Episode 379: Outsourcing to India: Managing Cyber, Legal, and Data Risks

Without even knowing it, millions of people rely every day on technology, services, and digital infrastructure that are built, managed, or supported from India. As the country cements its position as a global technology powerhouse, it is increasingly becoming indispensable to businesses around the world. However, alongside this remarkable growth comes a complex and growing web of cyber threats, evolving regulation, and legal uncertainty. So what should business leaders know before outsourcing operations, transferring data, or expanding into India? And how is one of the world’s fastest-growing digital economies reshaping the future of cybersecurity and data protection?

Joining us to discuss this topic is N.S. Nappinai, Senior Advocate at the Supreme Court of India, Founder of CyberSaathi, and one of India’s leading experts on cyber law, cybersecurity, digital rights, intellectual property, and data protection. She advises governments, multinational organisations, and institutions on emerging technology law and has helped shape India’s approach to cyber governance and digital policy.

The International Risk Podcast brings you conversations with global experts, frontline practitioners, and senior decision-makers who are shaping how we understand and respond to international risk. From geopolitical volatility and organised crime, to cybersecurity threats and hybrid warfare, each episode explores the forces transforming our world and what smart leaders must do to navigate them. Whether you’re a board member, policymaker, or risk professional, The International Risk Podcast delivers actionable insights, sharp analysis, and real-world stories that matter.

Dominic Bowen is the host of The International Risk Podcast and Europe’s leading expert on international risk and crisis management. As Head of Strategic Advisory and Partner at one of Europe’s leading risk management consulting firms, Dominic advises CEOs, boards, and senior executives across the continent on how to prepare for uncertainty and act with intent. He has spent decades working in war zones, advising multinational companies, and supporting Europe’s business leaders. 

Episode Transcript with Dominic Bowen and N.S. Nappinai

India’s Cyber Law and Data Protection Landscape — with N.S. Nappinai

Guest: N.S. Nappinai — Senior Advocate at the Supreme Court of India, Founder of CyberSaathi, and one of India’s leading experts on cyber law, cybersecurity, digital rights, intellectual property, and data protection. She advises governments, multinational organisations, and institutions on emerging technology law and has helped shape India’s approach to cyber governance and digital policy.

Host: Dominic Bowen


Dominic Bowen: Today I’m joined by N.S. Nappinai. She’s a Senior Advocate at the Supreme Court of India, and she’s also the founder of CyberSaathi. She’s one of India’s leading voices on cyber law, cybercrime, digital rights, and data protection. In today’s conversation, we’re going to explore India’s evolving cyber and data protection landscape, how India’s Digital Personal Data Protection Act compares with the EU’s version, and what international organisations should understand when they’re operating across borders, relying on large Indian technology providers, and managing legal and cyber risks.

Nappinai, welcome to The International Risk Podcast.

N.S. Nappinai: Thank you for having me here.

Dominic Bowen: Whereabouts in the world are you today?

N.S. Nappinai: Right now I’m in Mumbai, but otherwise I’m now mostly based out of Delhi.

Dominic Bowen: Two beautiful cities. I love Mumbai and Delhi a lot, so it’s a good place to be. Let’s jump straight in. India has become one of the world’s most important digital economies, and I think unquestionably one of the world’s largest and most significant technology service hubs. As the business environment has expanded at such a rapid rate, how would you describe the evolution of India’s cyber laws and data protection environment over the last decade, as the business environment has raced ahead?

N.S. Nappinai: Well, the last part of your question spoke about the last decade, but India’s foray into cyber laws started in the year 2000. And a little background that many may not know: it actually started a few years prior to that, and the first thing India contemplated was in fact a data protection law, especially after the EU had produced its 1995 Data Protection Directive and the UK had brought in its Data Protection Act in 1998. Thereafter, because of India’s commitment to the WTO, we needed to come out with a cyber law enactment in line with the model laws that the UN had produced. Initially, the thought was to come out with an e-commerce law, but what we landed with finally in 2000 was a semi-comprehensive Information Technology Act, which was then amended in 2008 after the tragic terror attack in Mumbai, where it was realised that we did not have a strong cybersecurity foundation in terms of law.

From there to now, if you look at the way things have evolved, we have mostly gone sectoral. The Information Technology Act was supposed to be redone in the form of a Digital India Act, but that was dropped a couple of years back. It’s not completely dropped — it may still come to the front in some other form — but right now we have the Information Technology Act, which caters to e-commerce and catered to data protection. Now we have a Digital Personal Data Protection Act, which will be implemented a year from now. It has been passed but has not yet come into force, so until then we are in a kind of interregnum phase. Otherwise, you have the IT Act and certain sectoral regulations and provisions that have been driving the cyber law domain. In my first book, I called it a cyber jigsaw puzzle, because you need to take the pieces from different parts and then figure out what fits your requirement.

Dominic Bowen: I think that’s a really good point, and what you covered in your book on that topic was really interesting and very well said. For organisations and business leaders who haven’t read your book, and for those trying to understand India’s Digital Personal Data Protection Act, what are the most important things? If we talk about the top three or four things that business leaders operating in Europe and North America need to understand about India’s DPDPA, what are they?

N.S. Nappinai: Well, the DPDPA had a very long route. It started with the Supreme Court’s judgment in 2017, the Puttaswamy judgment; then the first draft came out in 2018, and a more elaborate draft in 2019. Then the government went through a whole phase and said they wanted to keep it simple — they didn’t want a complicated law. So what you have is the principles of the GDPR captured in a very short enactment, which the government says is more like the skeletal body of a personal data protection law that it is going to fill out with rules and regulations.

So the good news for you is that you have a very simple law. The bad news is that this law is going to go through a great deal of addition. We always say that a first principle in law is that you cannot go beyond the remit of the parent Act. Having said that, industry is going to be in a state of flux, not knowing what is going to come in under a particular provision. If you look at the provisions, so many speak of “as prescribed,” or “the central government may prescribe,” or “the central government may waive.” So many powers are vested with the central government, which will be exercised through delegated legislation. That means it is not as glacial as a parliament-enacted law; it can change very rapidly. That is where the first problem lies for industry.

The second thing is that you do not have to worry that India has given you a more rigid law than the GDPR. Like the GDPR, the DPDP Act also runs on a consent-plus-accountability framework. You do have certain waivers for consent, but you are still accountable for following the data principles — purpose limitation, protecting the data sufficiently, and the principles that govern how you share the data, how you use it, how long you retain it, when you have to delete it, and whom you can share it with, including cross-border sharing. All of this is captured in that skeletal, or I would say minimalist, draft. So you broadly need to follow the GDPR, and you may largely be in line with what you will see in the Indian scenario. But India has gone a little beyond that. If you look at the exemptions, and the manner in which they are framed — particularly when it comes to children’s data — it has become more rigid than even the GDPR. It has also retained the right of the central government to waive or to prescribe. So certain rules have come into play, especially regarding the appointment of the Data Protection Board, and the consent manager framework is in place, but the remaining prescriptions or delegated legislation through rules and regulations are still awaited.

Dominic Bowen: That’s what I wonder, because sometimes comparing laws between one jurisdiction and another doesn’t work, and it isn’t fair, because there are other supporting laws, or parent laws, or social conditions or business practices that make the comparison unfair. But of course, now that India is, I think it’s fair to say, the centre of IT outsourcing, when you compare India’s laws, such as the DPDPA, with Europe’s GDPR and related laws, we probably should be able to compare and to confirm alignment. In fact, I think many European countries require that if their companies are outsourcing to India, they have to make sure they’re meeting the same requirements. Where do you see challenges there? Where are the biggest differences in approach, and where can companies potentially come unstuck?

N.S. Nappinai: So India is still not part of the approved-nation list of the European Union. The chances of your EU data coming to India are still bleak, except through other means such as contractual compliance or third-party sharing. When it comes to EU data, they are very strict — except for their very relaxed or lenient mode for the USA.

For India, the concern is this: we needed a Data Protection Act a couple of decades back or more. We now have a minimalist law that has been passed but not yet implemented. As it stands today, one of the things Indian businesses wanted was the possibility of India finding its way onto the approved-nations list. Right now that seems a little bleak. Maybe after the rules and regulations come out, the EU may review its stance, but right now it doesn’t look very positive.

But keeping aside EU data, let’s talk about cross-border data flow into India. You rightly said India has become a hub for technology services. I would venture to say that, unlike its earlier avatar when it was predominantly a service provider, India has now evolved to developing products. There are so many startups that are keen to launch their products. This is my cautionary tale, whether you’re an Indian company or an international one: often they think “launch first, ask for forgiveness later” — launch first and ask for permission later. Under the DPDP Act, the fines are very stringent and the provisions are fairly strict, though minimalist. So you may want to pause before you rush to launch. Remember that forgiveness, or permission, may come at a very steep price; you can be fined fairly heavily. That is my caution to any developer who wants to use data as the fuel but may not want a heavy compliance framework.

Dominic Bowen: So how do companies get past this? You said the European Union’s and India’s laws are not yet perfectly aligned, but there must be some alignment, because there are so many companies. I work with most of Europe’s largest companies on their risk management, their crisis preparedness, their outsourcing and their third-party risk, and I know a large majority are outsourcing. I’m often asked: how do we stay compliant?

N.S. Nappinai: Often this is actually done through contractual processes. Take HIPAA in the USA. When HIPAA came out, India did not even have its Section 43A, which came in through the 2008 amendments — and even those amendments were implemented only in October 2009. So how did the USA’s data come to India then? The companies that accepted work involving data processing or data analytics would have to contractually bind themselves to comply with the HIPAA provisions. So to a large extent, contract comes into play where the law may not provide sufficiently.

But even so, when it comes to the GDPR, it does not allow circumvention of its stringent provisions on the transfer of EU citizens’ data. You may be an Indian service provider, but you may be providing your services within the EU. So companies have been structuring themselves such that, where there is an impediment, they find a way to modify the jurisdiction sufficiently to suit their purposes. One of the classic examples I always give is cloud computing. Consider the Microsoft case, and why it happened in the US. Many social media platforms claim to be based in the USA, and here it was Microsoft, a service provider. But when it came to the data, they said, “Sorry, we are now in Ireland, and therefore it’s beyond your jurisdiction.” And so the USA came out with its CLOUD Act. People keep playing this cat-and-mouse game — Tom and Jerry is what always comes to mind for me. When governments start getting strict, companies find certain solutions, and then the government tightens the noose again. Ultimately, as humans, whatever we may claim about data being in the sky, we are still grounded; we are amenable to one jurisdiction or another.

On a final note about the laws of different jurisdictions being different: one of the reasons you had model laws coming out of the UN was that certain forms of commerce transcended borders — maritime is a classic example — and so you had the UNCITRAL e-commerce model laws as well. But if you look at data protection laws and various other provisions coming in, you do not have that uniformity or harmonisation. Companies with footprints in multiple jurisdictions invariably find compliance a bit difficult. So they also create their own setups to ensure that their compliance is valid geographically.

Dominic Bowen: You talked about that cat-and-mouse game that regulators and corporate actors sometimes play. But for those actors concerned about the practicalities, and this isn’t just about India, it’s the case in many countries, for some countries it’s very clear. No European or North American company is going to outsource its IT to Russia, North Korea, Iran or China; there are very clear concerns about those. Whereas with India, I think companies genuinely see it as an unknown. They think it’s fine, but they’re not quite sure. So how should organisations that are asking these questions think about it? They say, “There are laws, we’re working through them; we have contractual terms, our SLAs and their appendices, with certain provisions to protect our data. But we’re still a bit unsure about government access, about law enforcement powers, about national security exemptions.” How should companies think about this when they’re looking at India specifically?

N.S. Nappinai: I may be preaching to the choir, but let me give it some context. Companies have invariably kept politics and profits separate. You mentioned China, and immediately this thought came to my mind. My journey into the world of cyber was through my expertise in intellectual property rights. What really amazed me when I did my fellowship in the US was that, despite their concerns about China, and despite companies being very protective of their intellectual property rights, everything was being outsourced to China for production. Why? Because the cost of production was much cheaper than, for instance, India. At that time — I’m talking about a decade or more ago — China did not have as strong an IPR regime as India did. India had strong laws and was still evolving in terms of implementing them, and it was not that India was an expensive jurisdiction; it was just more expensive than China. Yet despite the political and geopolitical situation, and despite continuous complaints about repeated violations of their proprietary rights, American companies continued to outsource to China.

So today, if you’re looking at data and the various products or services around it, any jurisdiction will have to consider multiple issues. One: what is the law of the land of the citizens whose data they are trying to transfer? Are they transferring the data, or merely availing themselves of services — and where will those services be provided from? What laws will become applicable, and how strong or weak are those laws? Sometimes companies want weak laws — let’s not forget that; as I said, many companies may not want a strong compliance regime. Companies call it a trade-off: what am I trading off when I choose a particular jurisdiction, or a particular company to engage with? And how strong are their agreements or contractual terms to protect the company availing of the services? Finally, remember that the strength of your agreement lies only in its strong implementation. If you have a very strong agreement but the jurisdiction you have chosen is very weak in enforcing the contract, then a strong contract is of no consequence. Similarly, many companies resort to standard-form contracts, but that doesn’t help you if you make it one-sided or unconscionable. So there are a lot of nuances when it comes to the legal aspects.

Dominic Bowen: I couldn’t agree more. Your point about implementation is critical. I spend a lot of time looking at contractual law and advising clients on it, but you’re right: at the end of the day, it’s what’s implemented that really matters. You need the contracts to prevent problems and, if there’s an incident, to remediate, to negotiate, to get some form of compensation, or to fix it. But ultimately it’s that implementation that’s so critical.

I’ll just take a short moment, Nappinai, to remind our listeners that if you prefer to watch your podcasts, The International Risk Podcast is always available on YouTube. Please go to YouTube and search for The International Risk Podcast, and please do like, share, and subscribe to our content — it really is so important for our success.

Now, Nappinai, you’ve touched on a few different topics, and I think that’s important because, as we’ve made very clear, India is a major outsourcing and IT services destination. So put on your sales hat, from a legal and cyber risk perspective: what makes India so attractive? Why has it become such a hub? And then, what should foreign companies be cautious about when they’re outsourcing IT services to India?

N.S. Nappinai: Well, the capability of our technology experts is mind-boggling. These are young people who are capable of things we cannot even fathom. I think that’s one of the reasons India has seen such a big boom in startups. In my time, we didn’t even question the answer. If someone had asked an engineering student in my day what they would do, they would say they would join a good company, or take a government job — government jobs were the most preferred. From government jobs, the next generation moved to private jobs as the most preferred, even though that security was not there. Today’s young people have such a huge risk appetite, and the capability to back that risk appetite, so they are happy to go out, venture, and find their footing. I think the technology capability is actually the biggest draw when companies look towards India.

I don’t think law can be the first reason — that’s just the supporting actor; we come in only when trouble starts. Even when you’re drafting a contract, you never look at law as the primary actor; we are just a supporting player. Only when things reach a difficult state does law step in. But in this instance, I would strongly advise companies to look at law as a primary actor too. I used to run a session called “Litigating IT Contracts: Catch Them Early or Watch Them Grow.” I always addressed it on three grounds: first technology, second commercials, and third legal. Each of the teams works separately, but most of the time they have to work together to understand how commercials can be bound to milestones in terms of technology, and technology has to be delivered with a keen eye on the law.

We spoke about the DPDP Act, but let me point out that intellectual property rights also play a key role. Many times companies ignore the necessity for legally acquired or licensed software or tools to be used, even in building their product; and then, when a third-party claim arises, an indemnity alone is not going to protect you, because your business is going to be affected. That’s why marrying all three — having them go hand in hand by consensus — I know it sounds utopian, but believe me, it’s feasible, and something to that effect is likely to help companies more.

Dominic Bowen: Unquestionably, working together in that matrix way, bringing people together, is smart. I also love what you said about catching it small or watching it grow — that’s so important, because problems never get smaller by themselves. They only go in one direction, and that’s bigger.

I agree that legal protection is there if something goes wrong, and ideally it also gives us the framework for resolution, and even the framework to avoid problems by making roles, responsibilities and remediation clear. In that vein, I wonder — if we’re talking to European or North American financial institutions, those with the heaviest regulation. Particularly since 2008 and the financial crisis, financial institutions are generally, from a risk management and legal point of view, the most robust and heavily regulated industries out there, so they’re a great example. If we know that some banks, financial institutions and insurance companies in Europe are outsourcing a significant portion of their data management and IT services to India, what are some of the legal and contractual protections they should insist on?

N.S. Nappinai: Well, that’s a really heavy question, and I don’t want to venture into giving a formal opinion on it. I think I’ve actually touched on most of the aspects, but there is one issue we haven’t really touched on so far, so let me focus on that. You mentioned cyber risk in your earlier question. When we talk about financial institutions, cyber risk, protection against cybercrime and cyber insurance all come into play. In India, sectoral provisions for cybersecurity are strongest in the financial sector. And yet — I used this in one of my writings, and I love it — I referenced Edwin Muir’s poem “The Castle,” with its little wicked wicket gate. You may have the strongest fortress, but that one small wicket gate is enough for someone to breach it — the Trojan horse syndrome.

So cyber risk is something companies need to be very careful about. What buttressing is a vendor or supplier giving you? How well are you protected — not just in terms of cyber risk while developing the product, but when it’s deployed? What laws will apply to that, and how safe are you? Particularly because, if you look at some of the oldest cybercrimes, they started with very simple siphoning of funds through bank accounts, using a bug placed by a software vendor in a bank. We have seen cases like that from many decades back. We understand that today the financial sector is much more robust and sophisticated, and therefore the cybercrimes that affect it are equally sophisticated. So we have to keep evolving our remedies and keep a very sharp eye out.

Dominic Bowen: That’s a really good point — the more robust many of our organisations are, which is something to be commended and celebrated, but we can’t assume that the adversaries, whether foreign state actors or criminal organisations, aren’t also evolving. The organisations most valuable to them are precisely where they put in the effort to work around and mitigate our strengthening defences.

Now, you work in the courts and have done so for a long time, with great experience in India. Without mentioning company names, tell us about some of the most common mistakes you’re seeing companies make. Where do we end up with litigation in India when we’re talking about service providers? Where do things go wrong?

N.S. Nappinai: You know, Dominic, I started off as a litigator, and for a period in between, when I was running my law firm, I did both transactional work and litigation. Very interestingly, one of the earliest transactions I handled — when I quipped about how they had opted for a known litigator to handle their transaction — the gentleman told me something very interesting. He said, “You know where it is headed. Where most people may see only words strung together when they look at an agreement, you will see where one flaw can lead us. And therefore I want the sharp eye of a litigator on my contracts.” That positioning actually helped me a lot. Now I’ve moved back to litigation after my designation. So yes, there have been some very interesting cases that have come my way. I always used to joke that, for some reason, the vanilla cases never came to me; they were always so complicated, with nuances in every case, and that’s how we had to deal with them. So when you ask about some of the cases I’ve handled — is there any specific field you would want me to address?

Dominic Bowen: I was thinking about when companies are leading — you’ve got some amazingly large and effective outsourcing companies, and with so much of the world sourcing and outsourcing their activities in India, there are common things you see: mistakes, assumptions. One common thing I see is that they’re not doing physical audits. They rely on reporting from companies rather than actually getting on a plane. If you’ve got a contract worth several million dollars, honestly, a ten-thousand-dollar trip to conduct an in-person audit, review the reports, and look at the site — whether a data centre or a call centre — is worth it. It’s amazing how often problems land on my desk and I ask, “When did you last do the audit? When did you last visit the site?” And they say, “We never did,” or “We did when we signed the contract, but that was it.” It just amazes me.

N.S. Nappinai: And they really hesitate to spend on two different kinds of audits. When you’re talking about technology contracts, you have to have a technology audit and also a legal audit. Often people find one or the other not relevant; the legal audit becomes just a tick-mark questionnaire, and the technology audit may or may not be a physical one, as you mentioned. So let me pinpoint a couple of things that come to mind. The first — and I’ve seen this, since you mentioned outsourcing; a few series of cases I handled some years back come to mind. Many times, you’ve heard of the “water cooler” movement, and we talk about cybersecurity or data breaches happening with an insider helping out. I have handled so many cases where not just one person but a whole team was involved. In one case — it’s a little funny in retrospect, but it was so sad when it happened — an entire branch of the company moved out overnight and started a competing organisation.

So one person leaves your company, and that’s where your data breach happens — the inside man. A team leaves with that single person, and a series of data breaches happens. And the data breaches are not just about personal data; they’re about your proprietary data, your software, the work you have spent a lot on to develop. Secondly, if you are a foreign company that has outsourced its proprietary content to a third party in another jurisdiction, and a team walks out there, then that proprietary content is also jeopardised, because you don’t know how much has been stolen or how strong the laws are to protect you in such a situation. How well have you protected yourself in terms of contracts, audits, and reviewing the terms of usage? I remember the early days when we had to fight over data breaches, and the first question the court would ask was, “But you gave them permission to use it.” And we had to clarify: of course — how else will a software developer work on improving software unless we allow access? But that access is predicated on their working on the software within my infrastructure, within my corporate premises. That permission does not extend to their taking it out of my premises. The minute I have a contract that says you will work on it for my sake, I don’t have to spell out that you will not take it away. In fact, companies started doing that later — building in very strong employee contracts and confidentiality terms to protect against this insider issue.

Dominic Bowen: It’s a really important point. When we look at insider threats, the levels are staggering, and I think so many companies don’t understand it. Looking broadly across the variety of cybercrimes you see — and I know your organisation, CyberSaathi, looks at this, everything from revenge porn to cyber extortion, fake news and more — how should companies be thinking about and understanding cybercrime trends in India today, especially when we think about fraud, identity theft, social engineering, ransomware, and business email compromise? What should business leaders understand about the environment in India today?

N.S. Nappinai: Well, one of the biggest financial frauds happening, which has impacted foreign companies — and I’ve come across too many of these — is email fraud, or impersonation fraud. Company A, based, let’s say, in the USA, has engaged a supplier in India. The supplier raises an invoice, Company A pays it, and then finds out it wasn’t actually their supplier — it was a man in the middle who hacked into the supplier’s systems, found the details, and rerouted the payment. I’ve come across very interesting cases where a person falls prey to an impersonation attack, is then informed that it was impersonation and that they should be careful, and is then made to pay again — even that going to the same fraudster. You would be amazed at how easily people can fall prey.

In fact, the Supreme Court of India has taken a great deal of cognisance of the most prevalent and very sad phenomenon of “digital arrest” that is happening now — and I’m amicus curiae in that case, in fact. One thing that may affect foreign vendors is that, since bank accounts are misused for siphoning out monies, one of the processes implemented is the freezing of accounts. So if your money is stuck in an account that has been misused, your money is frozen there, and it will first be applied as proceeds of crime to reimburse the victims, and only thereafter to recover your money. So who you deal with, how it works, and how secure the connection and the money are is critical.

Dominic Bowen: And I wonder how much of a role AI is playing in cybercrime today. How much do you see AI really driving the digital extortion, the fraud, the online harm in India? How much is being motivated by artificial intelligence?

N.S. Nappinai: A lot. In fact — CyberSaathi is a non-profit, thank you for bringing that to the fore. Through CyberSaathi, as part of our awareness programme, I wrote my second standalone book, which I called, to meet the requirements of Gen Z, “Sassy Tales: Cyber Crime Stories and the Law.” The whole idea of “Sassy Tales” was to explain how these frauds happen. Initially, we called it the grandparent scam, and I’ve covered that in the book too. Grandparent scams used to happen through a text where a grandchild is asking for money and says, “Please don’t tell my parents; I’ve been arrested,” or “The police are threatening me, I have to pay them off.” The grandparent sends money and then finds out it was not the grandchild. Then people became a little more wary and would say, “I want a voice call with you.” On the voice call, it sounds very much like their grandchild, so they transfer the money — and then find out it was not their grandchild. So you become even more cautious and insist on a video call, and this is where the digital arrest cases also come to the fore, with people impersonating police officers and judges. So AI and deepfakes have been used extensively, from job scams to grandparent scams to digital arrest cases. AI is the most favoured tool of the criminal right now, and therefore having strong AI laws is a critical need that India still does not have.

Dominic Bowen: Maybe just very briefly, when you look ahead, what developments do you see in India’s cyber laws, data protection, AI regulation and digital governance? What do you see changing? I understand the laws are evolving, improving and strengthening — what should we be looking at in India’s legislative landscape?

N.S. Nappinai: The first word of caution — and this is more for Indian legislators — is that they need to approach law with a multi-pronged approach. It cannot be a knee-jerk reaction, so don’t substitute paranoia for caution. Obviously you have to be cautious, but not paranoid, when you provide for technology, because law should be an enabler and should not end up stifling innovation. We spoke a lot about AI and its misuse; merely because a technology can be misused does not mean you say “off with their heads.” You still need to use the technology, and the economy has to benefit from it. So I see a positive trend in India, where the ministries have started looking at law as an enabler too, and not just for prevention, protection and punitive action.

When we talk about law as an enabler, it’s critical that laws are precise, clear and transparent, and that there is certainty. Yes, technology is evolving faster, so governments are also opting for delegated legislation, but that should not be overdone, because then the certainty of law goes away. This is my wish list. We have laws in India that were several centuries old; only now have we changed our major criminal Acts, after more than 160 years in some cases. Today technology is evolving too fast, and we are in a situation where laws also have to evolve or change to meet the requirement. The Digital India Act was one such initiative, where it appeared we might get a comprehensive law in place, but that has not seen the light of day.

The way I look at it from an Indian perspective: first, I definitely see something new coming in place of the Information Technology Act, with simpler but more robust provisions for regulating e-commerce, social media platforms, and the other digital processes that are happening. And most critically, I feel India needs a cybersecurity law, and that cybersecurity law needs to provide for emerging technologies. Today, as I mentioned, sectoral laws are providing for emerging technology regulation. Cybercrime law needs to be more robust. But ultimately, the problem we see in India — and I repeat myself when I say this — is implementation. A law is only as strong as its enforcement. If a law is seen as a paper tiger, then nobody is going to pay attention to it or abide by it. So I feel India needs to strengthen its implementation processes, and very soon; we can’t delay it any longer.

Dominic Bowen: That’s excellent. One final question, which I ask all guests on The International Risk Podcast: when you look around the world at all the international risks we face — from the environment to war to financial stresses — what are the international risks that concern you the most?

N.S. Nappinai: International cooperation. I was part of the UN’s cybercrime convention, and we saw so much cooperation when the initial talks started; but when it came to signing, the countries that had even participated strongly in the negotiations refused to sign. So I think that, when it comes to the digital domain, you cannot substitute international cooperation.

Dominic Bowen: I think that’s a great answer on so many levels — whether on finance, the environment, or geopolitical tensions, more international cooperation is certainly needed. Thank you for highlighting that, and thank you very much for coming on The International Risk Podcast.

N.S. Nappinai: Thank you. I enjoyed this journey and look forward to more. All the best to you.

Dominic Bowen: Thank you so much. That was a great conversation with N.S. Nappinai, Senior Advocate at the Supreme Court of India and founder of CyberSaathi. I really enjoyed our conversation about cyber law, cybercrime, digital rights and data protection in India. I think this is an important conversation for all of us; those working internationally, and of course those outsourcing and working in India. I’m Dominic Bowen, host of The International Risk Podcast. Thanks very much for listening.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *