) and imposes stricter requirements on high-risk systems (those used in healthcare, education, employment, law enforcement, and justice). The Act bans certain uses of AI (like social scoring by governments and real-time biometric surveillance in public spaces) and requires transparency, human oversight, and conformity assessments for high-risk applications. India's approach has been more permissive, favoring innovation over precaution.
• India's AI advisory and regulatory approach: As of 2024–2025, India does not have a comprehensive AI law. The Ministry of Electronics and Information Technology (MeitY) has issued advisories and guidelines, and the Digital Personal Data Protection Act (2023) provides some data governance foundations, but sector-specific AI regulation remains fragmented. The approach has been described as "regulation by press release" — reactive advisories rather than a structured legislative framework. Critics argue that India's pro-innovation stance risks creating a regulatory vacuum where harmful AI applications proliferate without accountability.
• Proposals for AI governance: Civil society, academics, and some industry actors have proposed AI governance frameworks for India. Common recommendations include: mandatory algorithmic impact assessments before deployment of high-risk AI; establishment of an independent AI regulator; requirements for transparency and explainability; protections for workers subject to algorithmic management; prohibitions on AI uses that violate fundamental rights; and public participation in AI policy-making. The government has been receptive to some suggestions but has not committed to binding legislation.
• AI and intellectual property: AI-generated content raises unresolved questions about copyright and ownership. Who owns the output of a generative AI model — the user, the developer, or the owners of the training data? Indian courts have not yet ruled on this, and the Copyright Act (1957) does not address AI. The training of AI models on copyrighted material without consent is also a major legal and ethical issue, with ongoing litigation in multiple jurisdictions.

Data Privacy and the Digital Personal Data Protection Act

Data is the currency of the digital economy. Every online transaction, search query, social media post, and mobile app usage generates data that is collected, analyzed, bought, and sold by corporations and governments. For Indians, the scale of data collection is unprecedented: Aadhaar has enrolled 1.3 billion people, UPI processes billions of transactions monthly, and smartphone apps extract vast quantities of personal information. The question of who controls this data and how it is protected is one of the most consequential policy issues of our time.

The Journey to a Data Protection Law

• The Puttaswamy judgment (2017): The Supreme Court's landmark decision in Justice K.S. Puttaswamy (Retd.) v. Union of India held that the right to privacy is a fundamental right protected under Article 21 of the Constitution. The Court recognized that privacy includes informational privacy — the right to control personal data — and called for a comprehensive data protection law. The judgment was a watershed moment, overturning earlier precedents that had minimized privacy concerns and setting the stage for legislative reform.
• The Srikrishna Committee (2018): Following the Puttaswamy judgment, the government constituted a committee chaired by Justice B.N. Srikrishna to draft a data protection framework. The committee's report (2018) and draft Personal Data Protection Bill (2019) recommended a rights-based approach, with strong protections for consent, purpose limitation, data minimization, and individual rights. The draft also proposed an independent Data Protection Authority (DPA) and strict penalties for data breaches. However, the subsequent legislative process diluted many of these protections.
• The Digital Personal Data Protection Act (2023): After multiple iterations, the Digital Personal Data Protection Act (DPDP Act) was passed in 2023. The Act represents a significant shift from the rights-based approach of the Srikrishna draft to a more permissive, government-centric framework. It provides some protections for personal data (consent requirements, data breach notification, rights of access and correction) but includes broad exemptions for government agencies, weak penalties for violations, and limited independence for the proposed Data Protection Board. Critics argue that the Act prioritizes government convenience and corporate interests over individual rights.
• Key provisions of the DPDP Act: The Act defines "personal data" and "digital personal data" and requires data fiduciaries (entities that collect data) to obtain consent for processing, with limited exceptions for "legitimate uses" (including government functions, employment, and certain public interest purposes). Data principals (individuals) have rights to access, correction, erasure, and grievance redressal. The Act mandates data breach notification but does not specify timelines. Significant data fiduciaries (large platforms) face additional obligations, including data protection impact assessments and the appointment of data protection officers. Cross-border data transfers are permitted to countries designated by the government.

Critiques and Controversies

• Government exemptions: The DPDP Act grants broad exemptions to government agencies from consent requirements and other obligations in the interests of sovereignty, security, public order, and friendly relations with foreign states. These exemptions are not subject to judicial oversight and can be invoked without transparency. Critics argue that this creates a surveillance loophole, allowing the state to collect and process data without the safeguards that apply to private entities. The exemptions are particularly concerning given India's history of surveillance, including the use of Pegasus spyware against journalists, activists, and opposition leaders.
• Weakened consent requirements: While the Act requires consent for data processing, the concept of consent is diluted by broad exceptions and by the power imbalance between data fiduciaries and data principals. In practice, users "consent" to lengthy terms of service they do not read, and withdrawal of consent often means losing access to essential services. The Act does not require granular consent (allowing users to choose which data to share) or informed consent (requiring that terms be explained in accessible language).
• Data Protection Board independence: The Act establishes a Data Protection Board of India, but the Board's composition, appointment process, and functioning are controlled by the government. Unlike the independent Data Protection Authority proposed by the Srikrishna Committee, the Board lacks structural independence, and its members can be removed by the government. This raises concerns about the Board's ability to act against powerful government agencies and corporate actors.
• Missing rights and protections: The DPDP Act omits several protections that were present in earlier drafts and in international standards. There is no explicit right to data portability, no requirement for algorithmic transparency, no protection against automated decision-making, and no special provisions for children's data beyond a limited age-of-consent requirement. The Act does not address the right to be forgotten, which has been recognized by courts in some jurisdictions and has been sought in Indian litigation (including cases involving criminal records and defamatory content).
• Penalties and enforcement: The penalties for data breaches under the Act are lower than those in the EU's GDPR and the Srikrishna Committee's recommendations. The maximum penalty is ₹250 crore, but the enforcement mechanism is untested, and the Board's capacity to investigate and prosecute violations is uncertain. The Act does not provide for class-action lawsuits or collective redress, which are important tools for holding large platforms accountable.

Aadhaar and the Data Privacy Debate

• Aadhaar as a data infrastructure: The Aadhaar system, managed by the Unique Identification Authority of India (UIDAI), collects biometric data (fingerprints and iris scans) and demographic information from 1.3 billion residents. It is the largest biometric database in the world. Aadhaar is mandatory for access to many government services (subsidies, pensions, ration, banking) and has been linked to PAN cards, mobile numbers, and bank accounts. The scale of collection and the centralization of data create enormous risks of breach, misuse, and surveillance.
• The Aadhaar litigation and Supreme Court judgment (2018): The Supreme Court upheld the constitutionality of Aadhaar in a 4:1 decision (Justice Chandrachud dissenting), but imposed significant limitations: Aadhaar cannot be mandatory for school admissions, bank accounts, or mobile phones (though subsequent government actions have re-mandated linkage in some areas). The Court held that Aadhaar serves a legitimate state interest in reducing leakages and improving service delivery, but the dissent argued that the system violates privacy, creates risks of exclusion, and lacks adequate safeguards.
• Data breaches and exclusion: Aadhaar has been plagued by data breaches, with reports of unauthorized access to the database, sale of demographic data on the dark web, and leakage through government portals. Biometric authentication failures have caused exclusion from rations and pensions, particularly affecting manual laborers whose fingerprints are worn, elderly persons with faded prints, and persons with disabilities. The government's response to these problems has been inadequate, with denial of breaches and resistance to independent audits.
• Surveillance and function creep: Aadhaar was originally justified as a tool for welfare delivery, but it has expanded into a general-purpose identification and authentication infrastructure. The government has proposed linking Aadhaar to voter rolls, health records, and even social media accounts. Each linkage increases the surveillance potential and the risk of data misuse. The concept of "function creep" — where a system designed for one purpose is expanded to others — is a major concern for privacy advocates.

Digital Governance, Surveillance, and the State

India's digital governance infrastructure is among the most extensive in the world. From Aadhaar to UPI to the Open Network for Digital Commerce (ONDC), the government has built digital public infrastructure (DPI) at scale. These systems have brought millions into the formal economy and improved service delivery, but they have also created new forms of state surveillance, exclusion, and control. The balance between digital empowerment and digital domination is one of the defining challenges of contemporary governance.

Digital Public Infrastructure (DPI)

• UPI and financial inclusion: The Unified Payments Interface (UPI), launched in 2016 by the National Payments Corporation of India (NPCI), has revolutionized digital payments in India. With over 12 billion monthly transactions and a value exceeding ₹20 lakh crore, UPI is the most widely used real-time payment system globally. It has brought small merchants, street vendors, and rural users into the digital payment ecosystem. However, UPI also generates vast transaction data that is accessible to the government and to the platform operators (NPCI, banks, and payment apps). The data can reveal spending patterns, social networks, and political activity, raising significant privacy concerns.
• Co-WIN, DigiLocker, and e-governance platforms: During the COVID-19 pandemic, the Co-WIN platform managed vaccine registration and certification for over a billion Indians. DigiLocker provides cloud-based storage for government documents (Aadhaar, PAN, driving licenses, educational certificates). The National Health Stack and the Ayushman Bharat Digital Mission aim to digitize health records. These platforms improve convenience and reduce fraud, but they also centralize sensitive data and create new vulnerabilities to hacking, misuse, and state access.
• ONDC and data centralization: The Open Network for Digital Commerce (ONDC) is a government-backed initiative to create an open e-commerce network that challenges the dominance of Amazon and Flipkart. ONDC aims to decentralize e-commerce by allowing any seller and buyer to transact through a common protocol. However, the network also involves significant data collection, and the governance structure raises questions about who controls the data and how it is used. The tension between open networks and data protection is a recurring theme in India's digital governance.
• India Stack and the DPI model: India Stack is the umbrella term for India's digital public infrastructure, including Aadhaar (identity layer), UPI (payments layer), DigiLocker (documents layer), and eKYC (verification layer). The model has been praised internationally as a template for developing countries and has been exported to other nations. However, the India Stack model also normalizes large-scale data collection and biometric surveillance as a condition of accessing public services. Critics argue that the model treats digital participation as mandatory rather than voluntary and that it lacks adequate safeguards for privacy and security.

Surveillance and the Surveillance State

• Internet shutdowns: India leads the world in internet shutdowns, with hundreds of documented shutdowns since 2012. Shutdowns are typically imposed under the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules (2017), issued under the Telegraph Act (1885). The government justifies shutdowns on grounds of public order, security, and preventing the spread of misinformation (particularly during protests and elections). However, shutdowns have been criticized as disproportionate, ineffective, and violative of the right to freedom of expression and the right to livelihood. The Supreme Court, in Anuradha Bhasin v. Union of India (2020), held that internet shutdowns must be proportionate and subject to judicial review, but the judgment has had limited impact on practice.
• Facial recognition and biometric surveillance: Facial recognition technology (FRT) is being deployed across India for law enforcement, airport security, attendance tracking, and welfare delivery. The National Automated Facial Recognition System (NAFRS) and various state-level FRT databases aggregate images from CCTV cameras, passport photos, driving licenses, and other sources. There is no comprehensive law governing FRT, and the accuracy rates for Indian populations (particularly for women, dark-skinned individuals, and rural populations) are uncertain. FRT enables mass surveillance without consent and can be used to identify protesters, track political dissidents, and monitor religious minorities.
• The Pegasus scandal and spyware: In 2021, the Pegasus Project — a global investigative journalism collaboration — revealed that the Pegasus spyware, developed by the Israeli company NSO Group, had been used to target Indian journalists, activists, opposition politicians, and government officials. The spyware can extract all data from a phone, activate cameras and microphones, and track location in real time. The government refused to confirm or deny whether it had purchased Pegasus, and the Supreme Court ordered a technical committee to investigate. The scandal highlighted the vulnerability of Indian citizens to state surveillance and the lack of legal protections against spyware deployment.
• Social media monitoring and takedown orders: The government has increasingly used the Information Technology Act (2000) and its rules to demand the removal of social media content, block accounts, and access user data. Section 69A of the IT Act allows the government to block public access to online content on grounds of sovereignty, security, public order, and friendly relations with foreign states. The Intermediary Guidelines and Digital Media Ethics Code (2021) impose additional obligations on platforms to trace the origin of messages, remove content within tight deadlines, and appoint compliance officers resident in India. These measures have been criticized as tools for censorship and chilling free speech.
• CCTV and smart cities: India's Smart Cities Mission involves extensive deployment of CCTV cameras, sensors, and data analytics in urban areas. While these systems are justified for traffic management, public safety, and urban planning, they also enable comprehensive tracking of citizens' movements and activities. The integration of CCTV with facial recognition and AI analytics creates a surveillance architecture that can identify, track, and profile individuals in public spaces. There is little public debate about the necessity and proportionality of these systems, and no independent oversight of their use.

Digital Exclusion and the Digital Divide

• The digital divide: Despite rapid growth in internet penetration, significant gaps remain. Urban-rural divides, gender divides, class divides, and regional divides mean that millions of Indians — particularly women, the elderly, rural populations, and low-income groups — lack meaningful internet access. The digital divide is not just about connectivity but also about digital literacy, device ownership, and the affordability of data and services. As government services increasingly move online, those without digital access are effectively excluded from citizenship.
• Mandatory digitalization and exclusion: The push for digital governance has often been accompanied by the mandatory digitalization of services that were previously accessible offline. Ration cards, pensions, health services, and educational access increasingly require Aadhaar, smartphones, and internet connectivity. Biometric authentication failures, server downtime, and connectivity issues have caused documented exclusion from essential services. The assumption that everyone can and should use digital systems ignores the reality of India's digital divide and creates a two-tiered system of citizenship.
• Language and accessibility: Most digital platforms and government websites are in English or Hindi, excluding speakers of India's hundreds of other languages. Voice-based interfaces and Indic language keyboards are improving, but the quality of content and the sophistication of AI models in Indian languages lag far behind English. The digital governance experience is fundamentally unequal depending on the language you speak.

Cybersecurity and Online Safety

As India's digital footprint expands, so does its exposure to cyber threats. Cyberattacks on critical infrastructure, data breaches, ransomware, identity theft, and online fraud are rising in scale and sophistication. The cybersecurity landscape involves government agencies, private corporations, international actors, and individual citizens, each with different capabilities and vulnerabilities. Understanding cybersecurity is essential for protecting personal data, national security, and economic stability.

The Threat Landscape

• Cyberattacks on critical infrastructure: India's critical infrastructure — power grids, financial systems, telecommunications, healthcare, and defense — faces persistent cyber threats. State-sponsored actors (particularly from China, Pakistan, and North Korea) have targeted Indian infrastructure, government agencies, and research institutions. The 2020 power grid blackout in Mumbai was attributed to Chinese cyber intrusion. The 2023 AIIMS ransomware attack paralyzed one of India's largest hospitals for weeks. These incidents demonstrate that cybersecurity is not an abstract concern but a matter of national security and public safety.
• Data breaches and identity theft: Data breaches affecting millions of Indians have become routine. The Aadhaar database has been breached multiple times (though the government denies this). Customer data from airlines, banks, e-commerce platforms, and government portals has been leaked and sold on the dark web. Identity theft, phishing, and financial fraud exploit weak authentication systems and low digital literacy. The cost of cybercrime to the Indian economy is estimated in billions of rupees annually, but the exact scale is difficult to measure because many incidents go unreported.
• Ransomware and financial fraud: Ransomware attacks — where hackers encrypt an organization's data and demand payment for its release — have targeted hospitals, corporations, and government agencies. The WannaCry and Petya outbreaks affected Indian systems, and more recent ransomware strains continue to pose threats. Financial fraud through fake UPI apps, phishing links, and SIM cloning has victimized millions of Indians, particularly those new to digital payments who lack the knowledge to identify scams.
• Online child safety and exploitation: The internet has created new avenues for the exploitation of children, including grooming, trafficking, and the distribution of child sexual abuse material (CSAM). The IT Act and the Protection of Children from Sexual Offences (POCSO) Act criminalize these activities, but enforcement is difficult given the anonymity of the dark web and the jurisdictional challenges of international platforms. India's proposed amendments to the IT Act include provisions for removing CSAM, but they also raise concerns about over-censorship and the potential for abuse of removal powers.

Institutional and Legal Response

• The National Cyber Security Strategy (draft): India has been operating without a comprehensive national cybersecurity strategy since 2013. A draft strategy was prepared in 2020–2021 but has not been formally adopted. The strategy proposes the creation of a National Cyber Security Agency, a cyber command for the military, enhanced public-private partnerships, and a cybersecurity workforce development plan. The delay in adoption reflects the complexity of coordinating across multiple agencies (MeitY, the National Critical Information Infrastructure Protection Centre, the National Technical Research Organisation, and military cyber commands) and the challenge of defining roles in a rapidly evolving threat environment.
• National Critical Information Infrastructure Protection Centre (NCIIPC): Established under the IT Act, NCIIPC is responsible for protecting critical information infrastructure (CII) — systems whose disruption would affect national security, economy, public health, or safety. NCIIPC identifies CII sectors, issues guidelines, and coordinates response to cyber incidents. However, its capacity is limited, and the private sector (which operates much of India's critical infrastructure) has resisted mandatory security standards and reporting requirements.
• The Indian Computer Emergency Response Team (CERT-In): CERT-In is the national agency for responding to cybersecurity incidents. It issues advisories, coordinates response, and collects data on cyberattacks. However, CERT-In has been criticized for being reactive rather than proactive, for lacking technical capacity, and for its mandatory reporting requirements (which require organizations to report breaches within hours, creating compliance burdens without clear enforcement).
• Cybercrime reporting and the I4C: The Indian Cyber Crime Coordination Centre (I4C) was established to improve coordination between central and state agencies, enable faster reporting (through the National Cyber Crime Reporting Portal at cybercrime.gov.in), and build capacity for cybercrime investigation. The portal allows citizens to report cybercrimes, including financial fraud, online harassment, and child exploitation. However, conviction rates for cybercrime remain low, and the capacity of state police to investigate complex cyber offenses is limited.

Platform Regulation and Content Moderation

Social media platforms, messaging apps, video-sharing sites, and e-commerce platforms have become the primary spaces for public discourse, commerce, and social interaction in India. With over 500 million social media users, India is one of the largest markets for platforms like WhatsApp, Facebook, Instagram, YouTube, X (formerly Twitter), and TikTok (before its ban). The power of these platforms to shape information, influence elections, and regulate speech has made their governance a central political and legal issue.

The Information Technology Act and Intermediary Liability

• Section 79 and safe harbor: Section 79 of the IT Act provides "safe harbor" protection to intermediaries (platforms that host user-generated content) — they are not liable for illegal content posted by users, provided they comply with certain due diligence requirements and remove content when notified by a court or government agency. This framework, similar to the U.S. Section 230, has enabled the growth of platforms in India by protecting them from liability for user speech. However, the government has increasingly sought to narrow this protection and increase platform accountability.
• The Intermediary Guidelines and Digital Media Ethics Code (2021): These rules significantly expanded the obligations of digital platforms. Significant social media intermediaries (those with over 5 million users) must: appoint a Chief Compliance Officer, a Nodal Contact Person, and a Resident Grievance Officer in India; enable the identification of the first originator of messages (traceability) for law enforcement purposes; remove content within 36 hours of receiving a court or government order; and publish monthly compliance reports. The rules also bring digital news media and OTT platforms under government oversight. These requirements have been challenged in court as unconstitutional restrictions on free speech and privacy.
• Traceability and encryption: The requirement for platforms to identify the "first originator" of messages has been particularly controversial. WhatsApp and other encrypted messaging services have argued that traceability would require breaking end-to-end encryption, compromising the privacy of all users. The government has maintained that traceability is necessary for combating terrorism, child exploitation, and the spread of misinformation. The technical and legal battle over traceability remains unresolved, with implications for the future of encrypted communication in India.
• Takedown orders and content blocking: The government has used its powers under Section 69A of the IT Act to block apps (TikTok, PUBG, and hundreds of Chinese apps were banned in 2020), order the removal of social media posts, and suspend accounts. The transparency of these actions is limited: the government does not routinely publish reasons for blocking, and platforms are often barred from notifying affected users. The lack of due process and judicial oversight in content blocking has been criticized by free speech advocates and international human rights organizations.

Misinformation and Online Manipulation

• The scale of misinformation: India is one of the most misinformation-affected countries in the world. False information about health (particularly during the COVID-19 pandemic), politics (during elections), religion, and communal issues spreads rapidly through WhatsApp, Facebook, and regional-language social media. The motivations for misinformation range from political manipulation and communal incitement to financial scams and entertainment. The consequences include mob violence, medical harm, electoral manipulation, and the erosion of public trust.
• WhatsApp and encrypted misinformation: WhatsApp, with over 500 million users in India, is the primary vector for misinformation. The platform's end-to-end encryption prevents content monitoring, and the forward feature allows rapid viral spread. WhatsApp has implemented limits on forwarding (reducing the number of forwards from 5 to 1 for certain messages) and labels forwarded messages, but these measures have had limited impact. The tension between encryption (which protects privacy) and content moderation (which requires access) is a defining challenge of platform governance in India.
• Deepfakes and synthetic media: AI-generated deepfakes have emerged as a major threat to information integrity. In the 2024 election season, deepfake videos of political leaders making inflammatory statements circulated widely. The government issued advisories requiring platforms to remove deepfakes within 24 hours and to label AI-generated content. However, detection of deepfakes is technically difficult, and the sheer volume of content on Indian platforms makes manual moderation impossible. The challenge of synthetic media will only intensify as generative AI becomes more accessible and sophisticated.
• Fact-checking and media literacy: Fact-checking organizations like Alt News, Boom, Factly, and WebQoof have played a vital role in debunking misinformation. However, their reach is limited compared to the scale of false information, and they face harassment, legal threats, and political pressure. Media literacy education — teaching citizens to verify sources, cross-check claims, and recognize manipulation — is essential but underdeveloped in India's education system. The government's own media literacy initiatives have been limited and sometimes politicized.

Platform Power and Competition

• Digital monopolies and market dominance: A small number of global platforms (Google, Meta, Amazon, Apple) dominate India's digital market. Google controls search, YouTube, and Android. Meta controls Facebook, WhatsApp, and Instagram. Amazon dominates e-commerce and cloud computing. This concentration of power creates risks for competition, consumer choice, and national sovereignty. The Competition Commission of India (CCI) has investigated and fined some platforms for anti-competitive practices, but regulatory action is slow and the platforms' resources dwarf those of the regulator.
• Data localization and data sovereignty: India has adopted data localization requirements in various laws and regulations, requiring certain categories of data to be stored within the country. The RBI requires payment data to be stored in India. The DPDP Act allows the government to restrict cross-border data transfers to certain countries. The rationale is national security, law enforcement access, and the protection of Indian economic interests. However, data localization also increases costs for businesses and may reduce the quality of services that depend on global data flows. The debate between data localization and data free flow reflects the tension between digital sovereignty and global integration.
• The ONDC challenge: The Open Network for Digital Commerce represents a government attempt to break the dominance of Amazon and Flipkart in e-commerce and to create a more open, decentralized marketplace. ONDC allows any seller and delivery service to connect through a common protocol, reducing the gatekeeping power of large platforms. The success of ONDC is uncertain — it faces technical challenges, the resistance of incumbent platforms, and the need for consumer awareness — but it represents an important experiment in alternative platform governance.

Emerging Technologies and Policy Challenges

Beyond AI and data governance, a range of emerging technologies pose new policy challenges for India. These include blockchain and cryptocurrencies, quantum computing, biotechnology, autonomous systems, and the governance of digital public goods. Each technology has the potential to transform sectors and create new risks that existing regulatory frameworks are ill-equipped to address.

Blockchain, Cryptocurrencies, and Digital Assets

• Cryptocurrency regulation in India: India has taken a cautious and often hostile approach to cryptocurrencies. The RBI banned banks from dealing with crypto businesses in 2018 (a ban that was overturned by the Supreme Court in 2020), and the government has proposed legislation to ban or heavily restrict private cryptocurrencies. The Finance Minister has described cryptocurrency as a "risky area" and emphasized that profits from crypto trading are subject to a 30% tax and 1% TDS. The government's approach reflects concerns about financial stability, money laundering, tax evasion, and the undermining of monetary sovereignty. However, the ban-and-tax approach has been criticized as incoherent and has driven crypto activity underground or to foreign exchanges.
• Central Bank Digital Currency (CBDC): The RBI has launched pilot programs for the digital rupee (e₹), a central bank digital currency. The digital rupee is intended to complement physical cash, reduce the cost of currency management, and improve monetary policy transmission. Unlike cryptocurrencies, the digital rupee is centralized, backed by the RBI, and does not use blockchain. The pilot has been limited to wholesale and retail transactions, and widespread adoption is uncertain. The digital rupee raises questions about financial privacy, the role of banks in payment systems, and the potential for programmable money (where the government can restrict how digital currency is used).
• Blockchain beyond crypto: Blockchain technology has applications beyond cryptocurrency, including supply chain tracking, land records, identity verification, and voting. Several Indian states have experimented with blockchain for land registries (in Andhra Pradesh and Telangana) and academic certificates. The technology offers transparency and immutability but also faces challenges of scalability, energy consumption, and the gap between the promise of decentralization and the reality of government-controlled implementations.

Quantum Computing and Biotechnology

• Quantum computing: Quantum computing uses the principles of quantum mechanics to process information in ways that classical computers cannot. Quantum computers could break current encryption standards, revolutionize drug discovery, and solve complex optimization problems. India has launched a National Quantum Mission with a budget of ₹6,000 crore to develop quantum technologies. The implications for cybersecurity are particularly significant: when quantum computers become powerful enough, they could decrypt data that was previously considered secure, creating a "quantum threat" to all current encryption. Post-quantum cryptography standards are being developed, but the transition will be slow and expensive.
• Biotechnology and genetic data: Advances in genomics, gene editing (CRISPR), and personalized medicine create new opportunities and risks. India has a large population with diverse genetic profiles, making it valuable for genetic research. However, the collection and use of genetic data raise profound ethical and legal questions. Who owns genetic data? Can it be used for insurance, employment, or law enforcement? What protections exist against genetic discrimination? India's biotechnology policy has focused on innovation and economic growth, with limited attention to ethical governance and data protection in the biological domain.
• Autonomous systems and drones: Drones and autonomous vehicles are being deployed in agriculture, logistics, defense, and surveillance. India has liberalized drone regulations (the Drone Rules, 2021) to encourage commercial use, but the safety, privacy, and security implications of widespread drone deployment are significant. Autonomous weapons systems — "killer robots" that can select and engage targets without human intervention — are a particular concern, and India has not endorsed international calls for a ban on lethal autonomous weapons.

Digital Public Goods and Open Technology

• Digital public goods (DPGs): The concept of digital public goods — open-source software, open data, and open standards that are freely available for public benefit — has gained traction in India. India Stack, the Open Data initiative, and various open-source government projects are examples. The DPG model promises to reduce vendor lock-in, promote innovation, and ensure that technology serves public interest rather than private profit. However, the implementation of DPGs has been uneven, and the government has not fully committed to open-source principles, continuing to rely on proprietary systems for many functions.
• Free and open-source software (FOSS): India has a long tradition of FOSS advocacy, particularly in education and government. The National Policy on Open Standards for E-Governance and various state initiatives have promoted open-source alternatives. However, the dominance of proprietary software (Microsoft, Google, Amazon) in government and education remains strong. The tension between open technology and proprietary solutions is a recurring policy debate.
• Technology transfer and self-reliance: India's technology policy has oscillated between openness and self-reliance (Aatmanirbhar Bharat). The government has sought to attract foreign investment and technology while also building domestic capacity. The semiconductor mission, the push for indigenous 5G, and the investment in domestic AI models reflect the self-reliance imperative. However, India remains heavily dependent on imports for semiconductors, telecom equipment, and software, and the gap between ambition and capability is significant. The challenge is to build domestic capacity without becoming autarkic or protectionist.

Citizen Tools and Rights in the Digital Age

Technology policy is not just a matter for governments and corporations. Citizens have rights, tools, and strategies to protect themselves, participate in policy-making, and hold power accountable. The digital age requires digital literacy, but it also requires civic engagement with the technologies that shape our lives.

Understanding and Protecting Your Digital Rights

• Right to privacy under the DPDP Act: The DPDP Act gives citizens certain rights over their personal data: the right to access, the right to correction and erasure, the right to grievance redressal, and the right to nominate a representative. These rights are weaker than those in the GDPR and the Srikrishna draft, but they are still meaningful. Citizens should exercise these rights by requesting copies of their data from platforms, correcting inaccurate information, and filing complaints when data is misused. The Data Protection Board, once operational, will be the forum for redressal.
• Protecting your digital identity: Use strong, unique passwords for different accounts; enable two-factor authentication (2FA) wherever possible; be cautious about sharing personal information on social media; review and limit app permissions; and avoid using the same phone number or email for all services. For Aadhaar, use the masked Aadhaar option when possible, and avoid linking Aadhaar to services where it is not mandatory. Use virtual IDs instead of sharing your actual Aadhaar number.
• Recognizing phishing and scams: Phishing attacks — fraudulent messages that trick you into revealing passwords or financial information — are common in India. Be suspicious of unsolicited messages, especially those creating urgency ("your account will be blocked," "you have won a prize"). Never click links in SMS or WhatsApp messages from unknown sources. Verify requests for money or personal information through a separate channel. Report cybercrime to the National Cyber Crime Reporting Portal (cybercrime.gov.in).
• Using privacy-enhancing tools: Privacy-focused browsers (Firefox, Brave), search engines (DuckDuckGo, Startpage), messaging apps (Signal), and VPNs can reduce tracking and data collection. However, these tools require some technical knowledge and may not be accessible to all users. Digital literacy initiatives should include training on privacy tools as well as on safe browsing practices.

Participating in Technology Policy

• Public consultations on tech policy: The government occasionally invites public comments on draft policies, rules, and legislation. The draft DPDP Act, the IT Rules, and the National Data Governance Framework have all been open for public comment. Participating in these consultations — submitting detailed, evidence-based comments — is one of the most direct ways to influence technology policy. Civil society organizations like the Internet Freedom Foundation (IFF), SFLC.in, and the Centre for Internet and Society (CIS) often prepare model comments and guides for participation.
• RTI and technology transparency: The Right to Information Act can be used to obtain information about government technology projects, including Aadhaar contracts, surveillance system procurements, and data sharing agreements. Filing RTIs about facial recognition systems, internet shutdown orders, and data breaches can reveal information that would otherwise remain secret. The responses can be used to advocate for policy change, file complaints, or pursue litigation.
• Digital rights litigation: The Supreme Court and High Courts have become important forums for technology policy. Cases like Puttaswamy (privacy), Anuradha Bhasin (internet shutdowns), and the WhatsApp traceability challenge have established important legal precedents. Organizations like the IFF and SFLC.in provide legal support for digital rights cases. Citizens can support these organizations, donate to their work, and stay informed about ongoing litigation.
• Supporting digital rights organizations: Civil society organizations are the primary advocates for digital rights in India. The Internet Freedom Foundation (IFF) focuses on free speech, privacy, and net neutrality. SFLC.in works on legal and policy issues. The Centre for Internet and Society (CIS) conducts research and advocacy. Access Now and Article 19 are international organizations with India programs. Supporting these organizations — through donations, volunteering, or amplifying their work — strengthens the digital rights ecosystem.

Digital Literacy and Critical Engagement

• Evaluating online information: The ability to evaluate the credibility of online information is essential. Check the source of a claim, look for corroboration from independent sources, examine the evidence, and be aware of your own biases. Fact-checking websites like Alt News, Boom, and Factly can help verify claims. Reverse image search can identify manipulated photos. Be cautious of content that provokes strong emotional reactions, as it is often designed to bypass critical thinking.
• Understanding algorithmic influence: Social media feeds, search results, and recommendation systems are curated by algorithms that prioritize engagement over accuracy. This means that inflammatory, sensational, and false content often spreads faster than nuanced, factual content. Understanding that your feed is not a neutral reflection of reality but a curated selection designed to maximize attention is the first step toward resisting algorithmic manipulation. Diversify your sources, follow fact-checkers, and use chronological feeds where possible.
• Digital minimalism and wellbeing: The design of many platforms exploits psychological vulnerabilities to maximize engagement. Infinite scrolling, variable rewards, and notification mechanisms are designed to keep users addicted. Digital minimalism — the intentional reduction of digital consumption — can improve mental health, focus, and quality of life. Set time limits for social media, disable non-essential notifications, and reclaim offline time for reading, conversation, and nature.

Sources