
DSCI - Aldefi - Privacy - Enhancing - Technologies - 1717593430 2024-06-05 13 - 17 - 17

Uploaded by

Imran Chowdhury

PRIVACY ENHANCING TECHNOLOGIES
Global and Cross-Sectoral Regulatory Insights
Copyright ©2024

All rights reserved.

This paper has been jointly developed by Data Security Council of India (DSCI) and Aldefi.

The information contained herein has been obtained or derived from sources believed by DSCI and Aldefi to be reliable.
However, DSCI and Aldefi disclaim all warranties as to the accuracy, completeness, or adequacy of such information. We shall
bear no liability for errors, omissions or inadequacies in the information contained herein, or for interpretations thereof.

The information contained herein should not be relied upon as a substitute for specific professional advice. Professional advice
should always be sought before taking any action based on the information provided.

The material in this publication is copyrighted. You may not distribute, modify, transmit, reuse, or use the contents of the
report for public or commercial purposes, including the text, images, presentations, etc. without prior consent from either
DSCI and/or Aldefi.
Table of Contents

READING GUIDE
EXECUTIVE SUMMARY
1. INTRODUCTION
1.1. Methodology
1.2. Privacy-Enhancing Technologies: A Brief Overview
2. INDIA-CENTRIC STUDY ON PETs: LEGAL AND REGULATORY DEVELOPMENTS
2.1. Key Sector-agnostic Regulations
2.2. Sectoral Impact on PET Implementation
3. GLOBAL TRENDS IN PRIVACY-PRESERVING AND ENHANCING TECHNOLOGIES
3.1. Asian Landscape Study on PET Adoption
3.2. PET Trends in Europe
3.3. North American Guidance on PET Usage
3.4. Oceania Regulatory Endorsements of PETs
4. CONCLUSION
4.1. The Role of Global Regulators and Cultural Variance in PET Uptake
4.2. Key Cross-Sectoral Trends and Observations
4.3. Cross-Sectoral and Cross-Jurisdictional Regulatory Challenges
4.4. Strategic PET Investment for DPDPA Compliance
4.5. Balancing Compliance and Innovation: The Road Ahead
ANNEXURE I: DPDPA COMPLIANCE DATA GOVERNANCE PLATFORM
REFERENCES
RESEARCH TEAM

Privacy-Enhancing Technologies:
Global and Cross-Sectoral Regulatory Insights 3
Reading Guide

| Chapter | Summary | Target Audience | Pages |
|---|---|---|---|
| Chapter I | Provides background for the study, the research approach, and a foundational understanding of select PETs. | All readers. | 7-9 |
| Chapter II | An expansive repository of legal and regulatory developments from an Indian context that references the usage of PETs. | Legal Professionals, Data Protection Officers, Security Professionals, Policy Practitioners, and Technical Leaders (CISOs, CTOs, CIOs, Governance, Risk and Compliance Officers) in organisations primarily within the BFSI and Healthcare sectors. | 10 - 21 |
| Chapter III | A compilation of research on PET usage endorsed by global jurisdictions. Ten diverse jurisdictions are studied for this purpose, including Asia, North America, Europe and Oceania. | Legal Professionals, Data Protection Officers, Security Professionals, Policy Practitioners, and Technical Leaders (CISOs, CTOs, CIOs, Governance, Risk and Compliance Officers) in organisations having a global presence. | 22 - 28 |
| Chapter IV | Key findings from the study are synthesised, and recommendations are put forth to regulators and industry stakeholders. | All readers. | 29 - 34 |
| Annexure I | Proposes the usage of a robust data governance platform to assist organisations with their DPDPA compliance journeys. | Legal Professionals, Data Protection Officers, Security Professionals, Policy Practitioners, and Technical Leaders (CISOs, CTOs, CIOs, Governance, Risk and Compliance Officers) in organisations that are required to adhere to the DPDPA. | 35 - 38 |

Executive Summary
Cybersecurity experts often advocate for a multi-faceted approach to data
protection consisting of administrative, physical, and technical layers. This paper
particularly focuses on the need for a robust technical layer by deploying a variety
of PETs. Given the expansive nature of PETs, this paper restricts its focus to only
those technologies that are relevant from a data protection compliance standpoint.
The categories of technologies explored for the purpose of this study include
Cryptography-Based PETs, Obfuscation Technologies, Statistical Technologies, and
Systems-Based Solutions, amongst others. Within each category, key PETs routinely
implemented by organisations are identified.

After the thorough exploratory exercise, an expansive study of regulatory
endorsements of PETs within the Indian legal landscape was undertaken. A set of
key sector-agnostic and sectoral laws and regulations are studied to ascertain the
necessity for PET investments. Sector-agnostic regulations such as the IT Act, 2000,
SPDI Rules, 2011, and the DPDPA 2023, among others, were scrutinised to identify
PET usage prescriptions. Similarly, banking, insurance, and healthcare industries’
sector-specific regulations were assessed to determine the categories of PETs
routinely implemented by entities.

In the third chapter of the paper, global trends in PET adoption are examined. With
an aim to consolidate varied perspectives, the global study spans across a diverse set
of jurisdictions. Thereby, PET trends across Europe, North America and Oceania
were explored, with a particular focus on Asia. Within the Asian landscape study,
Japan, Singapore, the Philippines, and South Korea were covered.

Lastly, this paper synthesises cross-sectoral and cross-jurisdictional regulatory
insights in the final chapter and provides key observations and recommendations for
government and industry stakeholders. Key recommendations emphasised are as
follows:

For Industry Stakeholders:
• We synthesised our findings from the India-centric sectoral study which
explored a variety of sector-agnostic and sectoral regulations. We find that
recurring regulatory endorsements include the usage of Encryption,
Access Controls, Data Audits, Management Interface and
Technology-neutral specifications.
• On analysing the DPDPA, we find that the PETs specifically endorsed by
the law are Consent Management Interfaces and carrying out Data
Audits, DPIAs, and Consent Mapping.

• In view of the DPDPA impacting all entities that process personal data, we highly recommend organisations
take preliminary steps for seamless compliance. These preliminary steps include budgeting for privacy,
which involves investments in PETs to achieve the twin objectives of consumer trust and legal
adherence.
• While regulatory relaxations have been promised to a specific set of Data Fiduciaries, we recommend that
DPDPA-mandated PET usage should, nevertheless, be a key consideration for all entities.
This is considering that the scope of relaxation and the extended timelines for compliance have not been
officially notified by the Central Government.

For Regulators:
• At the time of drafting this paper, the Central Government was yet to release a set of rules that accompany
the DPDPA. In view of this, we recommend supplementary DPDPA obligations to align with global
standards and the existing Indian sectoral frameworks, endorsing technology-neutral best
practices. This approach allows organisations flexibility in selecting PETs that align with legal considerations
across jurisdictions and sectors.
• Through comparative studies across ten global jurisdictions, we observe that the role of dedicated
regulators for data protection is critical in influencing privacy cultures and PET uptake in regions.
We anticipate the expansion of Indian privacy jurisprudence once the Data Protection Board is
formed. While the DPDPA is silent on whether the Board can also release advisories, we anticipate the
Board through its orders, mitigation measures, and directions will clarify PET usage to secure data
processing activities.

Taking a forward-looking perspective on deploying PETs across data lifecycles demonstrates the feasibility of
meeting regulatory mandates while championing data privacy. With this perspective in mind, we propose a
comprehensive ‘Data Governance Platform’ to assist organisations with seamless compliance with the
DPDPA. All in all, integrating key Privacy by Design (PbD) principles into technical layers paves the way for
cost-effective PET implementation. In conclusion, with the dynamic regulatory mandates coupled with industry
outlook shifts, India is positioned to herald an era of privacy-conscious data processing activities.

1. Introduction
In the age of digital economies and big data analytics, data processing offers
a plethora of benefits to businesses. These benefits range from personalised
customer experience to data-driven business decision-making. Data, thereby,
has now become the lifeblood of organisations. This sentiment echoes across
businesses, irrespective of their size, sector, and location. Regardless of these
advantages, data can potentially be monetised and misused as cyberattacks and
dataveillance threats loom.

As a proactive measure against these risks, cybersecurity experts often recommend
the adoption of a multi-faceted approach to data protection, commonly referred
to as ‘layers’.1 These layers can be administrative, physical, or technical in nature,
each serving a specific purpose in safeguarding data. Administrative layers include
establishing airtight internal data governance models, conducting periodic
cybersecurity hygiene checks, and cultivating sustainable data system practices.
Physical security measures are characterised by restricting access to office premises
and implementing biometrics systems, amongst other measures. Integrating Privacy
by Design (PbD) principles into the organisation’s technical architecture is a key
facet of the technical layer of data security. Establishing these layers, thereby, is
critical to minimising the harm caused by even the most dedicated hackers and their
sophisticated modus operandi.

In this paper, particular focus is placed on establishing a robust technical layer
for data security, emphasising the implementation of a combination of Privacy-
Enhancing Technologies (PETs). Through an expansive literature survey, we observe
that centralised data monitoring systems and privacy solutions are recognised by
a variety of regulators in India and globally. On gathering cross-sectoral and cross-
jurisdictional regulatory insights, we have compiled a quick-reference guide enlisting
relevant PETs for legal compliance. All in all, we demonstrate that legal compliance
and data processing can be achieved parallelly and cost-effectively to ensure that
regulatory mandates are met while championing data privacy.

1.1 Methodology
In this paper, the typology of PETs was thoroughly studied, and relevant authorities
were relied on to classify PETs. It is to be noted that the literature on PETs does not
universally accept a typology pertaining to these technologies.2 Additionally, several
regulators and scholars have varied approaches to grouping PETs. Nevertheless,
we have classified PETs based on their inherent nature and characteristics. Further, the scope of research has
been limited to the PETs that are commonly used in enterprises and those which have been routinely endorsed
by regulatory authorities. Adopting this approach enabled the researchers to conduct a systematic study on
trends and regulatory endorsements, relevant from a practical compliance standpoint.

Through this approach, an enquiry was made to ascertain whether a particular PET relied on cryptographic
technologies, obfuscation technologies, or system-based technologies for accountability. However, if a particular
technology does not fit into any of these categories, it is bucketed into the ‘miscellaneous’ category.

Given the broad nature of technical interventions and compliance requirements, we are focusing our research
on complying with data protection laws by utilising select PETs enlisted below in Table 1.

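Table 1:

| PET Typology | Key PETs | Relevance in Data Lifecycle* |
|---|---|---|
| A. Cryptographic Technologies | Homomorphic Encryption | Data at Rest, Data in Transit, Data in Use |
| A. Cryptographic Technologies | Zero-Knowledge Proof (ZKP) | Data in Transit |
| A. Cryptographic Technologies | Secure Multi-Party Computation (SMPC) | Data in Use |
| A. Cryptographic Technologies | Crypto-Shredding | Data Deletion |
| B. Obfuscation Technologies | Pseudonymisation/Anonymisation | Data in Transit and Data in Use |
| B. Obfuscation Technologies | K-Anonymity | Data in Transit and Data in Use |
| B. Obfuscation Technologies | Differential Privacy | Data in Transit and Data in Use |
| B. Obfuscation Technologies | Data Masking | Data in Transit and Data in Use |
| C. Statistical Technologies | Federated Learning | Data in Use |
| C. Statistical Technologies | Distributed Analytics | Data in Use |
| C. Statistical Technologies | Synthetic Data Generation (SDG) | Data in Use |
| D. Systems-Based and Accountability Technologies | Consent Mapping | Data at Rest |
| D. Systems-Based and Accountability Technologies | Access Controls and Access Monitoring | Data at Rest, Data in Transit, Data in Use |
| D. Systems-Based and Accountability Technologies | Data Dispersion | Data at Rest, Data in Transit |
| D. Systems-Based and Accountability Technologies | Endpoint Event Detection | Data at Rest, Data in Transit, Data in Use |
| D. Systems-Based and Accountability Technologies | Management Interfaces | Data at Rest |
| D. Systems-Based and Accountability Technologies | Data Audits | Data at Rest, Data in Transit and Data in Use |
| E. Miscellaneous Technologies | Confidential Computing | Data at Rest, Data in Transit and Data in Use |
| E. Miscellaneous Technologies | Privacy Enhanced Hardware | Data at Rest, Data in Transit and Data in Use |
| E. Miscellaneous Technologies | Proxy and Onion Routing | Data at Rest, Data in Transit and Data in Use |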

* Note: Some PETs, depending on their capabilities, can be used across multiple stages in the data lifecycle. The
stage mentioned above is where the particular PET is most commonly used.

1.2 Privacy-Enhancing Technologies: A Brief Overview
PETs are a grouping of “systems, processes, and techniques”3 that allows organisations to process data while
adopting a privacy-first approach. According to the Organisation for Economic Co-operation and Development
(OECD), organisations implementing PETs are positioned to derive a high utility level from data while preserving
confidentiality.4 These technologies help demonstrate that PbD is ingrained in organisations’ technical
architecture. PETs, thereby, meet a business’s unique data processing needs and offer end-to-end security across
the data lifecycle. The categories of PETs mentioned under Table 1 are outlined below:

1.2.1 Cryptographic Technologies

Cryptographic tools are some of the oldest forms of PETs. They include an array of methods that can be used at
all stages of the data lifecycle aimed at making the data unintelligible or unusable, without altering the underlying
information. These technologies include Encryption, Secure Multi-Party Computation (SMPC), Zero-Knowledge
Proof (ZKP) and Crypto-Shredding.

1.2.2 Obfuscation Technologies

Obfuscation Technologies include diverse tools and techniques to enhance privacy and security by obscuring
sensitive data and information. Obfuscation refers to adding or manipulating the data to ensure that data de-
identification takes place. Data masking, differential privacy and data anonymisation, among others, are used to
obfuscate sensitive data while maintaining data usability. By applying obfuscation techniques, sensitive information
is concealed or altered in a manner that makes it difficult for unauthorised parties to decipher or exploit,
thereby reducing the risk of privacy breaches or data misuse.

1.2.3 Statistical Technologies

Statistical Technologies, as a category of PETs, use statistical methods to protect privacy in data generation and
processing. By leveraging advanced statistical techniques, these types of PETs reduce the risk of data breaches.
These techniques involve Synthetic Data Generation (SDG) or aggregating sensitive data through Federated
Learning and Distributed Analytics. The usage of these techniques minimises unauthorised access and ensures
that sensitive data remains secure while still providing valuable insights.

1.2.4 Systems-Based and Accountability Technologies

Systems-Based Technologies are a category of PETs that concentrate on enhancing the security and reliability
of system infrastructures.5 They are a broad range of technologies, including hardware and software solutions,
designed to ensure proper oversight for the management, access, transfer and processing of data. Similarly,
Accountability Technologies operate on the principle that data processing should be conducted in a transparent
manner. These technologies not only augment privacy but also ensure that Data Fiduciaries fulfil the due
diligence expected of them throughout the data processing lifecycle.

1.2.5 Miscellaneous Technologies

Certain other technologies are deployed after examining the usage, level of sensitivity,
data access, etc. Notably, such PETs include Confidential Computing, Privacy-Enhanced Hardware,
and Onion Routing. These technologies prioritise security, anonymity, encryption and multi-level privacy. It is
important to recognise their influence in developing a privacy culture.

Considering these categories of PETs, a thorough exploration of the regulatory impact in incentivising PET
adoption will be undertaken. The next section will detail India’s legal and policy approaches that endorse PET
usage. Subsequent sections will provide high-level insights on global regulatory efforts to recognise privacy tech’s
value additions.

2. India-Centric Study on PETs: Legal and Regulatory Developments
The Indian regulatory landscape is governed by a plethora of laws, policies and
guidance that prescribe PET usage for enhanced security across sectors. This
section of the paper discusses key sector-agnostic regulations which endorse
PETs [2.1], highlighting the Information Technology Act, 2000 (IT Act), the
Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the Digital
Personal Data Protection Act, 2023 (DPDPA). Apart from these laws, guidance
released by the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection
Centre (NCIIPC) and the Ministry of Electronics and Information Technology
(MeitY) will be detailed. Additionally, this section delineates the scope of
regulation within specific sectors [2.2], namely, the Banking and Financial Sector,
the Insurance Sector, and the Healthcare Sector.

2.1 Key Sector-Agnostic Regulations


2.1.1 IT Act, 2000

The IT Act was enacted in 2000 and was further amended in 2008. Section
84A6 states that the Central Government may prescribe modes or methods
of encryption for the secure use of electronic mediums and the promotion
of e-governance and e-commerce. However, the National Encryption Policy
of 2015 has been withdrawn and is set to be reformulated. Owing to these
developments, encryption guidelines are currently determined by sectoral
regulators.

Apart from Section 84A, the IT Act does not directly refer to the use of PETs.
However, it provides compensation for failure to protect data due to negligence
in implementing and maintaining “reasonable security practices and procedures”.7
These measures include protecting information from unauthorised access,
damage, use, modification, disclosure or impairment, as may be specified by an
agreement or law.

2.1.2 SPDI Rules, 2011

In the context of key legislative developments that prompted organisations to adopt cybersecurity measures to
safeguard data, the SPDI Rules were indeed significant. The SPDI Rules have been issued under their parent enactment,
i.e., the IT Act. Body corporates are deemed to have complied with the SPDI Rules if they design comprehensive
security programmes that include technical and security control measures to protect sensitive personal data.

Rule 8 mandates body corporates to implement security standards such as IS/ISO/IEC 27001 or best practices
notified by the Central Government. ISO 27001 includes over one hundred controls across categories such
as infosec policies, access control implementation, asset management, encryption, and auditing
requirements, amongst others.8 In case the security practices and standards implemented are not IS/ISO/IEC
international standards, they will be required to be approved and notified by the Central Government.

It also mandates that the practices and standards are audited by independent auditors at least once a year or at
the time of a significant upgrade to its processes. Lastly, this provision adds that a comprehensive infosec policy
contains “managerial, technical, operation and physical security control measures”.9

2.1.3 DPDPA 2023

India enacted the DPDPA in August 2023, which heralded a new era for Data Principals to be in control of
what data is being collected and processed by entities. The SPDI Rules are set to be replaced by the DPDPA,
which expands the scope of regulating data processing activities. To elaborate, while the SPDI Rules’ scope is
limited to governing sensitive personal data, the DPDPA governs the processing of all kinds of personal data.
Further, the SPDI Rules were critiqued for being a well-intentioned yet toothless regulation, as they lacked a
robust enforcement mechanism. On the other hand, violating DPDPA compliance requirements attracts hefty
penalties.10

Taking a leaf from the SPDI Rules, Section 8(4) of the DPDPA11 requires a Data Fiduciary to implement
appropriate technical and organisational measures to ensure effective observance of the provisions
in the Act and the Rules. Furthermore, Data Fiduciaries are now required to determine a lawful basis for
processing personal data either by establishing legitimate usage for data processing or through a consent-
based mechanism.12 Other operational challenges include enabling Data Principals to exercise their rights,
including data updating/rectification, consent withdrawal,13 and grievance redressal.14 Additionally, obtaining
parental consent becomes an implementation challenge when the Data Principal is a minor.15

The DPDPA mandates consent management and robust data governance to protect personal data. Given this,
a Consent Manager plays a crucial role in managing Data Principals’ personal data. The main responsibilities of a
Consent Manager, as highlighted by the DPDPA, include:
• Facilitate Consent: Consent Managers enable Data Principals to give, withdraw, review, and manage
their consent regarding the use of their personal data. They act as a single point of contact for these
activities.
• Registration and Compliance: Consent Managers must be registered with the Data Protection Board
(DPB) to ensure compliance with the DPDPA. This involves adhering to the standards and guidelines set by
the DPB.
• Audit and Accountability: Consent Managers integrate with the DPDPA data governance platform
to provide auditable records of consent provided by individuals, ensuring that all actions related to data
processing are documented and can be reviewed.

The DPDPA thereby introduces concepts such as the ‘Consent Manager’, ‘notice’ and ‘Data Principal Rights’ that
require technical interventions in place to operationalise the law. The law further categorises certain classes of
fiduciaries as Significant Data Fiduciaries (SDF).16 The legislative implications of an entity being classified as an
SDF would entail additional responsibilities to safeguard data, such as appointing Data Protection Officers and
carrying out Data Audits and Data Protection Impact Assessments (DPIA) periodically. This significant piece
of legislation also prescribes adopting reasonable security safeguards and developing data breach mitigation
and incident management strategies. In synthesising these legislative mandates, we have proposed a ‘DPDPA
Compliance: Data Governance Model’ in Annexure 1.

Apart from the aforementioned mandates, it is to be noted that the Central Government has the power
to prescribe supplemental measures an SDF should undertake through notifications or rules.17 At the time
of drafting this paper, the implementation dates of the DPDPA were yet to be notified by the Central
Government. Nevertheless, PETs are set to be widely adopted within domestic and global businesses in India.
Large investments in PETs are anticipated to take place once compliance timelines and a variety of operational
challenges are clarified through delegated legislation.

2.1.4 CERT-In Antivirus Policy and Best Practices

CERT-In issued a detailed policy titled Anti-Virus Policy and Best Practices as a guidance tool for understanding
how to detect, prevent and mitigate risks posed by computer viruses.18 The document highlights the importance
of using various antivirus software, emphasising the need for a multi-layered approach to security. Moreover,
Section 7 of the document provides detailed guidance on integrating antivirus with other tools. Section 8
outlines the recommended best practices for privacy protection. Therein, using Content Filtering Software
while using protocols like HTTP/SMTP/POP3/FTP is suggested to ensure that malicious mobile codes fail in their
attempt to cause virus infection.

2.1.5 NCIIPC Guidelines

The NCIIPC, incorporated per Section 70 of the IT Act, 2000, is designated as the National Nodal Agency for
Critical Information Infrastructure Protection and aims to safeguard important sectors holding
the nation’s critical information.19 The Act further defines Critical Information Infrastructure (CII)
as a computer resource that, if subject to
incapacitation or destruction, would have a “debilitating impact on national security, economy, public health or
safety”.20 The NCIIPC has, thereby, identified the Banking, Telecom, Power, Transportation and Defence sectors
to fall under its ambit.

On 16th January 2015, the NCIIPC released detailed guidelines concerning safeguarding CII from threat actors.21
This document explains a diverse set of countermeasures and mitigation practices CII entities can utilise to
protect themselves from vulnerabilities. The guidelines also detail controls and best practices suited for the
unique needs of each CII sector. They advocate for identifying classified and sensitive data to be protected
through network monitoring for unauthorised data flow, along with many other operation measures that the
sector can adopt to ensure its data integrity. From Chapter 6 onwards, the guidance document details best practices
for sectoral safeguarding. This includes the usage of PETs, such as Role-Based Access and Authentication
Controls, Encryption, Hashed Passwords, Periodic Audits, Whitelisting, and Content Filtering.

Thus, the guidelines require entities to uphold principles of confidentiality, privacy and security
but do not provide specific technical measures to be followed to ensure the same. However,
these guidelines do not apply to all players across sectors, considering the scope of regulation is limited
to CII.

2.1.6 MeitY Cloud Security Best Practices

On acknowledging the variety of benefits offered by cloud computing, MeitY released a guidance document
explaining the need for cloud security.22 It details Cloud Security Design Principles, mentioned in Chapter 4,
through a layered approach towards security, safeguarding data at rest and data in transit. In this document,
MeitY also endorses the adoption of a Zero Trust Model. This model requires strict identity cross-checking for
each device and individual attempting to access resources on a private network.23 It prescribed the usage of PETs
for encryption, including Full Disk Encryption (FDE), Format Preserving Encryption (FPE), and Application
Layer Encryption, amongst others.24 To help manage access to cloud resources securely by end users, Access
Control Security and Identity Management were recommended.

2.1.7 National Cyber Security Policy, 2013

The National Cyber Security Policy (NCSP) framework, created by the erstwhile Department of Electronics
and Information Technology (now renamed MeitY), aimed at protecting private and public infrastructure
from cyberattacks and safeguarding personal information, financial and banking information and sovereign data.25
However, its principles and guidelines are advisory in nature. The NCSP encourages organisations to develop
information security policies integrated with their business plans and implement them as per international best
practices.

These policies also establish standards and mechanisms for secure information flow (in process, handling, storage
and transit), proactive security posture assessment, crisis management and forensically enabled information
infrastructure. However, it is to be noted that the Government is set to withdraw the NCSP and replace it
with an updated version shortly. Senior bureaucrats have stated that the 2023 version of the policy is being
scrutinised by an internal committee and will be made public soon.26

2.1.8 Electronic Consent Framework

This technical framework was released by MeitY to provide guidance for ensuring that the interactions between
a user and service provider can be smooth in terms of providing secure and reliable consent electronically for
data sharing.27 This framework suggests that a consent artefact is used for the sharing of data.

A consent artefact is a machine-readable electronic document that specifies the parameters and scope of data
sharing that a user consents to in any data-sharing transaction, and it shall also contain the digital signature. Data
sharing will only take place after validating the consent artefact and additionally, it shall also include a method to
revoke such consent at a later date. This technology framework is advisory in nature and can be adopted by any
kind of enterprise to allow for smooth management of user consent in a paperless system.
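
The validate-before-sharing and revocation flow described above, as an added example that is not part of the original paper or of MeitY's framework. Field names, the demo key and the in-memory revocation registry are assumptions, and HMAC-SHA256 stands in for the artefact's digital signature so the code runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key. HMAC-SHA256 is a stand-in for the artefact's digital
# signature; a deployment would verify an asymmetric signature instead.
DEMO_KEY = b"constructed-demo-key"


def _canonical(body):
    """Serialise the body deterministically so signer and verifier agree."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(body, key):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def issue_artefact(consent_id, user, data_consumer, data_types, purpose,
                   expires_at, key=DEMO_KEY):
    """Build a signed, machine-readable artefact (field names are hypothetical)."""
    body = {
        "consent_id": consent_id,
        "user": user,
        "data_consumer": data_consumer,
        "data_types": sorted(data_types),
        "purpose": purpose,
        "expires_at": expires_at.isoformat(),
    }
    return {"body": body, "signature": _sign(body, key)}


class RevocationRegistry:
    """Records consent IDs the user has withdrawn after issuance."""

    def __init__(self):
        self._revoked = set()

    def revoke(self, consent_id):
        self._revoked.add(consent_id)

    def is_revoked(self, consent_id):
        return consent_id in self._revoked


def validate_for_sharing(artefact, requester, requested_types, now, registry,
                         key=DEMO_KEY):
    """Return (allowed, reason); data is shared only when allowed is True."""
    body = artefact.get("body") if isinstance(artefact, dict) else None
    signature = artefact.get("signature") if isinstance(artefact, dict) else None
    if not isinstance(body, dict) or not isinstance(signature, str):
        return False, "malformed artefact"
    # Signature first: nothing in the body is trusted until it verifies.
    if not hmac.compare_digest(_sign(body, key).encode(), signature.encode()):
        return False, "signature mismatch"
    if registry.is_revoked(body["consent_id"]):
        return False, "consent revoked"
    if now >= datetime.fromisoformat(body["expires_at"]):
        return False, "consent expired"
    if requester != body["data_consumer"]:
        return False, "requester not named in artefact"
    if not set(requested_types) <= set(body["data_types"]):
        return False, "requested data outside consented scope"
    return True, "ok"


def demo():
    """Run the checks over constructed sample data and return each outcome."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    registry = RevocationRegistry()
    artefact = issue_artefact("c-001", "user-42", "lender-A",
                              ["bank_statement"], "loan underwriting",
                              now + timedelta(days=30))
    results = {}
    results["valid"] = validate_for_sharing(
        artefact, "lender-A", ["bank_statement"], now, registry)
    # Scope widened after signing: the signature no longer matches the body.
    tampered = json.loads(json.dumps(artefact))
    tampered["body"]["data_types"].append("health_record")
    results["tampered"] = validate_for_sharing(
        tampered, "lender-A", ["health_record"], now, registry)
    results["out_of_scope"] = validate_for_sharing(
        artefact, "lender-A", ["health_record"], now, registry)
    results["expired"] = validate_for_sharing(
        artefact, "lender-A", ["bank_statement"],
        now + timedelta(days=31), registry)
    # The user withdraws consent; the same artefact must now be refused.
    registry.revoke("c-001")
    results["revoked"] = validate_for_sharing(
        artefact, "lender-A", ["bank_statement"], now, registry)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```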

2.2 Sectoral Impact on PET Implementation


Certain organisations deal with sensitive data that need additional levels of safeguards in place to protect it from
breaches. These organisations, thereby, must not only abide by the sector-agnostic laws but also their respective
sectoral regulations. For this part of the study, sectors that commonly deal with sensitive datasets were pertinent
to our study. Thereby, the sectoral regulations present in the banking, insurance and healthcare industries are
explored in this section.

2.2.1 Banking and Financial Sector

The Indian banking ecosystem comprises various regulatory bodies for effective governance. Key bodies that
have emphasised PET usage include the National Payments Corporation of India (NPCI), the Reserve Bank of
India (RBI), and the Securities and Exchange Board of India (SEBI). Regulated entities in this sector are often
banking institutions, Non-Banking Financial Companies (NBFCs), Non-bank System Participants (NBSPs), and
Credit Information Companies (CICs).28 Below are the key sectoral PET usage guidelines in the financial sector:

A. NPCI Cybersecurity Defense and Data Privacy

On 31st July 2020, the NPCI, in a press release, highlighted the robust security framework implemented by it in
consonance with the National Institute of Standards and Technology (NIST)’s “Protect, Detect, Respond, Predict
and Recover” methodology.29 The five core cybersecurity functions ensure that a developed cybersecurity
program is robust and holistic, laying the groundwork for effective risk management strategies.

For effective risk management and safeguarding information assets, the NPCI has adopted varying technologies,
including but not limited to, Proxy Servers, Tokenisation and Encryption of sensitive data elements, Deceptive
Technologies (Decoys) for cyber-incident detection, Multi-Factor Authentication, Privileged Identity and Access
Management Solutions, among many others.30

The NPCI’s state-of-the-art Security Operations Centers (SOCs) recently embraced proactive monitoring
and incident detection tools for mitigation, like Zero Trust Architecture, Endpoint Protection and
Network Security Tools.31 Further, the NPCI’s Information Security Strategy32 details multiple security
standards33 and data privacy controls to be adhered to for effective protection.

B. RBI Governance on PETs

Among the regulators, the RBI has particularly championed the cause of releasing guidelines, circulars, advisories
and other references around PETs. The RBI’s watchful eye enables the effective operation of online banking
procedures, key stakeholder obligations and allied matters. Further, the RBI has shown a progressive outlook
towards recommending the general usage of PETs by various players while providing tailored solutions for
specific matters. Some of the notable directions and the relevant PETs they highlight are as follows:

i) Master Direction on Outsourcing of Information Technology Services: The RBI prescribes
Cryptographic Controls and Access Controls for Regulated Entities (REs) to mandate security in
transmission channels, data processing and authentication when dealing with information access.34 In terms
of Access Controls, access must be restricted to a “Need to Know” basis, and where Multiple Service
Provider Relationships exist, Access Monitoring is imperative. In addition, multi-factor
authentication and Role-Based Access are prescribed. In terms of Cryptographic Controls, Isolation of
Regulated Entities’ Data, Encryption Keys and controlled Hardware Keys are prescribed.

ii) Internet Banking-Security Features (Annex II): In this document, the RBI provides technical
features and guidelines for secure and safe internet banking transactions. The RBI, with an aim to promote
PET deployment, mentions specific technologies such as Encryption for all online activity and banking
transactions. Further, a secure Two-Factor Authentication architecture is termed essential to prevent
specific attacks, such as Man-In-The-Middle Attacks, among others. Lastly, Digital Signatures are a secure
authentication mechanism prescribed for critical transactions and online processing.35

iii) Master Direction on Information Technology Governance, Risks, Controls and Assurance
Practices: This Master Direction primarily focuses on IT Governance, IT Infrastructure and Services
Management, Information Security Risk Management and Disaster Recovery Management. It prescribes
Cryptographic Controls in the form of strong key length, algorithms, cipher suites and applicable protocols.
Additionally, specific Access Controls include Need-Based Access and Multi-Factor Authentication for
business IT framework security.36

iv) Master Direction on Digital Payment Security Controls: The Master Direction details best
practices for developing an effective governance structure and implementing security standards for digital
payment products and services. REs must employ Data Masking or Redaction when transmitting Sensitive
Customer Information via SMS or emails. Additionally, REs should implement Multi-Factor Authentication
for payments through electronic modes and fund transfers. Lastly, the direction recommends using
Non-Replicable Authentication Methods. Suggested methodologies include the usage of biometric
authentication, Hardware Tokens, and Public Key Infrastructure (PKI), amongst others.37

v) Master Directions on Prepaid Payment Instruments (PPIs): The Master Direction provides a
framework for authorisation, regulation and supervision of entities issuing and operating PPIs. An important
section of the Master Direction relates to Security, Fraud Prevention and Risk Management Framework.
The Direction calls upon an Issuer to provide a system wherein all wallet transactions involving debit,
including cash withdrawal, shall be permitted only by Two-Factor Authentication.38

vi) Framework for Outsourcing of Payment and Settlement-related Activities by Payment
System Operators: The Framework aims to enact minimum standards to manage risks in outsourcing
payment and/or settlement-related activities.39 Service Providers are instructed to isolate and clearly
identify the PSO’s customer information, documents, records and assets to preserve confidentiality. Further, there
should be strong safeguards, including encryption of customer data, to avoid co-mingling of information.

vii) Master Direction on Information Technology Framework for the NBFC Sector: The
Master Direction aims to enhance protection and productivity for NBFCs and their customers. Regarding
PET implementation, there are three key considerations. Access to information should be based on well-
defined user roles, such as the system administrator. Secondly, a robust PKI must be in place to uphold
confidentiality, data integrity and non-repudiation of transactions. It is also imperative to utilise Digital
Signature Certificates for verification and transactional security.40

viii) Cyber Security Frameworks in Banks: The circular provides an indicative list of requirements
for banks to achieve baseline cybersecurity and resilience. These baseline requirements include periodic
evaluation to integrate risks arising from newer threats, products or processes.41 The circular also gives
equal importance to PET deployment. The framework recommends establishing User Access Controls
and Centralised Authentication to secure access within and outside the bank’s networks by protecting data
at rest. Lastly, necessary controls must be in place so that access to critical systems is granted only through
permitted means, monitored and recorded.

ix) Guidelines on Information Security, Electronic Banking, Technology Risk Management
and Cyber Frauds: The guidelines, issued by the Department of Banking Supervision, provide an all-
encompassing framework for technology risk management, information security, cyber fraud, and planning.
The guidelines prescribe a variety of PET categories, including Cryptographic Controls, Systems-Based and
Accountability Technologies.42 According to the guidelines, banks must utilise a variety of encryption-based
safeguards to ensure that unsecured domains or communications do not prevail. Further, Access Control
policies would actively govern authorisation and network controls. The guidelines categorically highlight
using a Network Intrusion Prevention System (NIPS) to filter all content and supplement the authentication
architecture.

C. SEBI Governance on PETs

SEBI has promoted cyber resilience and policy enhancement primarily among key Mutual Fund Companies and
Portfolio Managers through its various circulars, frameworks, and directions. Many of the issuances are based
on the NIST Cybersecurity Framework. The framework has five critical steps, i.e., Identify,43 Protect, Detect,
Respond, and Recover.44 These steps expound on organisations identifying critical assets and infrastructure
requiring technical and physical safeguards for protection. Having identified and established protective measures
on critical assets, the framework emphasises having round-the-clock alerting mechanisms for providing
immediate information about cyber-attacks. This step paves the way for planning seamless threat mitigation and
response strategies. Lastly, the framework highlights the importance of enhancing organisational cyber resilience
and maintaining operations despite security breaches or cyber incidents. Aligning with this approach, noteworthy
SEBI Frameworks promoting PETs are given below:

i. Cyber Security & Cyber Resilience Framework for Stockbrokers/Depository Participants:
The framework highlights the need to create an all-encompassing cybersecurity and cyber resilience
framework for conducting sensitive functions connected with the securities market. In terms of PET
endorsements, the framework strongly advocates for access controls to achieve access limitation, purpose
definition and duration restriction. The framework, thereby, underscores a “need-to-use basis” approach
for ensuring that the granted access is not unrestricted.45 Secondly, strong authentication mechanisms
must precede access to critical systems, with two-factor security (such as usage of VPNs, Firewall controls,
etc.). Thirdly, the installation of network security devices, such as firewalls, proxy servers, and intrusion
detection and prevention systems (IDS), is essential to protect IT infrastructure. Fourthly, critical data must
be encrypted in motion and at rest by using strong encryption methods. Annexure A lists strong
encryption algorithms (e.g., RSA, AES, etc.). Certain specifications have been made related to software
deployment, with only “hardened hardware/software” being promoted, which reduces exposure. Any
unnecessary services should be disabled on every device. When it comes to the final stage,
i.e., removal of critical data on storage systems and devices, technologies like Crypto Shredding must be
used.

ii. Guidelines for MIIs Regarding Cyber Security and Cyber Resilience: The framework
is geared towards advising Market Infrastructure Institutions (MII) to develop and implement all-
encompassing cybersecurity and cyber resilience frameworks for effectively carrying out sensitive functions
connected with the securities market.46 It recommends data backup encryption to ensure confidentiality
and integrity. MIIs should also have up-to-date Endpoint Detection and Response mechanisms (EDR)
or Endpoint Protection Platforms (EPP). Further, Application Directory Whitelisting is promoted to
restrict the installation of unauthorised software. Multi-factor authentication, access controls and network
segregation are also promoted to contain cyber incidents. Lastly, for effective integration, Privileged Identity
Management (PIM) or Privileged Access Management (PAM) must be in place for all systems and services.

iii. Cyber Security and Cyber Resilience Framework for Mutual Funds/Asset Management
Companies (AMCs): SEBI, through this cybersecurity framework, has sought to regulate Mutual Fund
Management Companies and AMCs. It advises them to develop an up-to-date cybersecurity framework
to safeguard critical operations. The adoption of access controls to prevent misuse of confidential data,
resources, and systems is promoted by the framework. Further, access must be purpose-oriented, with a
pre-defined period and need-to-use basis. Strong authentication mechanisms with two-factor security are
recommended to be deployed in critical systems. Thirdly, critical data must be encrypted in motion and
at rest using strong encryption methods, along with technologies such as crypto shredding, degauss, or
physical destruction.47

iv. Advisory for SEBI Regulated Entities (REs) Regarding Cybersecurity Best Practices: The
framework aims to provide a mechanism for an efficient and effective response to cyber incidents by
REs. REs must implement a secure password policy, including a clause for periodic review of ex-employee
accounts. To this end, password reuse or storage must be banned across multiple accounts. Further, REs
should enable MFA for online facilities, virtual private networks, webmail and accounts that access critical
systems.48 Most importantly, SEBI encourages widely adopting Zero-Trust Models to mitigate insider
threats. Similarly, a ‘least privilege’ approach is a recommended practice as it provides security for both on
and off-premises resources. Lastly, whitelisting ports is critical at the Firewall level.

v. Cyber Security and Cyber Resilience Framework for Portfolio Managers: The Framework
is key for portfolio managers in terms of policy making for ensuring all-round defense against cyberattacks,
response, mitigation and planning. A set of effective PETs has been prescribed, including Access Controls
and Two-Factor Authentication. Concerning access controls, the framework highlights that access must be
for a pre-defined purpose and restricted on a need-to-use basis for a set period. A dedicated Password
Policy must be in place for users seeking system or other access. The policy must specify, among other things,
the period for which a password remains valid, password complexity and the
minimum length. Additionally, user credentials should be stored using secure hashing algorithms.
For data security, strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2,
etc., must be used to safeguard data in motion and at rest. Lastly, only hardened hardware/software should
be deployed, including replacing default passwords with strong passwords and disabling services identified as
unnecessary.

2.2.2 Insurance Sector

The insurance sector has always been data-driven as it collects and processes large amounts of customer data,
from health data to financial data. This data-intensive industry has evolved and adopted modern technology
to improve its operations through data analysis and automation. These practices help grow the industry by
providing an in-depth understanding of customer behaviour, risk prediction and effective market campaigning.

However, the insurance sector contains players at many different levels, thus creating many variations of data
fiduciaries and processors. Third-party Administrators, online and human brokers, contractual agents, and
various other players are involved in the process of policy-buying. All these players handle sizeable amounts of
personal data. Thus, a robust regulatory framework must exist to protect the data during collection, processing
and storage. This section shall identify the current regulations that promote the use of PETs in the Indian
insurance industry.

The key regulator within the insurance industry is the Insurance Regulatory and Development Authority of India
(IRDAI). This body has released various regulations for different players within the insurance market that provide
various measures to maintain the confidentiality of personal data and create security systems to protect the data.
For the purposes of this study, key IRDAI regulations have been bucketed into three major categories:
A. Insurance Sector Player-Specific Regulations
B. Insurance Sector Data Security Practices
C. IRDAI Information and Cyber Security Guidelines, 2023

The first category of regulations is specific to the players in the insurance market such as those entities who
outsource activities or are utilising e-commerce platforms. The second category of regulations looks to ensure
data security in the practices of an insurance provider by taking a policyholder-friendly approach and regulating
insurance record maintenance activities. The last category of IRDAI regulations is the overarching cybersecurity
guideline that is applicable to every significant player in the insurance market, known as the ‘IRDAI Information
and Cyber Security Guidelines, 2023’, which provides directions to maintain information security and privacy. In
this section, each category of these regulations will be studied to identify any prescription of PETs.

A. Insurance Sector Player-Specific Regulations

The IRDAI also mandates regulated entities who outsource their activities to do so only to trusted service
providers who have adequate security policies to protect the confidentiality and security of policyholder
information.49 Another player-specific regulation includes IRDAI’s E-Commerce Guidelines, which apply to
insurance companies and intermediaries who set up an Insurance Self Network Platform (ISNP), i.e., a website
or mobile application, to sell and service insurance products.50

ISNPs are required to maintain internal mechanisms to review, monitor and evaluate controls, systems,
procedures and safeguards to ensure the integrity of automatic data processing systems and data privacy. They
are also required to audit these mechanisms every year. Additionally, they must maintain confidentiality
and prevent the misuse of personal information; have in place measures to ensure privacy; install adequate
systems to avoid the manipulation of records and transactions before commencing operations;
and review and report the safeguards in place to sub-committees of the board of directors for any required
corrective measures.

B. Insurance Sector Data Security Practices

Under this category, key PET-specific guidance includes mandating insurers to maintain total confidentiality of
policyholders’ records unless they are legally required to disclose this information to statutory authorities.51
Further, the IRDAI requires that regulated entities ensure that a system is established within which the policy and claim
records are maintained with adequate security features and that the records (including electronic forms)
about policies issued and claims made in India are stored in data centres located in India.52 According to
IRDAI’s Health Insurance Regulations, insurers, third-party administrators, and network providers must comply
with the data security guidelines prescribed by the IRDAI.53 The only data security guidelines prescribed by the
IRDAI in this case, however, are the Information and Cyber Security Guidelines that will be discussed below.

C. IRDAI Information and Cyber Security Guidelines, 2023

The CS Guidelines54 were notified on April 24, 2023, and replaced the 2017 Guidelines55. They apply to all
insurers, including Foreign Re-Insurance Branches (FRBs) and Insurance Intermediaries regulated by the IRDAI.
However, Insurance Agents, Micro-Insurance Agents, Point of Sale-Persons and Individual Surveyors will not
fall under the ambit of these guidelines. However, the responsibility is placed on insurers to ensure that those
entities follow the minimum-security framework as per the insurers’ board-approved policy.

These guidelines advocate for creating a risk management committee within an organisation through
which an effective data governance framework is designed and implemented. Guidelines also require
organisations to develop Cryptographic Controls and Cloud Security Policies to protect their
information. These guidelines provide varying security measures based on the data classification.

They require confidential and restricted information transmitted outside the organisation to be sent in
encrypted form or via a secured channel. The encryption keys shall be managed and protected
by authorised resources as defined in the Cryptographic Security Policy of the Guidelines. Sensitive Personal
Information shall be accorded the same level of security as confidential information, irrespective of the classification
of such information. Other personal information shall be accorded the same level of security as Restricted
Information, regardless of the classification of such information. Personal data of customers and employees shall
be stored in a secure manner and in accordance with the IT Act.

An organisation’s Cryptographic Controls Policy shall apply to all information systems where information assets
are stored or processed and all communications and network connections that transmit such information assets
which utilise cryptography as a security mechanism. Risk assessments are also required to identify the
needs, methodology, business areas, and usage of encryption or cryptography.

The criticality of the business information handled shall determine the encryption algorithms’ type and
strength. The length of the cryptographic key shall be in accordance with contractual requirements and
regulations. Furthermore, the organisation shall devise encryption and key management procedures in
accordance with the already existing organisation’s information security policy for the following: to encrypt data
in transit, at rest; backup media; to secure key store; to protect encryption keys; to ensure encryption is based
on industry/government standards; to limit access to key stores; key backup and recoverability; and to test these
procedures.

Thus, the adoption of PETs in the sector is still at a nascent stage and guidelines are required to prescribe the
adoption of specific technical measures. The failure to do so will leave the players in the sector to determine the
level of technical security to be adopted in certain aspects of data management and security, thus making user
data vulnerable to unauthorised use and access.

2.2.3 Healthcare and Pharma Sector

The healthcare and pharmaceutical sector in India is grappling with significant volumes of personal data,
necessitating attention to various privacy obligations. Diverse stakeholders, both governmental and private,
contribute to the sector’s landscape, including hospitals, healthcare providers, insurance firms, pharmaceutical
companies, and research and development institutions.

Currently, there exists no dedicated legislation or regulations specifically tailored for governing data management
within the healthcare and pharmaceutical sectors in India. However, concerning data security, three sector-
agnostic regulations discussed in Section 2.1 of this paper are pertinent, namely, the IT Act of 2000, the SDPI
Rules of 2011, and the DPDP Act of 2023.

Notwithstanding the above, spearheading the management of healthcare matters is the Ministry of Health and
Family Welfare (MoHFW). Within this Ministry, regulatory oversight is conducted by bodies like the National
Health Authority (NHA), the Central Drugs Standard Control Organisation (CDSCO), and the National
Council for Clinical Establishments. These authorities deal with different aspects of healthcare, and the NHA
plays a pivotal role in digitization and privacy management of healthcare data.

A. Health Data Security Standards

The basic requirements for security and privacy are prescribed under – “ISO/TS 14441:2013 Health Informatics
– Security and Privacy Requirements of EHR Systems for Use in Conformity Assessment”. The advisory standard
for overall information security management in health is “ISO 27799 Health Informatics - Information Security
Management in Health using ISO/IEC 27002”. Further, the ‘Implementation Guideline: The ISO 27799’ is a basic
advisory standard for security management.

Other security management and standards given by sector-agnostic laws or regulatory/certification bodies,
such as the National Accreditation Board for Hospitals and Healthcare Providers (NABH) should be considered
when designing or implementing health record systems. Further, the EHR standards dictate that all electronic
data must undergo a minimum of 256-bit encryption.56 This encrypted data must employ Secure
Transmission Standards and mechanisms. According to the regulation, protocols such as HTTPS, SSL v3.0,
and TLS v1.2 should be utilised to securely transfer and access health information.

B. Ministry of Health and Family Welfare Regulations

The operational guidelines57 mandated under the Clinical Establishment Act of 2010 stipulate that clinics
must maintain electronic medical records (EMR) in the format and condition specified by the Central or State
Government. This requirement encompasses all clinical establishments, whether public, private, or single-doctor
clinics, with exceptions outlined in the Act. In 2016, MoHFW released updated EHR Standards under the Clinical
Establishments Act of 2010 to standardise the collection and storage of EHR at Local, State and National Levels.
EHR Standards58 state that stringent access controls59 must be implemented for health data, and systems
housing this data must meet requisite architectural specifications.60

The MoHFW released a draft of the Digital Information Security in Healthcare Act (DISHA)61 in 2018 for
public consultation. The DISHA focuses on standardising and regulating processes concerning the collection,
storage, transmission, and utilisation of digital health data, prioritising reliability, data privacy, confidentiality, and
security. Key provisions include anonymisation,62 consent requirements63 ensuring informed and explicit
approval for data use, storage, or disclosure, and de-identification64. DISHA also talks about establishing a
National Digital Health Authority as a statutory body tasked with promoting and adopting e-health standards,
safeguarding privacy and security in electronic health data, and regulating the storage and exchange of Electronic
Health Records.

The MoHFW published a Consultation Paper on the Proposed Health Data Retention Policy.65 The paper
emphasises efficient measures to ensure secure health data retention at the local, State, and Central levels. It
advocates for cloud-based healthcare data-sharing frameworks, incorporating measures such as data
encryption and operational anonymisation. It acknowledges user apprehensions regarding transferring
private and sensitive data to cloud platforms due to associated risks and proposes blockchain-based solutions to
address these concerns. Furthermore, it recommends anonymisation or pseudonymisation as viable alternatives
to data deletion without prescribing specific technologies for implementing these methods.

C. National Digital Healthcare Ecosystem

The National Health Policy66 (NHP) released by MoHFW in 2017 discussed establishing a National Digital
Healthcare Ecosystem (NDHE). The policy aims to create an integrated health information system to enhance
efficiency, transparency, and citizen experience for all stakeholders. This involves establishing a federated
national health information architecture to connect systems across public and private health providers
at state and national levels, aligning with Metadata and Data Standards (MDDS) and Electronic Health Record
(EHR) standards.

In alignment with this NDHE, the National Digital Health Blueprint (NDHB)67 was unveiled in 2019, which
outlines the standards required for ensuring interoperability within the NDHE. The NDHB focuses on a
federated architecture where only a few things will be centralised, and the rest of the system will be
completely decentralised, easing the process of data sharing between various entities. It also contains a standard
for consent mapping68 and data privacy through access control mechanisms,69 as well as measures
ensuring the security of data both in transit and at rest. Additionally, the blueprint addresses vital
aspects such as data immutability and non-repudiation, incorporating features like audit trails to bolster
the integrity and accountability of healthcare data management. The blueprint makes a reference to the EHR
Standards of 2016 for ensuring security and privacy.

Further, the Policy emphasises PbD by highlighting the need for data protection considerations to be made by all
the entities involved in the NDHE. It points out how the federated design of NDHE requires a minimal amount
of personal data to identify and create records of an individual; the unique Ayushman Bharat Health Account
(ABHA) Number is sufficient to create a record of the individual.

D. National Health Authority

The NHA released the updated Draft on National Health Data Management Policy in 2022.70 This policy
establishes a consent framework for the collection, storage, transmission and processing of health data. The
updated version of the HDMP does not explicitly specify any technology for anonymisation. However, it outlines
provisions for sharing de-identified data to support various endeavours such as health and clinical research,
academic studies, archival purposes, statistical analysis, policy formulation, and advancing diagnostic solutions.
Additionally, the HDMP discusses the responsibilities and obligations of Data Fiduciaries collecting health
information and establishes a grievance redressal mechanism for breach of such obligations. Clause 29.5 of the
Policy stipulates that the process of data anonymisation will be determined and communicated by the NHA in
collaboration with MeitY.

The NHA has initiated transformative programs such as the Ayushman Bharat Digital Mission (ABDM)71 and the
Pradhan Mantri Rashtriya Swasthya Suraksha Mission to align itself with the NHP. The NHA plays a crucial role in
creating a robust NDHE. The Privacy Policy under the ABDM is also in consonance with the HDMP. It initiated
the National Digital Health Mission (NDHM),72 which envisions the creation of a Unified Health Interface (UHI)
to facilitate seamless data exchange among diverse stakeholders in the healthcare sector.

E. Non-Governmental Guidelines

Due to a lack of dedicated policies, we at DSCI released the Healthcare Sectoral Privacy in 2021. While these
guidelines underscore adherence to data protection principles prescribed by the Draft HDMP, they primarily
serve as a reference for healthcare service providers, aiming to streamline and bolster privacy practices within
the sector.73

All in all, through this exploratory exercise, we find that numerous regulations across sectors in India
recommend PET usage. The PETs commonly endorsed across all three sectors and the sector-agnostic laws are
encryption, anonymisation and access controls. In the next chapter of the paper, we
conduct the same exploratory exercise in global jurisdictions.

3. Global Trends in Privacy-Preserving and Enhancing Technologies

In this section, we undertake an expansive literature survey to map global
compliance requirements that endorse the usage of PETs. Through this mapping
exercise across select jurisdictions, we envision the benefits to be two-fold.
First, valuable insights into the current trends within the global PET landscape
can be derived. Second, by taking a leaf from the best global practices, sound
recommendations on the way forward for Indian entities can be formulated.

With an aim to explore diverse jurisdictions to obtain balanced viewpoints, this
section seeks to gain insight into recent trends in the PET landscape in the following
regions:
1. Asia: Japan, Singapore, Philippines, South Korea
2. Europe: European Union, United Kingdom
3. North America: Canada, United States of America
4. Oceania: Australia, New Zealand

3.1 Asian Landscape Study on PET Adoption


3.1.1 Japan

PETs, specifically cryptographic and obfuscation technologies, are referenced by
multiple sectoral and sector-agnostic guidance and legislations in Japan. The Act on
the Protection of Personal Information Guidelines (APPI) is the key Japanese sector-
agnostic privacy legislation that mandates businesses to take necessary security
measures while handling personal data.74 These security measures, unlike most
jurisdictions, also apply to anonymised and pseudonymised personal data.

The Personal Information Protection Commission Secretariat (PIPCS) of Japan has
released a report to assist accredited organisations in setting policies and standards
while handling and creating anonymously processed data.75 The report notes the use of
cryptography and hash functions for data anonymisation. Specifically, the hash functions endorsed by the
Government of Japan’s Cryptography Research and Evaluation Committees (CRYPTREC) were recommended
for this purpose. In addition to cryptography, data swapping, noise addition, top-bottom coding, generalisation,
randomisation, and k-anonymity were listed as appropriate techniques to anonymise data.

In terms of sectoral guidance, the Bank of Japan’s 2023 report explores the benefits of utilising PETs in digital
currencies.76 The report proposes PETs including k-anonymity, Differential Privacy and Trusted
Execution Environment (TEE) for securing digital payments. It also suggests using homomorphic
encryption in combination with secret computation to add layers of safeguards while handling bank
customers’ data.

3.1.2 Singapore

The key legislation that governs personal data protection in Singapore is the Personal Data Protection Act
(PDPA). The PDPA mandates organisations to make “reasonable security arrangements” to protect personal
data from unauthorised processing.77 Additionally, the enactment establishes the Personal Data Protection
Commission (PDPC), which has the power to issue advisory guidance vis-a-vis interpreting provisions of the
PDPA.

The PDPC has clarified select topics referenced by the PDPA through its guides and advisories.78 Concepts
surrounding handling access requests79 and strengthening ICT systems80 have been deliberated by the PDPC to
enhance data protection measures. The ICT systems report has advocated for network segregation and
using endpoint security solutions, web proxies and web application firewalls to defend entities
against malware, SQL injection and XSS attacks.81 The report also lays strong emphasis on encryption. This
includes full disk encryption, virtual disk encryption, volume encryption, file/folder encryption and application-
level encryption. For remote access, 2FA, in addition to encryption, is put forward by the report.

A common theme across PDPC guidance and advisories is the use of encryption to prevent unauthorised
access. The PDPC’s Advisory Guidelines on PDPA key concepts, for instance, suggest encrypting personal data.
Additionally, the report recommends adopting access control measures to mitigate data breaches.

Singapore is an especially noteworthy jurisdiction as it has adopted an approach to balance data privacy measures
while meeting business requirements. For instance, if entities require utilising aggregated data to perform data
analytics or require storing data beyond the retention period, the PDPC recommends anonymising such
data.82 Similarly, for testing purposes, the PDPC suggests generating Synthetic Data from production data to
avoid exposing personal data to production environments.

Apart from the aforementioned PDPA and advisories, trends in PET uptake in Singapore can be corroborated
through the Singapore Centre for Research in Innovation, Productivity and Technology (SCRIPT)’s focus on
developing scalable PETs.83 SCRIPT’s research activities are funded by the InfoComm Media Development
Authority (IMDA) and the National Research Foundation (NRF)’s USD 15.3 million grant.

3.1.3 Philippines

The Data Protection Act of 2012 (DPA) and the National Privacy Commission (NPC) of the Philippines have
recommended the usage of PETs in multiple circulars, advisories and guidelines. Section 28 of Implementing
Rules and Regulations of the DPA states that encryption of data is essential during transmission, storage,
or processing, whether it is at rest or in transit, especially in the context of government emails and portable
media.84 Circular 16-01 recommends Advanced Encryption Standard with a key size of 256 bits (AES-256) as
the most effective standard.85

The NPC recommends the implementation of access control policies through physical and technical
security measures for off-site and online access to personal and sensitive information.86 Additionally, NPC
circulars state that user authentication should comprise reasonably secure methods of assigning and
selecting passwords, or the use of unique identifier technologies, such as biometrics or token devices.87 A
comprehensive Privacy Toolkit has also been created by the NPC to assist organisations in meeting their
privacy obligations, setting out expectations around the format of DPIAs and data protection standards to be
implemented.88

On the note of the health sector specifically, encryption has been mandatorily prescribed for personal data
processing during public health emergencies using Advanced Encryption Standards.89 If such data is to be used
for research, it should be in the form of aggregate, pseudonymised, or anonymised data.

3.1.4 South Korea

South Korea enacted the Personal Information Protection Act (PIPA)90 in 2011 and recently amended it in 2023.
It regulates any entities that collect, use, disclose, and process personal data. These regulations have prescribed
the use of PETs to ensure data security and privacy throughout the lifecycle of personal data. The Act requires
personal information controllers to take necessary steps, such as encryption, to process personally identifiable
information91.

The PIPA prescribes the processing of personal information through anonymisation, where possible or
otherwise, through pseudonymisation.92 The Act also recognises the need to establish technical and
managerial measures by adopting internal management plans and maintaining access records93
to ensure that personal information is not lost, stolen, forged, altered, and other such harms. Further, if an
organisation intends to process pseudonymised information, it must prepare and retain records94 of such
processing details.

Along with PIPA, South Korea has enacted various other sectoral laws, such as the Act on Use and Protection of
Credit Information95 (UPCIA) and the Enforcement Decree of the Act on the Protection and Use of Location
Information96 (Location Information Act) that prescribe the use of PETs. The UPCIA requires credit information
companies to adopt encryption measures when credit information is shared with trustees.97 It also requires
them to store additional information for pseudonym processing separately98 and maintain access
records99 to protect pseudonymised personal credit information from illegal access. Lastly, any transfer of credit
information must always be delivered in a pseudonymised or anonymised state.100

The Enforcement Decree on the Location Information Act prescribes the application of encryption101 for
storing and transmitting location information through communication networks to prevent leakage, hacking, etc.
Furthermore, it requires the installation of firewalls and security programs102 to prevent illegal access to
location information systems and the identification and accreditation of authorities103 to provide access
to the systems while also maintaining automatic recording of access104 to the system.

The PIPA has established the Personal Information Protection Commission, which has issued guidelines such
as the Pseudonym Information Processing Guidelines105 and the Biometric Protection Guidelines.106 The
Financial Services Commission has also created a Handbook on the Pseudonymisation and Anonymisation of
Personal Data in the Financial Sector.107 These guidelines provide sector-specific requirements and clarity on the
implementation of such technical measures. Key requirements detailed in the guidelines include the appointment
of a person in charge of access control to information, establishing duty management systems and external
hacking prevention, and implementation of procedures for the safe storage of encryption keys.

3.2 PET Trends in Europe
3.2.1 United Kingdom (UK)

Regulatory trends in PET usage in the UK can be primarily reflected in the UK General Data Protection
Regulation (GDPR) and its supplementary recitals108 on the controller and processor’s data security obligations.
One of the suggestions is to employ technical measures such as pseudonymisation and encryption of
personal data.

To expand on implementing encryption, the UK Information Commissioner’s Office (ICO) recommended
that organisations select the right algorithm, key size, and software.109 The UK Anonymisation Network, a best
practices consortium set up by the ICO, has formulated checklists for organisations to effectively undertake
anonymisation by evaluating the data involved and the context in which it is to be used.110 With specific
reference to Cloud Security, the National Cyber Security Centre (NCSC) of the UK has recommended using
encryption, network protection and authentication.111 In addition to this, the NCSC has highlighted
principles for implementing zero-trust architecture in enterprise environments,112 and for organisations to
gain and maintain control of their supply chains.113

In 2023, the ICO released guidance on PETs to provide Data Protection Officers and researchers with a
holistic and comprehensive view of Homomorphic Encryption, SMPC, ZKP, Federated Learning,
Synthetic Data, TEE and Differential Privacy.114 The associated risks and benefits accompanying each
PET are examined in the report. In addition to the aforementioned PETs, the report recommends establishing
access controls and monitoring, carrying out data protection impact assessments and auditing
to comply with the UK GDPR and sectoral laws.

The importance of encryption was further demonstrated in the Investigatory Powers Act 2016 and
Regulation of Investigatory Powers Act 2000. According to these enactments, law enforcement and investigation
agencies must obtain approval from a Judicial Commissioner if they require access to encrypted information.

Lastly, the Centre for Data Ethics and Innovation (CDEI) of the UK underpins PETs as enablers of privacy and
confidentiality. To this end, an interactive adoption guide was released by the CDEI, which focuses on Encryption,
De-identification Techniques, TEE, SMPC, Differential Privacy, and Federated Learning.115

3.2.2 European Union (EU)

The EU GDPR, considered to be one of the most robust data protection regulations in the world, has given rise
to a plethora of legal obligations to entities processing and handling data. A key ripple effect of this regulation
was that organisations began to significantly increase investments in updating their technical systems and security
measures. PET adoption in the EU, thus, enabled entities to meet compliance needs under the GDPR. It is worth
noting that Encryption is explicitly mentioned as a possible technical and organisational measure to secure
data, under Article 31(1) of the GDPR.

A variety of PETs have been highlighted amongst various bodies in the EU. For instance, the European
Union Agency for Cybersecurity (ENISA) has identified and recommended cryptographic methods such as
encryption, hashing, digital signing and authentication in the context of securing personal data,
briefly delving into the appropriate use of cryptographic primitives.116 Additionally, any protocols developed in
the future must consider algorithmic agility, simplicity, potential for upgradation and secure version negotiation.117
Further, the European Commission, in a 2015 regulation, adopted an electronic identification scheme that sets
out specifications for technologies to be used for authentication for different assurance levels.118

In February 2024, the European Parliament amended this regulation, manifesting the EU Digital Identity Wallet,
a cross-border interoperable identity and credential infrastructure centred around selective disclosures and
unlinkability.119 For electronic attestation of attributes, the European Telecommunications Standards Institute
(ETSI), an independent standard-setting organisation, has examined the efficacy of a variety of signature
schemes, credential formats and zero-knowledge proofs and recommends the use of ISO mDL and/
or SD-JWT for eIDAS2 compliance.120 At the same time, ETSI has recognised that other organisations may
benefit from the use of non-approved technologies, such as the BBS signature scheme, as well as those protocols
developed with specific use cases in mind (e.g. zk-SNARK for blockchain-based cryptocurrencies).

In 2014, Article 29 of the Working Party on Data Protection highlighted technical methods for anonymisation
through noise addition, permutation, differential privacy, aggregation, k-anonymity, l-diversity
and t-closeness.121 Post the enactment of GDPR,122 ENISA has also explored technical methods for achieving
the recognised practice of pseudonymisation, comprising advanced solutions for complex scenarios based on
asymmetric encryption, ring signatures and group pseudonyms, chaining mode, pseudonyms based on multiple
identifiers, pseudonyms with proof of knowledge and secure multi-party computation.123

The EU has also collectively moved to rein in statistical and newly emerging technologies like federated learning
and artificial intelligence. In order to promote training, testing and validation of machine-learning models, the
European Data Protection Supervisor (EDPS) has compiled a dashboard on federated learning, synthetic
data, and metaverse, among other topologies, which monitors region-wise publications in the fields and EU-
funded projects.124 One such project is Confidential6G, which has been tasked with developing tools, libraries,
and blueprints to ensure confidentiality in 6G networks, using post-quantum and privacy-preserving
cryptography, confidential computing, and confidential communication.125

Further, ETSI has expanded on Permissioned Distributed Ledger-based federated data management
architecture, suggesting operational guidelines for using proxies and developing nodal capacities to resolve its
challenges.126 Similarly, an EU cybersecurity certification scheme on Common Criteria (EUCC) has also been
adopted to certify infrastructural components. A voluntary scheme, it allows ICT suppliers desirous of
showcasing proof of assurance to go through a commonly applicable assessment process to certify ICT products
such as hardware and software.127

3.3 North American Guidance on PET Usage


3.3.1 Canada

Regulatory guidance surrounding PETs in Canada is primarily offered by the Office of the Privacy Commissioner
(OPC) and Canada’s federal data privacy legislation titled the Personal Information Protection and Electronic
Documents Act (PIPEDA). Principle 7 of PIPEDA mandates organisations to implement appropriate safeguards
to protect data. To this end, the usage of technological measures such as encryption is highlighted. The
Safeguards Principle includes carefully disposing of and destructing personal data to prevent unauthorised access.
Although the provision does not refer to any particular PET, usage of PETs (for example, crypto shredding)
becomes an imperative means to comply with this requirement.

While PIPEDA provisions are legislative mandates, it is to be noted that OPC publications only offer guidance
and recommendations for operationalising federal law. It is also observed that most OPC publications stem from
the privacy principles outlined in the PIPEDA. For instance, the OPC in its “Privacy Guide for Business” published
in 2020,128 recommended using technological tools such as encryption and firewalls to comply with PIPEDA.
The guide also illustrated appropriate security safeguards including conducting regular security audits and
establishing access controls.

The OPC’s 2017 report on PETs shed light on a variety of tools and techniques in the market to protect
individual privacy. The report, however, categorically refrained from recommending the usage of any particular
PET. Nevertheless, the OPC report outlined the benefits of using anonymisers, endpoint event
detection and access control technologies.129 To continue tracking developments in the PET landscape,
the OPC’s informal blog post forums explored the usage of federated learning, differential privacy,
homomorphic encryption and SMPC.130

3.3.2 United States of America

A significant observation specific to the PET trends in the USA is that cryptographic technologies have
been widely endorsed by various regulators. To illustrate this claim, the Federal Trade Commission (FTC)
of USA reiterated the importance of encryption vis-a-vis data in transit in its guidance on Standards for
Safeguarding Customer Information.131 Further, the National Institute of Standards and Technology (NIST), in
its Privacy Framework Core132 and Cybersecurity Framework133 endorsed the usage of privacy-preserving
cryptography and encryption for data at rest and data in transit. To supplement the NIST Cybersecurity
Framework with relevant examples, encryption, digital signatures, and cryptographic hashes were recommended
to secure the confidentiality and integrity of data.134 Lastly, cryptographic protocols such as Transport Layer
Security were endorsed by the NIST to provide network security for communications and online transactions.135

In terms of sectoral guidance, PET trends are observed especially within the healthcare sector. For example, the
Security Standards for the Protection of Electronic Protected Health Information mandates entities to establish
encryption and decryption mechanisms when handling electronic protected health information (ePHI).136
Similarly, the USA’s key legislation governing health data protection titled the Health Insurance Portability and
Accountability Act, establishes de-identification standards to safeguard patient privacy under Section
164.514.137

As for de-identification in the context of sector-agnostic regulations, the California Consumer Privacy
Act (CCPA) mandates organisations to implement technical safeguards that prohibit re-identification of
consumer data.138 It is worth noting that the CCPA has been lauded for its catalysing effects in bringing about
PET adoption.139 On a similar note, the NIST Privacy Framework advises organisations to build in disassociated
processing through de-identification, privacy techniques, and tokenisation into their risk strategy.140
Considered a more mature version of identification,141 Differential Privacy has also been utilised by
commercial142 and government143 actors within the USA.

3.4 Oceania Regulatory Endorsements of PETs


3.4.1 Australia

The Office of the Australian Information Commissioner (OAIC) is the key regulatory authority in Australia that
provides guidance on privacy and information rights. The OAIC, in its 2021 consultation paper on the National
Health Privacy Rules, has noted the merit of utilising PETs. From a sectoral perspective, the PET advancement
within the Australian healthcare ecosystem has enabled “large human service datasets from multiple different
sources to be linked together to produce insights while preserving the privacy of individual subjects”.144

Baseline data protection safeguards across sectors are accorded by the Australian Privacy Principles (APPs)
enlisted in the Privacy Act. Under Chapter 11, entities under APP must take reasonable steps to secure the
personal information they hold.145 This includes taking necessary steps to destroy or de-identify personal
information when it is no longer required unless retained for lawful purposes. While this provision does not
refer to any particular PET, anonymisation and cryptographic technologies, amongst other PETs, are commonly
employed to comply with this mandate. In fact, the OAIC refers to encryption, network security, access
security and monitoring controls, and audit trails as key strategies organisations can take to comply
with the Privacy Act.146

Apart from the OAIC, the Australian Law Reform Commission (ALRC) has undertaken an expansive study to
operationalise key privacy legislations. ALRC has urged the OAIC to publish educational material on technologies
that exhibit functionalities that PETs offer.147 The ALRC has acknowledged the importance of PETs in imbibing
PbD principles. Specific PETs referenced in the report were asymmetric and symmetric encryption systems
used conjointly with hash functions and federated identity systems to keep personal data disclosure at a
minimal level.148

3.4.2 New Zealand

The framework surrounding privacy-enhancing techniques has been fleshed out substantially through thirteen
privacy principles delineated by the primary regulatory authority, the Office of the Privacy Commissioner (Te
Mana Mātāpono Matatapu) in the Privacy Act, 1993.149 In order to operationalise these principles, a Privacy
Impact Assessment (PIA) Handbook has been published, especially for the benefit of projects or enterprises
with technological elements. The handbook establishes a stepwise assessment framework for privacy
responsibility, through which responses to data risks should consider PETs such as encryption, access levels, and
anonymisation.150

In February 2024, the Privacy Commissioner released detailed guidance on the mitigation of risks by
ensuring encrypted communication channels within and outside of enterprises, encryption for storage
and transmission of data and use of cryptographic tokens such as ZKPs for authentication.151 The
document also suggests enhancing unlinkability and anonymisation of data to meet purpose limitation
requirements, and masking video footage collected from CCTVs to fulfil the data minimisation principle.
In addition to this, the official data agency of New Zealand, Stats NZ, has recommended specific methods
to achieve data anonymisation or pseudonymisation based on corresponding use cases. These include
perturbation, aggregation, suppression, limiting data access and synthesizing synthetic unit record
files (SURFs) and confidential unit record files (CURFs) for general publication.152

Thus, in this chapter, we analysed the trends in the adoption of several critical technologies, including
Cryptographic Technology, Obfuscation Technology, Statistical Technology, and Systems-Based and Accountability
Technology in ten diverse regions. The primary objective was to identify regulatory endorsements that are
specific to each jurisdiction. Through this analysis, we gained insight into the regulatory landscape of each region
and the factors that influence PET adoption. In the final chapter, we will provide a summary of our findings and
chart out key recommendations.

4 Conclusion

Through this paper, an extensive study has been conducted, which involved tracking
regulatory developments across key sectors in India, as well as ten diverse global
jurisdictions. The discourse centred around regulatory changes in India for PET
adoption in areas such as banking, insurance, healthcare, and pharma.

In the final section of this paper, key observations and insights gained from this
study are presented. Based on this exploratory exercise, we have also provided
recommendations that we believe can help government and industry stakeholders
navigate the changing regulatory landscape effectively. We hope our research will
prove valuable for those looking to make informed decisions in their respective
industries.

4.1 The Role of Global Regulators and Cultural Variance in PET Uptake

Several regulators from the Global North acknowledged the need to enable
regulations to encourage PET uptake in the 1990s. Countries in the Global South,
like India, however, only recently caught up with the global regulations. By the
2010s, however, jurisdictions from the Global North as well as the Global South
had battened down the hatches with a laundry list of compliance requirements that
proposed technical interventions.

The primary reason for this development could be attributed to the proactive role
specialised regulators play in mandating PETs for legal compliance. Table II depicts
the year in which specialised sector-agnostic bodies were established to safeguard
data privacy at a national level. With the Central Government of India yet to notify
the date to establish the Data Protection Board of India, we can anticipate the
adjudicatory body to clarify PET usage through its forthcoming orders and with the
expansion of the Indian privacy jurisprudence.

Table II:

| Region | Country/Union | Regulator for Data Protection | Year of Formation |
|---|---|---|---|
| Asia | India | Data Protection Board of India | TBD |
| Asia | Japan | Personal Information Protection Commission Secretariat | 2016 |
| Asia | Singapore | Personal Data Protection Commission | 2013 |
| Asia | Philippines | National Privacy Commission | 2016 |
| Asia | South Korea | Personal Information Protection Commission | 2011 |
| Europe | United Kingdom | Information Commissioner’s Office | 1984 |
| Europe | European Union | European Data Protection Board | 2018 |
| North America | Canada | Office of the Privacy Commissioner | 1997 |
| North America | United States of America | Federal Trade Commission* | 1914 |
| Oceania | Australia | Office of the Australian Information Commissioner | 2010 |
| Oceania | New Zealand | Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu) | 1993 |

* As proposed by the Draft American Privacy Rights Act, 2024.

It should also be noted that privacy cultures vary across regions.153 Even within the same region, privacy
cultures vary depending on the respective countries’ level of technological advancement and the scale at which
businesses undertake data processing activities. Literature on global data protection laws also demonstrates the
existence of dichotomous cultural attitudes towards privacy.154 This dichotomy is reflected in individualism, which
dictates Western countries’ privacy cultures. On the contrary, collectivism dominates and influences East Asian
privacy attitudes.155

These cultural leanings also delineate regulatory dimensions, as reflected in Table II and Chapter III. For
instance, the Western countries explored for the purposes of this study are observed to have set up dedicated
data protection regulators in the 1900s. In the case of the EU, however, the EDPS replaced the European Data
Protection Supervisor, which was formed in 2004. Individualistic privacy cultures in these countries signify their
sensitivity towards individual-level privacy controls, as reflected in multiple regulations’ PbD endorsement.

Collectivist countries, on the other hand, are characterised by a tightly knit social fabric. Research suggests
that these cultures tend to display sensitivity towards social groups’ privacy. Interestingly, studies reveal that
Indian privacy attitudes are more willing to disclose personal information to the government and employers
than most individualistic cultures.156 This cultural variability indicates the need for robust and comprehensive
measures to regulate Indian data principals’ data processing activities undertaken by the government and
employers. In the upcoming rules that accompany the DPDPA, operational guidelines that allow state entities
to engage in necessary data collection activities are recommended to balance privacy with effective governance
considerations.

4.2 Key Cross-Sectoral Trends and Observations


In the case of most businesses within India, sector-agnostic as well as sectoral laws guide cybersecurity and cyber
hygiene practices. On collating numerous sector-agnostic and sectoral laws, we have found that
every sector-agnostic law and all three sectors have endorsed the usage of Encryption and
Access Controls. Apart from Encryption and Access Controls, Technology-Neutral specifications,
Data Audit, and Management Interface requirements are recurringly mentioned. Our findings have
been presented in Tables III and IV.

Table III:

| Sector Agnostic Legal Framework | Key PETs/Technical Measures Endorsed |
|---|---|
| IT Act, 2000 | Encryption; Access Controls; Reasonable Security Practices |
| SPDI Rules, 2011 | Encryption; Access Controls; Data Audits; Technical and Security Control Measures |
| DPDPA, 2023 | Consent Mapping; Management Interfaces; Data Audits/DPIAs; Technical and Organisational Measures |
| CERT-IN Anti-Virus Policy and Best Practices, 2005 | Endpoint Event Detection |
| NCIIPC Guidelines | Encryption; Access Controls; Hashed Passwords; Data Audits; Endpoint Event Detection |
| MeitY Cloud Security Best Practices, 2020 | Encryption; Access Controls; Management Interfaces |

Legend (colour categories): Cryptographic Technologies; Systems-Based and Accountability Technologies; Technology-Neutral Requirements

Additionally, findings from cross-sectoral research have been synthesised below in Table IV. Studying key
regulatory mandates and best practices reveals that the Banking and Financial Sector is the most regulated
of the three. Strict regulation within this sector is primarily due to the expansive mandates released by the
RBI and SEBI. Further, as revealed below, these regulators have routinely endorsed the use of Cryptographic
Technologies and Systems-based and Accountability Technologies.

Table IV:

| Sectoral Legal Frameworks | Key PETs/Technical Measures Endorsed |
|---|---|
| Banking and Financial Sector | Encryption; Hash Function; Crypto-Shredding; Multi-Factor Authentication; Access Controls; Management Interfaces; Endpoint Event Detection; Proxy; Data Masking; Reasonable Security Practices |
| Insurance Sector | Cryptographic Controls; Encryption; Access Controls; Management Interfaces; Adequate systems and security features to avoid the manipulation of records and transactions |
| Healthcare and Pharma Sector | Encryption; Pseudonymisation/Anonymisation; Access Controls; Consent Mapping; Data Audits; Federated Learning; Ensure security of data both in transit and at rest |

Legend (colour categories): Cryptographic Technologies; Obfuscation Technologies; Systems-Based and Accountability Technologies; Statistical Technologies; Miscellaneous Technologies; Technology-Neutral Requirements

Despite having less stringent regulations than the Banking and Financial Sector, the Healthcare and Pharma
Sector is observed to recommend the usage of the most diverse set of PETs. Additionally, the Healthcare
Sector especially focuses on the usage of Obfuscation Technologies such as Anonymisation and
Pseudonymisation for health data security.

We also find that, apart from endorsements of specific PETs, the usage of PETs has been indirectly
referenced through technology-neutral requirements across all three sectors. Technology-neutral regulatory
recommendations are especially favourable, as they give each regulated entity ample room to procure and
implement PETs that meet its unique business and regulatory needs.

4.3 Cross-Sectoral and Cross-Jurisdictional Regulatory Challenges
As observed from the foregoing, the overlap of several sectoral laws and cross-jurisdictional regulations adds
to compliance challenges. For instance, the EU GDPR and the UK’s International Data Transfer Agreement and
Guidance mandate entities to implement technical and/or contractual measures before transferring data. In
terms of sector-specific global regulations, the USA’s HIPAA provides that entities must ensure that additional
security measures are taken while transferring ePHI across borders. Even within India, we observe that there are
numerous sectoral regulations governing EHR transfers.

While comprehensive and robust regulations are a step in the right direction to foster consumer trust and
ethics-driven practices, there still exists a substantial gap in terms of how Data Fiduciaries should operationalise
regulatory mandates across sectors and jurisdictions. Thus, the evolving landscape of legal compliance, coupled
with new avenues for cyber threats, has led to uncertainty in terms of harmonising diverse regulatory mandates.

It is worth mentioning that operationalising legal requirements and PbD principles is a sizeable investment,
because entities must develop internal technology stacks or software to create unified audit trails,
build data inventories and implement robust technical controls. Keeping these considerations in mind, a sense of
foreboding has emerged even amongst start-ups and small to medium-scale businesses, which face the unique
challenge of grappling with compliance requirements while lacking abundant financial, technical
and human resources.

4.4 Strategic PET Investment for DPDPA Compliance


The ubiquitous reach of the DPDPA impacts all entities within the digital economy. Industries, irrespective of
their size and annual turnover, are brought within the mandate of the law. In studying the DPDPA, we have
found that the law primarily mandates the usage of Systems-Based and Accountability Technologies,
which include Consent Mapping, Consent Management Interfaces, Data Audits and
DPIAs. With this significant legal development, industries are advised to earmark an appropriate sum from their
annual budget to invest in PETs.

While certain classes of Data Fiduciaries, such as start-ups and hospitals, have been promised exemption
from certain provisions of the DPDPA, the scope of such exemptions remains uncertain. Similarly, while the
Central Government promises longer implementation timelines for certain Data Fiduciaries, at the time of
releasing this paper, no particular timeline has been announced by the Central Government to comply with the
DPDPA. In view of these developments, we recommend that entities prepare early and recognise the
value that PETs add to their DPDPA compliance journeys.

Keeping these compliance challenges in mind, we recommend that any supplementary DPDPA obligations laid
on SDFs be in line with global standards and the existing sectoral framework. Taking a leaf from all three
sectors analysed for the purpose of this study, we recommend that forthcoming rules under the DPDPA that clarify
operational considerations endorse technology-neutral best practices, giving organisations leeway to
select PETs that align with their cross-jurisdictional and cross-sectoral legal considerations.

4.5 Balancing Compliance and Innovation: The Road Ahead


Requiring organisations to meet multifarious legal and technical requirements would have detrimental effects
on the economy. Entrepreneurs would be disincentivised from taking business risks after factoring in the investment
required to comply and the penalties for non-compliance. Further, global companies would be hesitant to
expand their operations in India if operational roadblocks became onerous and challenging. While legal
compliance indeed plays a key role in regulating data processing activities, it should not come at the cost of
innovation and progress.

Additionally, several organisations, be it through risk-based assessments or operational assessments, require a
variety of PETs to meet multifarious business objectives. Non-prescriptive operational requirements, thereby,
position regulators to effectively balance privacy considerations alongside the ease of doing business in India.
With this approach, businesses can operate with minimal compliance roadblocks while safeguarding privacy.

Lastly, a ripple effect of the various sectoral and sector-agnostic data protection regulations calls for organisations
to modify their technical architecture significantly. Therefore, in view of the current state of regulations, be it
sectoral or sector-agnostic, domestic or global, we anticipate a sharp increase in the adoption of PETs across
entities in India. The anticipated surge in PET adoption especially holds true for Indian entities that lack prior
experience navigating legal and regulatory frameworks. Thus, as several Indian Data Fiduciaries are at a nascent
stage vis-a-vis PET usage, we advocate for a privacy-first model to be adopted.

Moving away from compliance issues, PET-enabling regulations only partially solve the issue of establishing a
holistic privacy culture within organisations. While the PETs discussed in this paper play a critical role
in mitigating data security vulnerabilities, they are not sufficient on their own. Holistic privacy cultures can
be formed by an inherent organisational mindset shift in addition to deploying PETs. This mindset shift includes
viewing privacy as a unique market differentiator rather than reducing it to a mere compliance checklist.
Developing these notions ingrains privacy into the ethical cornerstones of an organisation, making entities stay
true to the term Data Fiduciary.

Annexure I
DPDPA Compliance: Data Governance Platform
Forming a robust Data Governance Platform is a key preliminary step Data
Fiduciaries must take to consolidate all compliance requirements introduced by the
DPDPA. This platform enables all key governance tasks to be undertaken in a single
platform, thereby reducing administrative and operational friction. A comprehensive
platform provides augmented support throughout DPDPA compliance journeys and
encapsulates the following governance dimensions:

• Identify all the critical Personally Identifiable Information (PII) data fields across
all their applications, databases, and other data repositories. By identifying PII
flows, organisations are better positioned to delineate the scope of data that
must be addressed from a DPDPA compliance standpoint;

• Design internal compliance policies by identifying all PII data fields. Further,
Data Protection Rules can be set to supplement the internal policies;

• Consolidate continuous data audits to ensure that internal data protection
policies and rules are being adhered to;

• Monitor breach management workflow;

• Respond to DPDPA breaches, which involves informing the particular Data
Principal, the DPB and sector-specific regulators.

Key Capabilities of a Data Governance Platform for DPDPA Compliance
Through a Data Governance Platform, Data Fiduciaries seek to benefit from the following capabilities:

1. Auto Data Discovery

• Need: Identify all personal data across all applications and databases within the organisation. Additionally,
map all personal data that is shared across organisations.

• Implementation: Utilise automated tools to scan databases, servers, and other data repositories to
locate personal data. Automation is recommended to ensure thorough accounting in all fields. This activity
must be repeated every time there are changes to data sources. Therefore, automating it streamlines
compliance efforts and improves accuracy.

2. Data Inventory Creation

• Need: Maintain an up-to-date inventory of all personal data.

• Implementation: Develop a comprehensive data inventory that details data sources, types, usage, and
storage locations. This will help create a holistic picture of PII data distribution across the organisation.

3. Auto Data Classification

• Need: Categorise data based on type, sensitivity, and usage.

• Implementation: Implement automated classification systems to label data according to predefined
categories, balancing technology-based decisions with user insights.

4. Data Accuracy

• Need: Ensure the correctness and completeness of personal data.

• Implementation: Regularly verify and update data to maintain accuracy. This can be done through
validation processes and consistency checks.

5. Data Minimisation

• Need: Limit data collection to what is necessary for specific purposes.

• Implementation: Implement policies and systems that restrict data collection and retention to the
minimum necessary and regularly review and delete unnecessary data.

6. Data Audits

• Need: Conduct regular reviews to ensure compliance with data protection policies.

• Implementation: Establish periodic audit schedules, leveraging automated tools to detect non-
compliance and areas for improvement.

7. Data Breach Management

• Need: Respond effectively to data breaches to mitigate damage and notify affected parties.

• Implementation: Develop an incident response plan that includes detection, containment, eradication,
recovery, and communication steps.

8. Data Protection

• Need: Meet DPDPA’s legal mandates to safeguard personal data and to build customer trust.

• Implementation: Through the usage of PETs, such as encryption, data masking and allied techniques,
data protection can be enforced during data transit, data at rest and data in use.
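
The sketch below shows how capabilities 1 to 3 (discovery, inventory creation and classification) can fit together in one scan. It is an added example, not code from this paper or from any DSCI or Aldefi product; the regex detectors, sensitivity labels, column-name hints and the in-memory SQLite database are simplified, constructed assumptions.

```python
import re
import sqlite3

# Simplified, constructed detectors. Production scanners add checksums and context.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?<!\d)(?:\+91[\s-]?)?[6-9]\d{9}(?!\d)"),
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "aadhaar": re.compile(r"(?<![\d+])[2-9]\d{3}\s?\d{4}\s?\d{4}(?!\d)"),
}
# Hypothetical sensitivity labels; each organisation defines its own categories.
SENSITIVITY = {"email": "medium", "phone": "medium", "pan": "high", "aadhaar": "high"}
# Column-name tokens that hint at PII even when the values are encrypted or tokenised.
NAME_HINTS = {"email": "email", "mobile": "phone", "phone": "phone",
              "pan": "pan", "aadhaar": "aadhaar"}


def quote_ident(name):
    """Quote an SQL identifier read from the database catalogue."""
    return '"' + name.replace('"', '""') + '"'


def classify_column(name, values, threshold=0.5):
    """Return (pii_type, match_ratio, evidence) for one column, or None."""
    ratios = {}
    for pii_type, pattern in DETECTORS.items():
        hits = sum(1 for v in values if pattern.search(str(v)))
        ratios[pii_type] = hits / len(values) if values else 0.0
    best = max(ratios, key=ratios.get)
    if ratios[best] >= threshold:
        return best, round(ratios[best], 2), "content"
    # Fall back to the column name so opaque (encrypted) fields still enter the inventory.
    for token in name.lower().split("_"):
        hinted = NAME_HINTS.get(token)
        if hinted:
            return hinted, round(ratios[hinted], 2), "column-name"
    return None


def discover(conn, sample_size=100, threshold=0.5):
    """Scan every table and column and return the PII inventory as a list of dicts."""
    inventory = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        columns = conn.execute(f"PRAGMA table_info({quote_ident(table)})").fetchall()
        for col in columns:
            column = col[1]  # table_info rows are (cid, name, type, notnull, dflt, pk)
            rows = conn.execute(
                f"SELECT {quote_ident(column)} FROM {quote_ident(table)} "
                f"WHERE {quote_ident(column)} IS NOT NULL LIMIT ?", (sample_size,))
            found = classify_column(column, [r[0] for r in rows], threshold)
            if found:
                pii_type, ratio, evidence = found
                inventory.append({
                    "table": table, "column": column, "pii_type": pii_type,
                    "sensitivity": SENSITIVITY[pii_type],
                    "match_ratio": ratio, "evidence": evidence})
    return sorted(inventory, key=lambda e: (e["table"], e["column"]))


def build_sample_db():
    """Constructed sample data; none of these values belong to real people."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, full_name TEXT, contact TEXT,
                                tax_id TEXT, notes TEXT);
        CREATE TABLE kyc (customer_id INTEGER, doc_number TEXT, mobile_enc TEXT);
        CREATE TABLE orders (order_id INTEGER, sku TEXT, amount REAL);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", [
        (1, "Asha Rao", "asha.rao@example.com", "ABCDE1234F",
         "Call back on 9876543210 after 6pm"),
        (2, "Vikram Shah", "vikram@example.org", "PQRSX6789L", "Prefers email"),
        (3, "Meera Nair", "meera.n@example.net", None, "Alt number +91 9123456780"),
    ])
    conn.executemany("INSERT INTO kyc VALUES (?,?,?)", [
        (1, "2345 6789 0123", "enc:v1:Zm9vYmFy"),
        (2, "345678901234", "enc:v1:YmF6cXV4"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?,?,?)", [
        (1001, "SKU-4471", 499.0), (1002, "SKU-2210", 1250.5)])
    return conn


if __name__ == "__main__":
    for entry in discover(build_sample_db()):
        print(entry)
```

The free-text `notes` column is flagged because two of its three sampled values embed a phone number, and `mobile_enc` is inventoried from its name alone, which is why the scan has to be repeated whenever data sources change.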

Integrating Governance into the Data Lifecycle


In view of the capabilities offered by the proposed Data Governance Platform, we have identified four key
phases where DPDPA compliance considerations apply. The identified phases are as follows:

Image I: Compliance Considerations across the Data Lifecycle

Define: Data discovery; Data classification; Data protection
Design: Data minimization; Data protection; Data policy
Deploy: Test; Validate; Deploy
Defend: Data audit; Data sharing; Data Breach management; Auto report generation

• Define: In this phase, all applications, databases, and other data repositories are surveyed, and PII
compliance fields are identified. A comprehensive inventory of such elements is created and maintained.

• Design: In this phase, compliance policies are designed and assigned to each PII field. Because data
protection is a critical element of DPDPA compliance, this phase is critical.

• Deploy: All changes are made, tested and deployed to staging and then into production environments.

• Defend: In this phase, data in production is monitored continuously for policy violations. If there are any
violations, alerts are created and reported. Depending on the severity of violations, this may lead to breach
management.

Accounting for Change Management Workflows
In any given organisation, changes to applications, databases and data semantics are constant. As depicted
in Image II, changes can appear in various ways, including modifications to the data schema or the
addition of new PII fields to existing applications and databases. It is also worth
mentioning that compliance interpretations and techno-legal requirements to protect personal data are
ever-evolving. Given the dynamic changes at play, effective DPDPA compliance can be achieved by revisiting the Data
Governance Platform for periodic change alignment.

Image II: Change Management workflows (diagram labels: Application, DB changes; PII policy changes;
Feedback from production; phases Define, Design, Deploy, Defend)
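
One way to implement the Defend-phase check and the change-alignment step described above is to reconcile each production scan against the policies assigned in the Design phase. This is an added example, not part of the paper or of any platform it describes; the policy names, snapshot format, severity levels and escalation rule are hypothetical assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy registry from the Design phase: (table, column) -> required control.
POLICIES = {
    ("customers", "contact"): "cleartext-allowed",
    ("customers", "tax_id"): "encrypt",
    ("kyc", "aadhaar_enc"): "encrypt",
    ("kyc", "mobile_enc"): "encrypt",
    ("leads", "email"): "mask",  # table has since been dropped from production
}

# Constructed inventory snapshot from a production scan. "evidence" is "content" when
# raw values matched a PII detector (readable in clear) and "column-name" when only
# the column name suggested PII (values opaque).
SNAPSHOT = [
    {"table": "customers", "column": "contact", "sensitivity": "medium", "evidence": "content"},
    {"table": "customers", "column": "notes", "sensitivity": "medium", "evidence": "content"},
    {"table": "customers", "column": "tax_id", "sensitivity": "high", "evidence": "content"},
    {"table": "kyc", "column": "aadhaar_enc", "sensitivity": "high", "evidence": "column-name"},
    {"table": "kyc", "column": "mobile_enc", "sensitivity": "medium", "evidence": "column-name"},
]


@dataclass(frozen=True)
class Alert:
    table: str
    column: str
    kind: str       # "unassigned-field", "policy-violation" or "stale-policy"
    severity: str   # "low", "medium" or "high"
    escalate: bool  # hand over to the breach management workflow


def evaluate(snapshot, policies):
    """Compare a production snapshot with the policy registry and return alerts."""
    alerts = []
    seen = set()
    for entry in snapshot:
        key = (entry["table"], entry["column"])
        seen.add(key)
        policy = policies.get(key)
        readable = entry["evidence"] == "content"
        high = entry["sensitivity"] == "high"
        if policy is None:
            # A schema or application change introduced a PII field with no policy:
            # it goes back to the Define and Design phases.
            alerts.append(Alert(*key, "unassigned-field", "high" if high else "medium", False))
        elif policy != "cleartext-allowed" and readable:
            # The field must be protected, yet the scan could read PII in clear.
            # Assumed rule: high-sensitivity violations go to breach management.
            alerts.append(Alert(*key, "policy-violation", "high" if high else "medium", high))
    for key in policies.keys() - seen:
        # Policy refers to a field that no longer exists in production.
        alerts.append(Alert(*key, "stale-policy", "low", False))
    return sorted(alerts, key=lambda a: (a.table, a.column))


if __name__ == "__main__":
    for alert in evaluate(SNAPSHOT, POLICIES):
        print(alert)
```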

In conclusion, it is critical that organisations factor these elements into their compliance plan. The proposed Data
Governance Platform will accommodate these considerations inherently and is designed to meet the DPDPA’s
compliance requirements. Hence, every organisation must plan to either build or invest in such comprehensive
platforms for seamless compliance. This is how the proposed platform brings all aspects of DPDPA compliance
into one unified application and integrates with an organisation’s current application landscape.

Privacy-Enhancing Technologies:
38 Global and Cross-Sectoral Regulatory Insights
References

1 TJX Companies Inc. / Winners Merchant International L.P., Report of an Investigation into the Security, Collection
and Retention of Personal Information (2007) PIPEDA Report of Findings #2007-389, <https://www.priv.gc.ca/
en/opc-actions-and-decisions/investigations/investigations-into-businesses/2007/tjx_rep_070925/> accessed 9
May 2024
2 ‘Privacy Enhancing Technologies – A Review of Tools and Techniques’, Office of the Privacy Commissioner of
Canada, (2017) <https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2017/
pet_201711/#heading-0-0-3> accessed 9 May 2024
3 Asrow K and Samonas S, ‘Privacy Enhancing Technologies: Categories, Use Cases, and Considerations’ San
Francisco Fed (June 1, 2021) <https://www.frbsf.org/research-and-insights/publications/fintech-edge/2021/06/
privacy-enhancing-technologies/> accessed 9 May 2024
4 Organisation for Economic Co-operation and Development (OECD), Emerging privacy-enhancing technologies:
Current regulatory and policy approaches (OECD Digital Economy Papers No. 351, 2023)
< https://doi.org/10.1787/bf121be4-en> accessed 9 May 2024
5 Asrow K (n 3)
6 Information Technology Act 2000, s. 84A
7 Information Technology Act 2000, s. 43A
8 ISO/IEC 27001:2022, ‘Information security, cybersecurity and privacy protection — Information security
management systems — Requirements’ (2022)<https://www.iso.org/obp/ui/en/> accessed 9 May 2024
9 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules 2011, Rule 8
10 Digital Personal Data Protection Act 2023, Schedule [21]
11 Digital Personal Data Protection Act 2023, s. 8(4)
12 Digital Personal Data Protection Act 2023, s. 4(1)
13 Digital Personal Data Protection Act 2023, s. 6(4)
14 Digital Personal Data Protection Act 2023, s. 13
15 Digital Personal Data Protection Act 2023, s. 9(1)
16 Digital Personal Data Protection Act 2023, s. 10(1)
17 Digital Personal Data Protection Act 2023, s. 40(2)(l)
18 ‘Anti-Virus Policy and Best Practices’ (2005) <https://tripura.gov.in/sites/default/files/Anti%20Virus%20Policy%20
and%20Best%20Practices.pdf> accessed 9 May 2024
19 Website of National Critical Information Infrastructure Protection Centre, <https://www.india.gov.in/website-
national-critical-information-infrastructure-protection-centre> accessed 9 May 2024
20 Information Technology Act 2000, s. 70
21 ’Guidelines for the Protection of Critical Information Infrastructure’, National Critical Information Infrastructure
Protection Centre, (2015) <https://www.asianlaws.org/gcld/cyberlawdb/IN/guidelines/NCIIPC_Guidelines_
V2.pdf > accessed 9 May 2024
22 Cloud Management Office (CMO), Ministry of Electronics and Information Technology (MeitY), ’Cloud Security
Best Practices’ (2020) <https://www.meity.gov.in/writereaddata/files/2.%20WI3_Cloud%20Security%20Best%20
Practices_06112020.pdf> accessed 9 May 2024
23 ibid, [33]
24 ibid, [19]

Privacy-Enhancing Technologies:
Global and Cross-Sectoral Regulatory Insights 39
25 Department of Electronics and Information Technology, ‘National Cyber Security Policy’ (2013)
<https://www.meity.gov.in/content/national-cyber-security-policy-2013-0> accessed 9 May 2024
26 Singh R, “Centre May Push Enterprises to Use Security Products Developed in India” Business Standard (2024)
<https://www.business-standard.com/economy/news/centre-may-push-enterprises-to-use-security-products-
developed-in-india-124013000276_1.html> accessed 9 May 2024.
27 Ministry of Electronics and Information Technology, ‘Electronic Consent Framework (Ver 1.1)’
< https://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf>
28 Reserve Bank of India, ‘Master Direction - Reserve Bank of India (Internal Ombudsman for Regulated Entities)
Directions’ (2023), <https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12586> accessed 9 May
2024
29 ’The CSF 1.1 Five Functions’ (2018, updated 2024) <https://www.nist.gov/cyberframework/getting-started/
online-learning/five-functions> accessed 9 May 2024
30 ‘NPCI leads the way in Cyber Security Defense & Data Privacy’ (2020) < https://www.npci.org.in/PDF/npci/
press-releases/2020/NPCI_Press_Release-NPCI_leads_the_way_in_Cyber_Security_DefenseandData.pdf>
accessed 9 May 2020
31 National Payments Corporation of India, ’Cyber Risk Management and 10 Essential Security tools’ (Paper, Paper
No: 01/2016-17) < https://www.npci.org.in/PDF/npci/white-papers/White-Paper-on-Cyber-Security-in-banking-
Essential-tools-rev10.pdf > accessed 9 May 2024
32 <https://www.npci.org.in/who-we-are/cyber-security> accessed 9 May 2024
33 PCI DSS v4.0, ISO 27001:2013 - Information Security Management System (ISMS) ISO 22301: 2019 - Business
Continuity management System (BCMS) and ISO 27701: 2019 - Privacy Information Management System
(PIMS).
34 Reserve Bank of India, ’Master Direction on Outsourcing of Information Technology Services‘(2018) < https://
rbidocs.rbi.org.in/rdocs/notification/PDFs/102MDITSERVICES56B33FD530B1433187D75CB7C06C8F70.PDF>
accessed 9 May 2024
35 Reserve Bank of India, ’Internet Banking - Security Features’ (Annexure II) < https://www.rbi.org.in/hindi1/
Upload/content/PDFs/C229260416_2.pdf > accessed 9 May 2024
36 Reserve Bank of India, ’Master Direction on Information Technology Governance, Risk,
Controls and Assurance Practices’ (2023) <https://rbidocs.rbi.org.in/rdocs/notification/
PDFs/107MDITGOVERNANCE3303572008604C67AC25B84292D85567.PDF > accessed 9 May 2024
37 Reserve Bank of India, ’Master Direction on Digital Payment Security Controls’ (2021) <https://rbidocs.rbi.org.in/
rdocs/notification/PDFs/MD7493544C24B5FC47D0AB12798C61CDB56F.PDF> accessed 9 May 2024
38 Reserve Bank of India, ’Master Directions on Prepaid Payment Instruments (PPIs)’ (2021) < https://rbidocs.rbi.
org.in/rdocs/notification/PDFs/82MDPPIS2708202181CF0A6FCD1B47B88CAE8E92A228B160.PDF > accessed
9 May 2024
39 Reserve Bank of India, ’Framework for Outsourcing of Payment and Settlement-related Activities
by Payment System Operators’ (2021) < https://rbidocs.rbi.org.in/rdocs/notification/PDFs/
NOT765729DDE076804962B2A6A35CA343D2F2.PDF > accessed 9 May 2024
40 Reserve Bank of India, ‘Master Direction - Information Technology Framework for the NBFC Sector’ (2017) <
https://rbidocs.rbi.org.in/rdocs/notification/PDFs/MD53E0706201769D6B56245D7457395560CFE72517E0C.
PDF > accessed 9 May 2024
41 Reserve Bank of India, ’Cyber Security Framework in Banks’ (2016) < https://www.rbi.org.in/commonman/
Upload/English/Notification/PDFs/NT41802062016.pdf > accessed 9 May 2024
42 Reserve Bank of India, ’Guidelines on Information security, Electronic Banking, Technology risk Management and
Cyber Frauds‘ <https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf > accessed 9 May 2024

Privacy-Enhancing Technologies:
40 Global and Cross-Sectoral Regulatory Insights
43 IBM, ‘What is the NIST Cybersecurity Framework?’ (October 14, 2021) < https://www.ibm.com/topics/
nist#:~:text=IBM-,What%20is%20the%20NIST%20Cybersecurity%20Framework%3F,security%20and%20
cybersecurity%20risk%20management.> accessed 20 May 2024
44 PTI, ’SEBI Issues Consultation Paper on Cyber Security, Resilience Framework for Regulated Entities‘ (July 5,
2023) <https://bfsi.economictimes.indiatimes.com/news/financial-services/sebi-issues-consultation-paper-on-
cyber-security-resilience-framework-for-regulated-entities/101509921> accessed 9 May 2024
45 Security and Exchange Board of India (SEBI), ’Cyber Security & Cyber Resilience framework for Stockbrokers /
Depository Participants’ (Circular No.: SEBI/HO/MIRSD/CIR/PB/2018/147, 2018)
< https://www.sebi.gov.in/legal/circulars/dec-2018/cyber-security-and-cyber-resilience-framework-for-stock-
brokers-depository-participants_41215.html > accessed 9 May 2024
46 Security and Exchange Board of India (SEBI), ’Guidelines for MIIs regarding Cyber security and Cyber resilience’
(Circular No.: SEBI/HO/MRD/TPD/P/CIR/2023/146, 2023) < https://www.sebi.gov.in/legal/circulars/aug-2023/
guidelines-for-miis-regarding-cyber-security-and-cyber-resilience_76056.html > accessed 9 May 2024
47 Security and Exchange Board of India (SEBI), ’Cyber Security and Cyber Resilience framework for Mutual Funds
/ Asset Management Companies (AMCs)’ (Circular No.: SEBI/HO/IMD/DF2/CIR/P/2019/12, 2019)<https://
www.sebi.gov.in/legal/circulars/jan-2019/cyber-security-and-cyber-resilience-framework-for-mutual-funds-asset-
management-companies-amcs-_41589.html> accessed 9 May 2024
48 Security and Exchange Board of India (SEBI), ’Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity
best practices’ (Circular No.: SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/032, 2023)
<https://www.sebi.gov.in/legal/circulars/feb-2023/advisory-for-sebi-regulated-entities-res-regarding-cybersecurity-
best-practices_68334.html> accessed 9 May 2024
49 IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017, Regulation 12
50 IRDAI, ’Guidelines on Insurance E-Commerce and Electronic Issuance‘(2017),
<https://irdai.gov.in/document-detail?documentId=386260> accessed 9 May 2024
51 IRDAI (Protection of Policyholders’ Interests) Regulations 2017, Regulation 19(5)
52 IRDAI (Maintenance of Insurance Records) Regulations 2015, Regulation 3(3)(b), 3(9)
53 IRDAI (Health Insurance Regulations) 2016, Regulation 35(c)
54 IRDAI’s Information and Cyber Security Guidelines, notified April 2023.
55 IRDAI, ’Information and Cyber Security Guidelines’ (2019)
56 Department of Health & Family Welfare, Ministry of Health & Family Welfare Government of India (MoHFW),
‘EHR Standards for India’ (2016) <https://main.mohfw.gov.in/sites/default/files/17739294021483341357.pdf
”https://main.mohfw.gov.in/sites/default/files/17739294021483341357.pdf> accessed 9 May 2024
57 MoHFW, ‘Operational Guidelines for Clinical Establishments Act‘ <http://clinicalestablishments.gov.in/
WriteReadData/2591.pdf> accessed 9 May 2024
58 Department of Health & Family Welfare (n 56) [19]
59 The standard prescribed for access control - ISO 22600:2014 Health informatics - Privilege Management and
Access Control (Part 1 through 3)
60 Prescribed standard for architectural requirement - ISO 18308:2011 Health Informatics – Requirements for an
Electronic Health Record Architecture
61 MoHFW, ‘Digital Information Security in Healthcare, Act’ (Draft for Consultation, 2017)
<https://main.mohfw.gov.in/sites/default/files/R_4179_1521627488625_0.pdf> accessed 9 May 2024
62 Draft Digital Information Security in Healthcare Act 2017, s. 3(a)
63 Draft Digital Information Security in Healthcare Act 2017, ss. 3(c), 28, 30, 33(3)
64 Draft Digital Information Security in Healthcare Act 2017, s. 3(d)

Privacy-Enhancing Technologies:
Global and Cross-Sectoral Regulatory Insights 41
65 National Health Authority, ‘Consultation Paper on Proposed Health Data Retention Policy’ (Consultation
Paper 04/2021, 2021) <https://abdm.gov.in:8081/uploads/Consultation_Paper_on_Health_Data_Retention_
Policy_21_28557f9a6a.pdf> accessed 9 May 2024
66 MoHFW, ‘National Health Policy’ (2017) [25] <https://main.mohfw.gov.in/sites/default/
files/9147562941489753121.pdf> accessed 9 May 2024
67 National Health Authority, ‘Final Report on National Digital Health Blueprint (NDHB)’ (2019) [31]-[37],
< https://main.mohfw.gov.in/sites/default/files/Final%20NDHB%20report_0.pdf > accessed 9 May 2024
68 ibid
69 Recommended standard for access control - ISO 22600:2014 Health informatics Privilege Management and
Access Control (Part 1 through 3)
70 Ayushman Bharat Digital Mission, ‘Draft Health Data Management Policy’ (Draft Policy, 2022)
<https://abdm.gov.in:8081/uploads/Draft_HDM_Policy_April2022_e38c82eee5.pdf >
accessed on 9 May 2024
71 ‘Official Website of Ayushman Bharat Scheme’ <https://abdm.gov.in/> accessed 9 May 2024
72 National Health Authority, ‘National Digital Health Mission: Unified Health Interface’ (Consultation Webinar,
2021) <https://abdm.gov.in:8081/uploads/Presentation_for_UHI_a7037b79d3.pdf >
accessed 9 May 2021
73 Data Security Council of India, ‘DSCI Sectoral Privacy Guide – Healthcare’ (2021)
<https://www.dsci.in/sectoral-privacy-project/healthcare-sector/ > accessed 9 May 2024
74 Japanese Translation, ‘Act on the Protection of Personal Information’ (2021)
<https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en> accessed 9 May 2024
75 Personal Information Protection Commission Secretariat, ‘Report by the Personal Information Protection
Commission Secretariat: Anonymously Processed Information’ (2017) <https://www.ppc.go.jp/files/pdf/The_
PPC_Secretariat_Report_on_Anonymously_Processed_Information.pdf> accessed 10 May 2024
76 Bank of Japan, ‘Privacy Enhancing Technologies: Payments and Financial Services in a Digital Society’ (January
2023) <https://www.boj.or.jp/en/research/brp/psr/data/psrb230120.pdf> accessed 10 May 2024
77 Personal Data Protection Act 2012, s 24(a).
78 Personal Data Protection Commission Singapore, ‘ADVISORY GUIDELINES ON THE PERSONAL DATA
PROTECTION ACT FOR SELECTED TOPICS’ (May 2022) <https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-
Files/Advisory-Guidelines/AG-on-Selected-Topics/Advisory-Guidelines-on-the-PDPA-for-Selected-Topics-17-
May-2022.pdf> accessed 10 May 2024
79 Personal Data Protection Commission Singapore, ‘Guide to Handling Access Requests’ (2016) <https://www.
pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/guide-to-handling-access-requests-v1-0-(090616).pdf>
accessed 10 May 2024
80 Personal Data Protection Commission Singapore (PDPC), ‘Guide to Data Protection Practices for ICT Systems’
(2013) <https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Tech-Omnibus/Guide-to-Data-
Protection-Practices-for-ICT-Systems.ashx?la=en%20> accessed 10 May 2024
81 ibid
82 Personal Data Protection Commission Singapore (n 80) [24]; Personal Data Protection Commission Singapore
(n 78) [24]
83 OECD Digital Economy Papers, ‘Emerging Privacy Enhancing Technologies: Current Regulatory &
Policy Approaches’ (2023) <https://www.oecd-ilibrary.org/docserver/bf121be4-en.pdf?expires=
1712218299&id=id&accname=guest&checksum=8275D92D1EBE4FDCA673A50E4495488B>
accessed 10 May 2024
84 Data Privacy Act 2012, s 28.

Privacy-Enhancing Technologies:
42 Global and Cross-Sectoral Regulatory Insights
85 National Privacy Commission, ‘NPC Circular No. 2016-01: Security of Personal Data in Government Agencies’
(October 2016) s 8 < https://privacy.gov.ph/npc-circular-16-01-security-of-personal-data-in-government-
agencies/ > accessed 10 May 2024
86 National Privacy Commission, ‘NPC Privacy Toolkit’ (May 2018) [53] <https://privacy.gov.ph/wp-content/
uploads/2022/01/3rdToolkit_0618.pdf> accessed 10 May 2024
87 ‘Data Security’ (National Privacy Commission)
<https://privacy.gov.ph/data-security/> accessed 10 May 2024
88 National Privacy Commission (n 86).
89 National Privacy Commission, ‘NPC Circular No. 2021-01: Guidelines on the Processing of Personal Data during
Public Health Emergencies for Public Health Measures’ (November 2021) <https://privacy.gov.ph/wp-content/
uploads/2021/11/Circular-on-Processing-for-Public-Health-Emergencies-FINAL.pdf>
accessed 10 May 2024
90 Personal Information Protection Act 2023 (Republic of Korea).
91 Personal Information Protection Act 2023, Article 24(3) (Republic of Korea).
92 Personal Information Protection Act 2023, Article 3(7) (Republic of Korea).
93 Personal Information Protection Act 2023, Article 29 (Republic of Korea).
94 Personal Information Protection Act 2023, Article 28-4(3) (Republic of Korea).
95 Act On Use and Protection of Credit Information 2023 (Republic of Korea).
96 Enforcement Decree of the Act on the Protection and Use of Location Information 2022
(Republic of Korea).
97 Act on Use and Protection of Credit Information 2023, Article 17(4) (Republic of Korea).
98 Act on Use and Protection of Credit Information 2023, Article 40-2(1) (Republic of Korea).
99 Act on Use and Protection of Credit Information 2023, Article 40-2(2) (Republic of Korea).
100 Act on Use and Protection of Credit Information 2023, Article 17-2(2) (Republic of Korea).
101 Enforcement Decree of the Act on the Protection and Use of Location Information 2022, Article 20(2)
(Republic of Korea).
102 Enforcement Decree of the Act on the Protection and Use of Location Information 2022, Article 20(2)
(Republic of Korea).
103 Enforcement Decree of the Act on the Protection and Use of Location Information 2022, Article 20(2)
(Republic of Korea).
104 Enforcement Decree of the Act on the Protection and Use of Location Information 2022, Article 20(2)
(Republic of Korea).
105 Personal Information Protection Commission, ‘Pseudonym Information Processing Guidelines’ (29 April 2022)
<https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS217&mCode=D010030000&nttId=8000>
accessed 9 May 2024.
106 Personal Information Protection Commission, ‘Biometric Information Protection Guidelines’ (September 2021)
<https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS217&mCode=D010030000&nttId=7529>
accessed 9 May 2024.
107 Kim & Chang, ‘Guideline for Pseudonymization Published’ (11 September 2020)
<https://www.kimchang.com/en/insights/detail.kc?sch_section=4&idx=21964> accessed 28 May 2024.
108 UK General Data Protection Regulation 2018, Recital 83 <https://gdpr-info.eu/recitals/no-83/>
accessed 10 May 2024.
109 UK Information Commissioner’s Office, ‘How should we implement encryption?’ (2022)
<https://ico.org.uk/media/for-organisations/uk-gdpr-guidance-and-resources/security/encryption-1-0.pdf>
accessed 10 May 2024.
110 UK Anonymisation Network, ‘The ADF’ (UKAN) <https://ukanon.net/framework/> accessed 10 May 2024.
111 UK National Cyber Security Centre, ‘Cloud Security Guidance’ (2018)
<https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles/principle-1-data-in-transit-protection>
accessed 10 May 2024.
112 UK National Cyber Security Centre, ‘Zero Trust architecture design principles’
<https://www.ncsc.gov.uk/collection/zero-trust-architecture> accessed 10 May 2024.
113 UK National Cyber Security Centre, ‘Supply Chain Security Guidance’
<https://www.ncsc.gov.uk/collection/supply-chain-security> accessed 10 May 2024.
114 UK Information Commissioner’s Office, ‘Privacy-enhancing technologies (PETs)’ (2023)
<https://ico.org.uk/media/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/privacy-enhancing-technologies-1-0.pdf>
accessed 10 May 2024.
115 Centre for Data Ethics and Innovation (CDEI), ‘Privacy Enhancing Technologies Adoption Guide’
<https://cdeiuk.github.io/pets-adoption-guide/adoption-guide> accessed 10 May 2024.
116 ENISA, ‘Recommended cryptographic measures - Securing personal data’
<https://www.enisa.europa.eu/publications/recommended-cryptographic-measures-securing-personal-data>
accessed 10 May 2024.
117 ENISA, ‘Study on Cryptographic Protocols’ (November 2014)
<https://www.enisa.europa.eu/publications/study-on-cryptographic-protocols> accessed 10 May 2024.
118 European Commission, ‘Commission Implementing Regulation (EU) 2015/1502’ (September 2015)
<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015R1502> accessed 10 May 2024.
119 ‘European Digital Identity (EUDI) Regulation’ (European Commission)
<https://digital-strategy.ec.europa.eu/en/policies/eudi-regulation> accessed 10 May 2024.
120 ETSI, ‘Electronic Signatures and Infrastructures (ESI); Analysis of selective disclosure and zero-knowledge proofs
applied to Electronic Attestation of Attributes’ (August 2023)
<https://www.etsi.org/deliver/etsi_tr/119400_119499/119476/01.01.01_60/tr_119476v010101p.pdf>
accessed 10 May 2024.
121 Article 29 Data Protection Working Party, ‘Opinion 05/2014 on Anonymisation Techniques’ (April 2014)
<https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf>
accessed 10 May 2024.
122 General Data Protection Regulation 2016, art 4(5).
123 ENISA, ‘DATA PSEUDONYMISATION: ADVANCED TECHNIQUES & USE CASES’ (January 2021)
<https://www.enisa.europa.eu/publications/data-pseudonymisation-advanced-techniques-and-use-cases/@@download/fullReport>
accessed 10 May 2024.
124 European Data Protection Supervisor, ‘Federated Learning’
<https://www.edps.europa.eu/press-publications/publications/techsonar/federated-learning_en#:~:text=Federated%20learning%20is%20a%20relatively,the%20way%20parameters%20are%20shared>
accessed 10 May 2024.
125 ‘About CONFIDENTIAL6G’ (Confidential6G) <https://confidential6g.eu/about-confidential6g/>
accessed 10 May 2024.
126 ETSI, ‘Permissioned Distributed Ledger (PDL); Federated Data Management’ (September 2021)
<https://www.etsi.org/deliver/etsi_gr/PDL/001_099/009/01.01.01_60/gr_PDL009v010101p.pdf>
accessed 10 May 2024.
127 ENISA, ‘European Cybersecurity Certification’ <https://certification.enisa.europa.eu/#EUCC>
accessed 10 May 2024.
128 Office of the Privacy Commissioner of Canada, ‘Privacy Guide for Businesses’ (2020)
<https://www.priv.gc.ca/media/2038/guide_org_e.pdf> accessed 10 May 2024.
129 Office of the Privacy Commissioner of Canada, ‘Privacy Enhancing Technologies – A Review of Tools
and Techniques’ (2017)
<https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2017/pet_201711/#heading-0-0-2>
accessed 10 May 2024.
130 Office of the Privacy Commissioner of Canada, ‘Privacy Tech-Know blog: Privacy Enhancing Technologies for
Businesses’ (2021) <https://www.priv.gc.ca/en/blog/20210412/> accessed 10 May 2024.
131 Part 314-Standards for Safeguarding Customer Information, 2003 sub-s 314.4 (c)(3); Federal Trade Commission
(FTC), ‘FTC Safeguards Rule: What Your Business Needs to Know’ (2022)
<https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know>
accessed 10 May 2024.
132 National Institute of Standards and Technology (NIST), ‘NIST Privacy Framework Core’ (2020)
<https://www.nist.gov/system/files/documents/2021/05/05/NIST-Privacy-Framework-V1.0-Core-PDF.pdf>
accessed 10 May 2024.
133 National Institute of Standards and Technology (NIST), ‘NIST Cybersecurity Framework 2.0: RESOURCE &
OVERVIEW GUIDE’ (2024) <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1299.pdf>
accessed 10 May 2024.
134 National Institute of Standards and Technology (NIST), ‘NIST CSF 2.0 Implementation Examples’ (2024)
<https://www.nist.gov/system/files/documents/2024/02/21/CSF%202.0%20Implementation%20Examples.pdf>
accessed 10 May 2024.
135 National Institute of Standards and Technology, ‘Security and Privacy Controls for Information Systems and
Organizations’ (2020) <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf>
accessed 10 May 2024.
136 Security Standards for the Protection of Electronic Protected Health Information 2003, s164.312(a)(2)(iv).
137 US Department of Health and Human Services (HHS), ‘Guidance Regarding Methods for De-identification
of Protected Health Information in Accordance with the Health Insurance Portability and Accountability
Act (HIPAA) Privacy Rule’ (2012)
<https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf>
accessed 13 May 2024.
138 California Legislative Information, ‘s1798.140(ab)(3) California Consumer Privacy Act of 2020’ (2020)
<https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.140.&lawCode=CIV>
accessed 13 May 2024.
139 Federal Reserve Bank of San Francisco, ‘Privacy Enhancing Technology: Categories, Use Cases, and
Considerations’ (2021)
<https://www.frbsf.org/economic-research/wp-content/uploads/sites/4/Privacy-Enhancing-Technologies-Categories-Use-Cases-and-Considerations.pdf>
accessed 10 May 2024.
140 National Institute of Standards and Technology (n 132) [29].
141 Federal Reserve Bank of San Francisco (n 139) [30].
142 Apple, ‘Apple Differential Privacy Technical Overview’ (2016)
<https://www.apple.com/privacy/docs/Differential_Privacy_Overview.pdf> accessed 10 May 2024.
143 National Conference of State Legislatures, ‘Differential Privacy for Census Data Explained’ (2021)
<https://www.ncsl.org/technology-and-communication/differential-privacy-for-census-data-explained#:~:text=%20Differential%20Privacy%20for%20Census%20Data%20Explained%20,to%20differential%20privacy%20was%20made%20in...%20More>
accessed 10 May 2024.
144 The Office of the Australian Information Commissioner (OAIC), ‘Consultation Paper: National Health (Privacy)
Rules 2018 review’ (2020)
<https://www.oaic.gov.au/__data/assets/pdf_file/0017/5642/oaic-version-consultation-paper-s135aa-final.pdf>
accessed 10 May 2024.
145 Office of the Australian Information Commissioner (OAIC), ‘Ch 11: Australian Privacy Principle 11 — Security
of personal information’ (2019)
<https://www.oaic.gov.au/__data/assets/pdf_file/0018/1287/app-guidelines-chapter-11-v1.2.pdf>
accessed 10 May 2024.
146 Office of the Australian Information Commissioner (OAIC), ‘Guide to securing personal information:
‘Reasonable steps’ to protect personal information’ (2018)
<https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information?external-uuid=2bc65cdd-f52f-4981-9f16-f4ec8716b507>
accessed 10 May 2024.
147 Australian Law Reform Commission, ‘For Your Information: Australian Privacy Law and Practice’ (2008) 1 ALRC
Report 108 <https://www.alrc.gov.au/wp-content/uploads/2019/08/108_vol1.pdf>
accessed 10 May 2024.
148 ibid.
149 Privacy Commissioner - Te Mana Matapono Matatapu, ‘Privacy Act 2020 and the Privacy Principles’
<https://www.privacy.org.nz/privacy-act-2020/privacy-principles/> accessed 10 May 2024.
150 Privacy Commissioner - Te Mana Matapono Matatapu, ‘Privacy Impact Assessment Handbook’ (2015)
<https://privacy.org.nz/publications/guidance-resources/privacy-impact-assessment-handbook/>
accessed 10 May 2024.
151 Privacy Commissioner - Te Mana Matapono Matatapu, ‘The privacy principles & examples of risks and
mitigations’
<https://privacy.org.nz/assets/New-order/Resources-/Publications/Guidance-resources/PIA/2023-PIA-toolkit-files/PIA-Toolkit-The-privacy-principles-and-examples-of-risks-and-mitigations.pdf>
accessed 10 May 2024.
152 Stats NZ, ‘Data Confidentiality Principles and Methods Report’ (October 2018)
<https://data.govt.nz/assets/Uploads/data-confidentiality-principles-methodology-report-oct-2018.pdf>
accessed 10 May 2024.
153 Li, Y., ‘Cross-Cultural Privacy Differences’ in Bart P. Knijnenburg (eds.), Modern Socio-Technical Perspectives on
Privacy, (Springer, 2022) <https://doi.org/10.1007/978-3-030-82786-1_12> accessed 7 May 2024.
154 ibid.
155 Yamagishi, T. and Yamagishi, M., ‘Trust and commitment in the United States and Japan’ (1994) 18 Motiv Emot,
Springer Link <https://doi.org/10.1007/BF02249397> accessed 10 May 2024.
156 Li, Y., (n 153).

Author
Deepika Nandagudi Srinivasa
Associate, Data Security Council of India

Editor
Anisha Koshy
Senior Associate, Data Security Council of India

Contributors
• Devanshi Singh
• Neelangini Tiwari
• Palaaksha Kandari
• Samarth Jain
• Samrudh Shirolkar
At the heart of every enterprise lies a vast amount of sensitive data, created by numerous data
producers, such as applications and databases, and consumed by various data consumers for
different purposes. The journey of this data from producers to consumers is a critical one that requires
proper protection at every stage. Aldefi’s Data Product Lifecycle Management platform leverages
data contracts as the underlying technology, to understand the importance of data integrity, trust,
and security between data producers and consumers. Through data contracts, Aldefi ensures data
immutability, guaranteeing that sensitive and private data remains unaltered and tamper-proof
throughout its lifecycle.

Aldefi also addresses the challenge of data and metadata drift—where data changes subtly over
time, potentially leading to inconsistencies and inaccuracies. Aldefi’s solution provides a unified
audit trail and change tracking mechanism, enabling enterprises to monitor and manage data and
metadata drift, providing a means to track privacy and integrity of data across the enterprise. To
learn more, visit https://www.aldefi.io.

Data Security Council of India (DSCI) is a premier industry body on data protection in India, set up
by nasscom, committed to making cyberspace safe, secure and trusted by establishing best
practices, standards and initiatives in cybersecurity and privacy. DSCI brings together governments
and their agencies, industry sectors including ITBPM, BFSI, telecom, industry associations, data
protection authorities and think-tanks for policy advocacy, thought leadership, capacity building
and outreach initiatives. For more information, please visit www.dsci.in.

DATA SECURITY COUNCIL OF INDIA


Nasscom Campus, Fourth Floor, Plot. No. 7-10, Sector 126, Noida, UP - 201303

+91-120-4990253 | www.dsci.in


All Rights Reserved © DSCI 2024