Working with “Last Mile” Data Protection in India

India’s digital economy is characterized by “last mile” data protection, with privacy norms, data collection and sharing standards being set at the level of the application (“app”), operating system (OS) and the device. This practice lends itself to multiple, often crisscrossing rules maintained by smartphone manufacturers, mobile operating system vendors and application developers. The user is caught in a maze of privacy policies that bear on important questions: what data is collected, where it is stored, who it is shared with, and legal recourse in the face of policy violations or unauthorized use of data by third parties.

Contributing to the confusion is the lack of statutory or regulatory clarity on data protection. India’s own data protection rules offer wide latitude to technology companies to determine their own practices, which encourage irregular and poorly enforced privacy policies. If regulatory ambiguity has opened the door for conflicting data protection guidelines, the problem is compounded by India’s heavy reliance on foreign devices and applications, many of which transfer data of Indian users outside India’s borders and base their privacy policies on their home jurisdictions. This system of “last mile” data protection significantly diminishes the state’s ability to protect the privacy of its citizens, a right that was recently confirmed as “inalienable” by the Supreme Court of India.
This paper highlights “last mile” protection through an analysis of policies at the app, OS and device layer — using the examples of the Google Play Developer Distribution Agreement, Google Developer Policy, the India-specific privacy policies of smartphone manufacturers Huawei, Vivo and Xiaomi, as well as the privacy policy of WhatsApp. While acknowledging that such policies are here to stay and that it may not be feasible to craft statutory guidelines that comprehensively address every dimension of data sharing and collection, given the diversity in technological platforms, the paper makes the case for a self-regulating, autonomous and multi-stakeholder agency for protecting the integrity of user data.
Available in:
Regions and themes
ISBN / ISSN
Share
Download the full analysis
This page contains only a summary of our work. If you would like to have access to all the information from our research on the subject, you can download the full version in PDF format.
Working with “Last Mile” Data Protection in India
Related centers and programs
Discover our other research centers and programsFind out more
Discover all our analyses
RAMSES 2024. A World to Be Remade
For its 42nd edition, RAMSES 2024 identifies three major challenges for 2024.
France and the Philippines should anchor their maritime partnership
With shared interests in promoting international law and sustainable development, France and the Philippines should strengthen their maritime cooperation in the Indo-Pacific. Through bilateral agreements, expanded joint exercises and the exchange of best practices, both nations can enhance maritime domain awareness, counter security threats and develop blue economy initiatives. This deeper collaboration would reinforce stability and environmental stewardship across the region.
The China-led AIIB, a geopolitical tool?
The establishment of the Asian Infrastructure Investment Bank (AIIB) in 2016, on a Chinese initiative, constituted an attempt to bridge the gap in infrastructure financing in Asia. However, it was also perceived in the West as a potential vehicle for China’s geostrategic agendas, fueling the suspicion that the institution might compete rather than align with existing multilateral development banks (MDBs) and impose its own standards.
Jammu and Kashmir in the Aftermath of August 2019
The abrogation of Article 370, which granted special status to the state of Jammu and Kashmir (J&K), has been on the agenda of the Bharatiya Janata Party (BJP) for many decades.