Transforming Technology & Data Policy: Movement towards an Accountable Governance

Technology Transformation

Executive Summary

Internet infrastructure is the backbone of the internet, which is a web of interconnected networks. The Internet Service Providers lie at the heart of this infrastructure. They play a pivotal role in giving us the ability to engage with the information present on the web and make it available to us in a retrievable form. In today’s world, where dependency on the internet is rising exponentially, concerns around data privacy and security are rising in parallel. In such a scenario, it is of the utmost importance that adequate data protection laws are in place to give citizens access to an internet that is both open and safe. To that end, the study compared the data protection laws in India, a developing country, with those of the USA and the European Union, developed geographies. Based on the analysis, the study lists recommendations for making the data protection law in India more robust.

India's MSMEs, which contribute 29% of the country's GDP, will face high costs of complying with the PDP Bill. The draft bill exempts only entities that process data manually, which constitute only a small percentage. Hence, other layers need to be included for exemption. The draft bill mandates storage of critical personal and sensitive personal data in the country itself. This poses two major issues: the high cost of constructing and maintaining data centers, and a decline in foreign investments.

Hence, storage of very specific critical data should be mandated in the country. Development of decentralized technologies like blockchain may take a major hit, as their compliance with the Data Principal's right to deletion of personal data, as mandated by the PDP Bill, is nearly impossible. Reforms such as obtaining the Data Principal's consent for the same while entering into the transaction have to be made to enable these technologies to grow.

The clauses stipulated in the CCPA (Californian Consumer Privacy Act) were compared with the ones put forth by the PDP Bill of India. The PDP Bill essentially takes after the GDPR in terms of austerity when it comes to protecting data privacy. However, the stringency of the PDP Bill tends to adversely affect the internet economy and hence needs to be brought more in alignment with the CCPA (which mandates a browsewrap agreement and an ‘opt out’ alternative). For instance, the need for mandating a clickwrap agreement for all websites in the PDP Bill has been questioned and its implications for the internet economy have been discussed. Hence, the need to mandate the ‘clickwrap agreement’ should be reassessed and the consequences for the economy gauged before executing the presently tabled privacy bill.

1. Abstract

The ‘Information Age’, as the 21st century is commonly known, has witnessed an explosion in the ways in which information may be utilised. Systematic algorithms are being developed by businesses to comb this data for trends, patterns and hidden nuances.[1] This is a digital revolution, as it enables individual problems to be addressed with greater accuracy. This invites the processing of personal data, which has already become ubiquitous in both the public and private sector. While data can be put to beneficial use, the unregulated and arbitrary use of data, especially personal data, has raised concerns regarding the privacy and autonomy of an individual.

The Personal Data Protection (PDP) Bill, tabled in the Parliament in 2019, is modelled largely on existing frameworks for protecting privacy in other jurisdictions, including the General Data Protection Regulation (GDPR). It is found that certain best practices across the globe cannot best serve the Indian population, given the differences in the geographies. An IBM survey found that, though users think companies should be more heavily regulated for data management, 71 percent of them were still willing to give up privacy to get access to the technology they sought, and only 16 percent had ever walked away from a company because of data misuse. In a world which is going through a technological revolution, data is the most important and valuable commodity.[2]

This white paper on tech policy aims to identify the data protection policies implemented across regions, to delineate which are not suitable for India and, accordingly, to provide useful recommendations by identifying areas that demand attention to help bridge the existing gaps for a safer India. The bill makes consent a focal point of the proposed data protection framework. It proposes that personal data should only be processed on the basis of free, informed, and specific consent, with provisions that allow such consent to be withdrawn. However, the proposed intervention of the state could lead to a significant increase in compliance costs for businesses across the economy and to a worrying dilution of privacy vis-à-vis the state. The paper aims to show how certain data protection policies are not suitable for India, while recommending the needed changes for the same in the PDP Bill.

2. Research Methodology

The research methodology entails identifying the current gaps in the data protection sphere in the internet governance arena. It further entails understanding the data protection policies as have been implemented worldwide, which are not suitable for Indian economy, from the perspective of businesses as well as consumers. We have segmented our research in the following domains –

A. Internet Infrastructure – undertaking a landscaping study of the data protection regime across India, the United States and the European Union, performing a comparative analysis of data protection principles, based on the recommendations of Organisation for Economic Co-operation and Development (OECD) Guidelines for the Protection of Privacy and Trans-border Flows of Personal Data and the Justice A.P. Shah Committee on Privacy, across the three geographies and subsequently, provide recommendations for better internet governance with respect to India.

B. Business-to-Business – analysing cloud computing and data localisation laws in regions like European Union, Russia, UAE, Vietnam, Indonesia with respect to India and listing recommendations for an efficient cross-border data transfer.

C. Business-to-Consumers – conducting comparative analysis between PDP bill with the EU’s GDPR and California Consumer Protection Act 2020 and listing recommendations for the suitable regulatory changes in India.

We have additionally relied on the primary data collected by a survey we conducted to assess the awareness regarding data privacy policies in India and how much people care about the privacy of their data. All participants had given their explicit ‘consent’ for using their responses for our research study. The majority of the participants, around 89%, belong to the age group of 18-25, and the remaining 11% comprised participants aged under 18 and above 25. The following chart shows the time spent by them on the internet:

[Chart: Time spent by participants on the Internet]

This highlights the importance of having a robust data privacy framework which fulfils the need for data privacy and further utilises it to meet other societal needs. Please note that we are not aiming to prepare a comprehensive draft with all the regulations from scratch; instead, we aim to scrutinise the existing draft of the PDP Bill and give recommendations that can be incorporated in the final draft of the bill before it is implemented in India.

3. Internet Infrastructure

The internet has transformed from being a web of interconnected networks to becoming the foremost platform for engagement between individuals, enterprises, and other entities. The ability to engage at the click of a button is backed by the interplay of a massive Internet Infrastructure. The Internet Service Providers lie at the heart of this Infrastructure. An Internet Service Provider (ISP) is an entity that provides broadband service to subscribers. Broadband refers to all services that supply high-speed Internet to subscribers.

As the internet gradually becomes the foremost means of accessing information, communicating, and conducting commerce, its role in the everyday life of an individual is growing.

However, in parallel, the economic stakes and the personal and social consequences of network abuse are becoming more serious. Given the rise in security breaches, awareness and anxiety amongst individuals about data collection, privacy and security are growing. In 2016, 57% of individuals worldwide reported that they were more concerned about their online privacy than they were in 2014[3].

Thus, the digital transformation of the world requires adequate data protection laws in place to make individuals real and informed owners of their data. The purpose of the following sections is to study, review and compare the data protection regulations in a developing country - India, and two developed geographies - the United States and the European Union, which are expected to lead the way in terms of setting robust data protection frameworks, given they are more experienced and matured in this domain. Based on the landscaping study and comparative analysis, recommendations, for making the internet governance in India more robust, are captured.

(3.1) Landscaping Study Of Data Protection In India

According to the IBEF (2019), India ranks second globally in terms of telecommunication subscriptions, internet subscribers and application downloads. Despite the vast amounts of data generated, India does not have a comprehensive national legislation on privacy rights guaranteeing individuals the right to privacy and addressing the protection of personal data.

Data Protection in India is largely regulated by the Information Technology Act, 2000 further amended in 2008, and Information Technology Rules (Reasonable security practices and procedures and sensitive personal data or information), 2011. The Telecom Regulatory Authority of India (TRAI) and Department of Telecommunications (DOT) are the two bodies that oversee the broadband and telecommunication companies in India.

Due to the changing nature of technology and the arising need for protection of data, Right to Privacy was guaranteed as a Fundamental right under the Indian Constitution in 2017.

Since the Information Technology (IT) Act had a restricted scope and lacked substance according to the present modalities, an expert committee was set up by the Government to examine the various issues related to personal data protection. In the year 2019, Personal Data Protection Bill, 2019 (PDPB) was introduced in Lok Sabha which is yet to be notified.

(3.2) Landscaping Study Of Data Protection In European Union

The data protection laws of the European Union have long been regarded as the gold standard all around the globe. The first data protection laws, focused on regulating automated processing of personal data, sprouted in many European jurisdictions in the 1970s. However, the first data protection law applicable to the entire European Union, the European Data Protection Directive (Directive 95/46/EC), was adopted in 1995. It focused on the protection of individuals with respect to the processing and free movement of personal data. In 2012, a comprehensive reform of the EU's 1995 data protection rules was proposed by the European Commission (EC) to strengthen online privacy rights and boost Europe's digital economy.

Subsequently, in 2014, the European Parliament (EP) demonstrated strong support for the GDPR and in December, 2015 the EC, Council and EP reached an agreement on the GDPR. Finally, the General Data Protection Regulation (GDPR) was adopted in 2016, replacing the 1995 Data Protection Directive. The Member States were given 2 years to ensure that it is fully implementable in their countries.[4]

GDPR focuses on giving the autonomy of personal data back to individuals, in addition to simplifying the regulatory environment for businesses both domestically and internationally by being a common regulation framework within the EU. The key features of GDPR are summarized below:

● The GDPR has strengthened individual rights by giving them the control to review the personal data held by companies and to get it erased as well under certain conditions. For instance, when the purpose of data collection is no longer applicable, when the consent is withdrawn or when the data has been processed illegally, the individual has the right to get his/her personal data erased. Businesses will then be obliged to comply with the request and delete the personal data within a month.

● The GDPR requires the Businesses to be more accountable and transparent in their data handling practices by mandating them to make the mode and purpose of collection of personal data clear to the individual.

● The GDPR mandates the appointment of a Data Protection Officer (DPO) by Businesses above a certain size that are involved in data processing and monitoring, to help them become and remain compliant with GDPR guidelines. The responsibilities of the DPO are clearly laid out in the GDPR.

● The GDPR mandates the Businesses to alert their data protection authority as well as the affected people within 72 hours of becoming aware of the breach. The alert should capture entire details of the breach as well as a proposal to mitigate its effects.

(3.3) Landscaping Study Of Data Protection In The United States

Despite being the technology hub of the world, the United States does not have a federal data privacy framework for the collection, processing, storage, sharing and disposal of personal data. It rather has a complex patchwork of more than 100 state and sector specific legislations, enforced by different government agencies. The Federal Communications Commission (FCC) and Federal Trade Commission (FTC) are the two bodies that oversee Broadband & Telecommunication companies and Websites respectively.

With the evolution of the internet and changes in time & technology, the US enacted a set of rules and regulations to promote competition and technological innovation in the telecommunications industry. In 2015, the FCC, under the Obama Administration, established Net Neutrality rules to protect and promote the open Internet[5].

In 2016, it adopted the Broadband individual Privacy Rules, 2016 which made ISPs accountable to notify and obtain explicit consent from customers before collecting their data and tracking their activities[6]. These rules were however challenged by the industry groups and ultimately repealed in 2017[7], under the Trump Administration.

However, with soaring data breaches and the revelation of some major privacy scandals including the Cambridge Analytica data incident in early 2018, the state of California took matters into its own hands and became the first state in the US to enact its data privacy law, called the California Consumer Privacy Act of 2018 (CCPA), which came into effect on 1st January 2020[8]. On the lines of CCPA, Vermont also enacted a law in 2018 that required ISPs to disclose to individuals which data is being collected and to permit them to opt out of the collection. In 2019, the state of New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which took effect in March 2020. While the Act provides better protection against data breaches and imposes data security requirements, it is silent on other parameters of data protection. Taking inspiration from the neighboring states, by 2019, at least 25 states in the US had introduced data privacy bills[9]. Owing to the absence of an overarching, federal data-privacy framework, several pieces of legislation were also floated in the US. In 2020[10], the Consumer Data Privacy and Security Act of 2020 (CDPSA) bill was proposed by Senator Jerry Moran (R-Kansas) and in 2021, the Information Transparency & Personal Data Control Act was proposed by Congresswoman Suzan DelBene. Following in the footsteps of California, Virginia also signed the Virginia Consumer Data Protection Act (CDPA) on 2nd March 2021, which will come into effect in 2023[11].

Currently, data breach notification is the only privacy issue implemented in all the 50 states[12]. This is largely due to numerous instances of data breaches and selling of personal information to external entities including criminal organizations[13].

(3.4) Comparative Analysis

The purpose of the section is to compare the data protection laws across eight principles and three geographies- India, the US and the UK. The comparison is made between,

The Information Technology Act (ITA), 2008 dominates the current landscape of data protection in India and applies to individuals and organizations operating within India. It also applies to any offence or contravention committed outside India by any person. It categorizes Personal data or Sensitive Personal data into eight elements including password; financial information; health parameters (including physical, physiological and mental health conditions and medical records or history); sexual orientation; and biometric information. The scope of personal data is, however, limited compared with other definitions of personal data around the world, such as the one found under the Data Protection Directive of the European Union: information relating to political viewpoints, ethnicity, or religious or philosophical beliefs is not included.

The Personal Data Protection Bill (PDPB), 2019 aims to diversify this ambit of privacy rights by bringing in a holistic national legislation and to make India an attractive destination for business and data processing. It applies to all organizations processing data of Indian citizens within India and organizations that process data of Indian citizens outside India. The bill has 4 categories of data: 1) Personal data, that can be collected and processed both manually and by automated means; 2) Sensitive personal data, that has an elastic definition and must be stored in India but can be transferred outside India for processing with the permission of authorities; 3) Critical personal data, that must be stored and processed in India and may be transferred outside India only in the most exceptional circumstances; and 4) Non-personal data, that can be accessed by the government for “evidence-based policymaking”.

The California Consumer Privacy Act (CCPA), 2018, has the potential to become the de facto national standard for a federal legislation in the foreseeable future. It applies to companies that have an annual revenue of 25M+ or collects, shares, buys and sells data of >50,000 Californian customers or makes at least 50% revenue from the sale of customer data.

The General Data Protection Regulation (GDPR), 2018 is the landmark legislation which set the benchmark for the data privacy debate around the world. It applies to all the Government agencies and organizations established in the EU, EU based organizations processing personal data outside the EU and organisations established outside the EU processing personal data of the Citizens of the EU.

4. Business-to-business

In the discussion of data privacy, there’s almost a focus on the consumer impact, which makes it seem like more of a B2C issue on the surface. But of course, business buyers are people too, and when brand assets are at play, the scrutiny around data protection can be heightened.

(4.1) What does the PDP bill mean to businesses in India?

(a) Effect on Micro, Small and Medium Enterprises (MSMEs) and huge cost of compliance for them: One important feature of the data protection bill of India is its wide range of applicability. If implemented, it would apply to all small, medium and big enterprises across India, that is, any enterprise that collects data. According to the bill proposed, a DPA (Data Protection Authority) will be making regulations and enforcing the legal framework on data protection.

This not only includes Google, Facebook and the other big tech giants, but also real estate firms and brokers, restaurants, hotels, and many more businesses collecting your personal details. The data fiduciaries have to abide by a number of restrictions for processing personal data, some of which include complying with transparency requirements, security safeguards, encrypting personal data, etc. The bill has created three tiers of data: personal data, sensitive personal data, and critical personal data. Personal data needs to be collected on a consent basis, and removed or deleted on the approval of the data principal. Since this bill includes any business collecting personal data, it covers everything from a grocery store with fairly uncomplicated systems to technology companies using machine learning algorithms.

For small businesses, complying with these restrictions in a technologically driven world would hamper both innovation and growth. The cost of implementing the above-mentioned requirements is significant for a country. Hence, the Indian bill would cost a significant amount to the country as well. The bill exempts small businesses from complying with the data protection requirements. But a business can only avoid that if it is manually processing data. Still, a lot of small businesses would face huge compliance costs for the first time.

(b) The Storage of Sensitive and Critical Personal data in country: The law mandates companies to store critical personal data in the country itself, which would further increase the cost of building efficient data centers. Though the term “critical personal data” is currently unclear in the bill, we can still assume it to apply to a lot of businesses in the country. Mishi Choudhary, tech lawyer, and Managing Partner at Mishi Choudhary and Associates said, “The data localisation requirements of the government showcase a misplaced understanding of the cloud architecture, companies store their data wherever it’s most cost and time-efficient. A data centre is a high electricity consuming, minimal employment generating, and a highly self-sufficient facility. That’s why many companies have their servers in countries like Iceland, for cost and climate factors.” [14]

(c) Effect on upcoming business-use technologies like blockchain: Safe data exchange around relational and transactional processes is becoming increasingly important for B2B interactions as companies become increasingly connected in business networks of stakeholders – including consumers, distributors, suppliers, industry peers, and regulators. Any business environment where goods or services are exchanged by distant parties that need an extra layer of assurance to conduct business will benefit from blockchain.

Blockchain technology, currently in a development stage, is a network of computers that records every transaction in blocks and connects it to the previous dealings with a timestamp, thus forming a chain of blocks that contain information regarding the transaction. One significant benefit of blockchain technology is its capability to stay unchanged. A blockchain that is open to the public can be read and accessed by anyone, making it wholly transparent.

The unparalleled levels of protection, safety, and reliability that blockchain technology provides are undoubtedly among the most compelling reasons to implement it in your company. Since all business and financial transactions must be documented and stored decentralised by all network members, the possibility of data fabrication is nearly nil. The ability to securely and efficiently transact in a fast-paced, global business environment where transaction participants rarely know or completely trust each other, cannot be overstated.

In certain ways, both blockchain and PDP were designed to give people more transparency and control over their data – albeit from different perspectives. Blockchain eliminates the need for intermediaries or centralised authorities to protect transactions by using advanced cryptography and consensus algorithms. PDP, on the other hand, is based on a structure that includes privileges, responsibilities, centralised authority, and a sequential view of data collection and management in order to give people more power over how their personal data is processed.

According to Section 9 of the PDP Bill, a data fiduciary (defined as the individual who decides the intent and means of processing personal data) should not keep personal data longer than is required to fulfill the purpose for which it is processed, and should remove it once the processing is completed. The personal data can, however, be kept for a longer time if the Data Principal agrees or if it is necessary by law. Each data fiduciary is expected to conduct periodic checks to decide if the personal data in its possession needs to be kept. When the retention of personal data by the data fiduciary is no longer required, the personal data must be removed in accordance with regulations. Each Data Principal has the right under Section 18(1)(d) of the PDP Bill to have his or her personal data erased if it is no longer required for the reason for which it was processed.

Section 20 of the PDP Bill states that any Data Principal has the right to restrict or prevent any data fiduciary from continuing to disclose personal data (relating to such Data Principal) if the disclosure meets one of the three conditions mentioned below, namely that the disclosure of personal data:

(1) has served the purpose for which it was collected or is no longer necessary

(2) was made on basis of consent and the consent has been withdrawn

(3) was made contrary to the provisions of the personal data protection act or any other law in force.

Blockchain technology is built on two essential pillars: data immutability and transparency. Data can't be deleted because it's immutable, and transparency necessitates exposing data to the public eye. These two conditions clash with various jurisdictions' data privacy laws.

5. Business-to-Consumer

(5.1) Internet usage in India

According to the Digital 2021: India Report by Hootsuite, India has 624 Million active internet users (as of January 2021) which is around 45% of India's population of 1.39 billion. With increasing internet penetration this number is bound to increase in coming years. The number of internet users grew at 8.2% (around 47 million) as compared to the previous year.

Moreover, Indians spent on an average 6 hours 36 minutes surfing the web and around 2 hours 25 minutes socialising over social media. This all means the data privacy of Indians for a majority of time in a day is at risk in some sense or the other and all this advocates for the need of a robust data privacy framework for general consumers.

One of the major concerns was that the PDP has tried to incorporate GDPR’s consent framework to an extent. Our hypothesis was that the stronger consent framework which the PDP has tried to incorporate may not work in the Indian context due to the low awareness regarding data privacy among Indian consumers. Therefore, to test our hypothesis, we conducted a survey called the Data Privacy Awareness Survey. As per the survey conducted, only 7.7% of people said that they read the privacy policies before signing up for an application, 11% said that they read them around 50% of the time and the rest either never read them or read them less than 50% of the time. We asked whether they would uninstall WhatsApp if it continued with the same proposed changes in its privacy policies. 86.4% of people said that they would continue using WhatsApp even if it continues to have the same data privacy policies.

The major point of concern was that the majority of respondents were not even aware of the rage against the proposed WhatsApp privacy policies. Only 46.2% of participants knew the exact reason for the recent rage against WhatsApp privacy policies, i.e., they did not provide us with an opt-out option and asked us to either accept the policies or leave the platform.[17]

6. General Recommendations

The wide scope of the applicability of the PDP Bill signifies that if implemented, it will apply to all enterprises across India. The bill has laid out its provisions based on the actions of storing, processing or transferring performed on the data of the data principal, that is, the person whose data is being taken. This would include any enterprise that uses automated means to collect data. The policies and regulations placed on the storage, processing and transfer of data by any enterprise should be formulated taking into account the type and amount of data the enterprise (big or small) is operating on. Additionally, the type and amount of data a company is operating on are dependent on the industry in which it is operating.

Policies to be Formulated = F(Type of data, Volume of data, Use of data)

F(Type of data, Volume of data, Use of data) = Q(Industries)

Here F and Q denote two functions dependent on parameters given in the brackets.

For instance, Facebook and Google Pay are both market leaders in their industries. The regulations imposed on Facebook relating to data storage, usage or transfer cannot be the same as those imposed on Google Pay, simply due to the difference in the type and amount of data they are operating on.

1. MSMEs in India will bear high costs to comply with the PDP Bill, which puts all the businesses that enter their data electronically under a single umbrella. The PDP Bill needs to categorize the businesses on some basis like type of personal data collected, amount of data collected, etc, to protect the income of these MSMEs which contribute 29% to India's GDP.

2. The ISPs are the backbone of the internet infrastructure that fuels the internet and connects millions of people worldwide. This power to drive the internet makes ISPs the first point of contact for both the internet users and the government in case of any mishandling of data. While the Indian IT Act and PDP Bill seem to have reasonable security practices to protect the Indian internet user, there are some gaps which, if filled, could bring data protection in India on par with international standards. On the subscribers’ front, the ISPs should inform the subscriber about the nature of security risk and put in place certain measures to further educate them in case of any potential security threat in the future. Besides, the ISPs should resolve consumers’ requests for correction of data in a time-bound manner. On the Government front, the ISPs should report any data breach to the Data Protection Authority in a stipulated period of time, to mitigate the impact and deploy procedures for corrective action.

3. As far as the Data Protection Authority (DPA) is concerned, the recommendations are two-fold. Firstly, as it has an important bearing on the market, its composition should enable it to avail of independent inputs in an institutional manner. At present, there are no independent members mandated to be made a part of the DPA. Secondly, given the cross-sectoral applicability of regulations under the PDP Bill, the DPA must be mandated to follow a highly consultative procedure before framing regulations, as other regulators such as the Telecom Regulatory Authority of India, the Airports Economic Regulatory Authority, and the Insolvency and Bankruptcy Board of India do. At present, the PDP Bill requires the DPA to follow a consultative process only for formulating codes of practice and entrusts the government to further prescribe the details of the consultative procedure.

7. Conclusion

The PDP Bill entails its own merits and appreciation points. The provision of ‘Consent Manager’ introduced under the PDP Bill is a welcome initiative which will enable individuals to give or withdraw their consent at ease. While the provision around breach notification has not been explicitly covered in the IT Act, it has been introduced in the PDP Bill. While there was no adequate provision to address minor’s data under the IT Act, it has been duly covered in the PDP Bill.

One reason for the absence of this provision from the IT Act might be that the rate of internet penetration was close to 4.4% of the total population in 2008.

The public policy implications of growing technologies have been the subject of a huge debate: do these policies hamper innovation and economic growth, and, if the technologies are not controlled, do they steal our right to privacy? Security frameworks like cloud computing certifications, cross-border transfers, and storage in countries with an equal privacy policy can be allowed. Certain blockchain features, such as cryptographic encryption and node-to-node data integrity authentication, are without a doubt the best potential solutions to privacy concerns. However, due to the network's non-hierarchical nature and transaction immutability, blockchain is challenging to reconcile with existing data privacy laws. Despite regulatory obstacles, blockchain is the technology of the future and is here to stay.

Law is notorious for being behind the times when it comes to technological advances. In our opinion, the PDP Bill should be amended to allow data fiduciaries who operate blockchains to obtain prior, ‘irrevocable’ consent from Data Principals for the processing of their personal data after providing Data Principals with sufficient information about blockchain technology and the importance of immutability.

The regulatory framework that is proposed for protecting the privacy of citizens has to be suitably tailored to the realities of the Indian economy and its regulatory landscape. Strengthening the state is important in a diversified democratic economy like India; however, it must be done while adequately protecting privacy. Designing a pragmatic assessment of the costs and merits of data protection would be necessary in outlining the revised regulatory framework, which characterizes privacy as a means to achieve other societal ends distinct to the Indian political economy.

Meet The Thought Leaders

Shatakshi Sharma has been a management consultant with BCG and is Co-Founder of Global Governance Initiative, with national felicitation awards: Economic Times The Most Promising Women Leader Award, 2021 and LinkedIn Top Voice, 2021.

Prior to graduate school at ISB, she was Strategic Advisor with the Government of India, where she drove good governance initiatives. She was also felicitated with a National Young Achiever Award for Nation Building. She is a part-time blogger on her famous series, MBA in 2 minutes.

Naman Shrivastava is the Co-Founder of Global Governance Initiative. He has previously worked as a Strategy Consultant in the Government of India and is working at the United Nations - Office of Internal Oversight Services. Naman is also a recipient of the prestigious Harry Ratliffe Memorial Prize, awarded by the Fletcher Alumni of Color Executive Board. He has been part of speaking engagements at international forums such as the World Economic Forum, UN South-South Cooperation etc. His experience has been at the intersection of Management Consulting, Political Consulting, and Social Entrepreneurship.

Ishan Tewari is a Mentor at GGI and a management consultant. He likes to mentor young GGI fellows on weekends as a volunteer in his free time.

Personally, he is a massive sports buff and loves to share his passion by connecting with like-minded people too.

Meet The Authors (GGI Fellows)

Akshita Bansal holds a Master's in Regulatory Governance from Tata Institute of Social Science, Mumbai and a Bachelor's in Economics from Delhi University. She has previously worked with Tata Trusts as a District Consultant under POSHAN Abhiyaan, a flagship programme of GoI to reduce malnutrition in the country. A firm believer in the motto of 'no one left behind,' she seeks the career journey of a lifetime that has a positive impact on the society.

Jessica Jindal is a sophomore from Lady Shri Ram College majoring in Economics. An upcoming intern at Citi India, she has been a Client Relations Manager at AIESEC in Delhi University and is currently the coordinator of World University Service, LSR, a society that works towards spreading awareness on various issues of public health and community service. She is passionate about creating a social impact and is keenly interested in working with NGOs at a grassroots level.

Pragati Keswani is currently a final year engineering student at Jadavpur University, Kolkata. She is interning with Sattva consulting in their Corporate Knowledge Management team. She has previously worked on research projects at the Indian School of Business and the Indian Institute of Management Ahmedabad. She believes in ‘education for all’ and wishes to work in the field of social impact at grassroots levels.

Rajshree Agarwal is a final year undergraduate student at Symbiosis Law School, Pune and is currently interning with Ernst & Young. She has gained extensive industry experience through Tier 1 law firms internships like Shardul Amarchand Mangaldas & Co. and AZB & Partners in the area of Corporate & Commercial Laws. Having undertaken voluntary work for the community through organisations like Bachpan Bachao Andolan and Think India, she aims to indulge in the Policy Consulting sphere to deliver a worthy impact as a future leader.

Rishabh Jain is an undergraduate student of Physics at St. Stephen's College, Delhi and an incoming Business Analyst at InMobi. He has been associated with GGI since its starting days and has worked as a Research Columnist at GGI. He has been a Research Intern at BITS, Goa and has also worked with Hello Study Global as a Human Resources Intern. He aspires to be in decision making positions in leading organisations or work with the Government of India, where he gets a chance to make a positive impact in the health and education sector of India.

Ritikaa Khanna is currently pursuing her BA in Economics Honours from Christ University, Bangalore. She has conducted research on water pricing mechanisms in India with The Takshashila Institution, a public policy think tank based in Bangalore. She has also conducted a study on ‘Smart Cities in India’ under the guidance of an accomplished IIM professor. She has a keen interest in sustainable economics. She specifically looks forward to working on policies promoting economic growth coupled with sustainable life choices.

Ronak Agarwal is currently working at Reckitt as a Future Leadership Program Associate. She holds a Bachelor’s degree in Chemical Engineering from IIT Roorkee where she maintained a CGPA of 9.1 and earned the Excellence Award for her exemplary all round performance. She has always derived her motivation from visualising the impact of her work on the lives of people, whether it is creating digital solutions for over 6000 students at IITR or it is establishing the effectiveness of Dettol Bar Soap portfolio against the SARS-CoV2 virus at Reckitt. On the personal front, she loves to play chess and has been a national level chess player.



[1] ‘Big data: Changing the Way Businesses Operate and Compete’, Ernst & Young (April 2014), available at: (last accessed November 20, 2017).
[2] Erik Sherman, “People Are Concerned About Their Privacy in Theory, Not Practice, Says New Study,” Fortune, February 25, 2019.
[3] Centre for Internet Governance Innovation (2016) – Ipsos. Retrieved from 2016 CIGI-Ipsos Global Survey on Internet Security and Trust.
[4] The History of the General Data Protection Regulation - European Data Protection Supervisor. Retrieved from:
[5] Chin, C. (2019, October 08). In the net neutrality debate, what might follow Mozilla v. FCC? Retrieved from
[6] Federal Communications Commission (2018, October 08). FCC adopts Broadband consumer privacy rules. Retrieved from
[7] Shepardson, D. (2017, April 03). Trump signs repeal of U.S. Broadband privacy rules. Retrieved from:
[8] Ghosh, D. (2018, July 12). What you need to know About California's new data privacy law. Retrieved from:
[9] Greenberg, P. (2020, March 1). 2019 consumer data privacy legislation. Retrieved from
[10] Kratofil, G. M., & Harding, E. (2020, March 14). Federal privacy Legislation Update: Consumer data privacy and Security act of 2020. Retrieved from
[11] McNicholas et al. (2021, March 05). Step aside CALIFORNIA: Virginia consumer data Protection act becomes law - privacy - United States. Retrieved from
[12] Scott, G. (2018, September 10). Internet privacy laws in the US: A guide to all 50 states. Retrieved from
[13] Sullivan, B. (2006, January 26). ChoicePoint to pay $15 million over data breach. Retrieved from:
[14] Munjal, D. (2020). Personal Data Protection Bill: Compliance costs to rise for India. Retrieved from:
[15] Marel, et al. (2014). The Costs of Data Localisation: A friendly fire on economic recovery. Retrieved from:
[16] India: Blockchain Technology - A Review: 07 January 2020: by Vinod Joseph and Protiti Basu, Argus Partners.
[17] Link to the data privacy survey Google form circulated by the authors of the paper
[18] Burman, (2020). Will India’s Proposed Data protection law protect privacy and promote growth? Retrieved from:
[19] Goldberg et al. (2019). Regulating Privacy Online: The Early Impact of the GDPR on European Web Traffic & E-Commerce Outcomes. Retrieved from
[20] Burman, (2020). Will India’s Proposed Data protection law protect privacy and promote growth? Retrieved from:
[21] GDPR & Blockchain: At the intersection of data privacy and technology: Jim Lee Corporate Counsel - North America
