Showing posts with label Data Protection. Show all posts

TCS to Join Race for India’s New Data Privacy Permits

Tata Consultancy Services (TCS) is preparing to apply for a ‘consent manager’ permit under India’s Digital Personal Data Protection (DPDP) rules, aiming to tap into a compliance-as-a-service market projected at ₹10,000 crore over the next three years, with consent management alone worth about ₹1,000 crore. This positions TCS alongside Reliance Jio, which is already in the race.

A “consent manager” permit under India’s Digital Personal Data Protection Act (DPDP) is an official registration granted by the Data Protection Board of India to entities that act as neutral intermediaries, helping individuals give, review, and withdraw consent for the use of their personal data. In simple terms, it’s a license that allows a company to legally operate as a trusted platform for managing user permissions around data sharing.  

What This Means for TCS

  • Strategic Move: Entering one of India’s largest emerging data-governance opportunities.
  • Revenue Potential: Consent management is expected to be a ₹1,000 crore market.
  • Competition: Reliance Jio Platforms has already applied, making this a competitive space.

DPDP Act & Consent Managers

  • DPDP Act, 2023: India’s first dedicated digital privacy law, operationalized through DPDP Rules, 2025.
  • Consent Managers: Registered entities that facilitate user consent for data fiduciaries.
  • Must meet net worth and incorporation requirements to qualify.
  • Serve as intermediaries ensuring individuals can grant, review, and withdraw consent easily.

Market Opportunity Breakdown

| Segment | Estimated Value (3 yrs) | Key Drivers |
|---|---|---|
| Compliance-as-a-Service | ₹10,000 crore | Privacy automation, regulatory compliance |
| Consent Management | ₹1,000 crore | User-centric data governance, legal mandates |
| Other DPDP Services | ₹9,000 crore | Breach management, compliance audits, automation |

Implications for Businesses

  • Legal Compliance: Companies must align with DPDP rules, making consent managers
  • Operational Efficiency: Outsourcing reduces compliance burden.
  • Trust & Transparency: Enhances consumer confidence in data handling.

Risks & Challenges

  • Regulatory Scrutiny: Consent managers will be closely monitored by India’s Data Protection Board.
  • Implementation Costs: High upfront investment in infrastructure and compliance systems.
  • Competition: Market share will depend on speed, scalability, and trust.

Key Takeaway

TCS’s move to apply for a consent manager permit under DPDP rules is a strategic bet on India’s growing digital privacy ecosystem, potentially unlocking a scalable revenue stream while strengthening its role in governance and compliance services.

India’s New Data Law Creates ₹10,000 Crore Opportunity

India has introduced new rules under the Digital Personal Data Protection (DPDP) Act, 2023, and experts say this will open up a huge business opportunity worth ₹10,000 crore over the next three years.

What is the DPDP law?

  • Purpose: The DPDP law is India’s first full-scale data protection law.
  • Control: It gives people more control over their personal information online.
  • Obligations: Companies must handle data carefully, take consent before using it, and report breaches quickly.

Why ₹10,000 crore?

  • Compliance spend: Businesses will need to spend money to follow the law.
  • Investments: This includes buying new software, hiring experts, and setting up systems to manage consent and protect data.
  • Estimate: Consulting firm EY India estimates that firms will spend ₹10,000 crore on compliance in the next three years.

What companies need to do

  • Consent management: Ask permission before using customer data.
  • Data mapping: Know where all personal data is stored.
  • Incident reporting: Inform authorities and users quickly if data is leaked.
  • Vendor checks: Ensure partners and service providers also follow the rules.

Who benefits?

  • IT service providers: Indian and global tech firms will offer privacy solutions.
  • Consultants: Legal and compliance experts will guide companies.
  • Startups: New businesses can build tools for consent management and data security.

Why it matters

  • For consumers: People will have more trust in digital platforms.
  • For businesses: Following the law builds credibility and avoids penalties.
  • For India: Aligns with global standards like Europe’s GDPR, strengthening the digital economy.

In simple words

India’s new data law is like a safety shield for your personal information. To follow the rules, companies will spend big money—creating a new ₹10,000 crore market for compliance services. This means more jobs, more startups, and safer digital experiences for everyone.

LinkedIn Fined €310 Mn for GDPR Infringement

The Irish Data Protection Commission (DPC) has fined LinkedIn €310 million (approximately $335 million) for violating the General Data Protection Regulation (GDPR). The fine was issued due to LinkedIn's inadequate handling of user data for behavioral analysis and targeted advertising. 

The DPC found that LinkedIn did not obtain valid consent from users and failed to provide clear information about how user data was being used.

This fine is one of the largest ever issued under the GDPR and serves as a strong reminder of the importance of data protection compliance. 

Key points of the infringement include:
  • Invalid Consent: LinkedIn did not obtain valid consent from users for processing their data. 
  • Lack of Transparency: LinkedIn failed to provide clear information about how user data was being used. 
  • Fairness and Lawfulness: The processing of personal data was found to be unfair and unlawful.

LinkedIn has stated that it is working to ensure its ad practices comply with the DPC's decision.

LinkedIn attempted to justify its data processing practices using consent, legitimate interests, and contractual necessity, but the DPC found these justifications invalid.

The professional networking platform did not properly inform users about its data processing activities, violating the GDPR principles of transparency and fairness.

LinkedIn has been given three months to bring its data processing practices into compliance with the GDPR.

Last year in May, Meta was fined €1.2 billion (approximately $1.3 billion) by the Irish Data Protection Commission for transferring personal data of European users to the United States without adequate data protection mechanisms.

In July 2021, Amazon was fined €746 million (approximately $888 million) by the Luxembourg National Commission for Data Protection for its advertising targeting system that operated without proper consent.

In 2019, Google was fined €50 million (approximately $57 million) by France's data protection authority for failing to provide clear information about its data processing activities and not seeking proper consent for targeted advertising. 

Mastercard Debuts New Open Banking-powered Tools

Mastercard has recently introduced a suite of open banking-powered tools designed to give consumers greater control over their financial data.

Mastercard has introduced Connect Plus, a data-consent command center that allows consumers to manage where, how, and with whom their financial data is shared.

Connect Plus also gives customers Enhanced Identity and Device Intelligence, with features that help ensure secure and seamless sharing of financial data with third parties.

Connect Plus will deliver a streamlined and secure platform for individuals to manage their data shared through Mastercard’s Open Banking network. Offering a 360-degree view of the third parties a consumer has granted data access to and the tools to manage the access, Connect Plus empowers individuals to take charge of their financial lives, safely and with ease.

And to ensure the consumer is kept in the loop at all times, Connect Plus will notify users when a third-party’s permission to access account data is expiring or needs additional attention.

The Mastercard Account Owner Verification solution, along with a library of APIs for open banking and beyond, is available now at Mastercard Developers.

Open banking can drive innovation by enabling the development of new financial products and services that leverage consumer-permissioned data.

Consumers can use a secure, easy-to-use digital web application to search for and link their bank accounts, view which third parties have access to their data, and manage permissions.

Mastercard is piloting Connect Plus this year and expects to expand to full availability in the U.S. in 2025.

Mastercard has been actively working on expanding its open banking-powered tools globally. While the initial launch is focused on the U.S., the company has expressed its commitment to bringing these solutions to other markets as well. The timeline for the global rollout will depend on various factors, including regulatory approvals and partnerships with local financial institutions.

Open banking enables consumers to access valuable financial experiences, such as easier ways to pay recurring bills, build credit, and secure loans.

This initiative aims to make financial data sharing more secure and convenient for consumers, empowering them to take control of their personal information.

Mastercard's new open banking-powered tools are likely to have several significant impacts on the credit card industry.

By providing consumers with greater control over their financial data, these tools can help reduce the risk of data breaches and fraud. This increased security can build consumer trust in digital financial services.

Open banking allows for seamless integration of financial services, making it easier for consumers to manage their finances, pay bills, and access credit.

With easier access to financial data, fintech companies and other non-bank entities can offer more competitive products and services, potentially challenging traditional credit card issuers.

Keystroke Technology Got an 18-Year Employee Fired from Her WFH Job

After spending 18 years with a major insurance company, an Australian woman was let go after the company, using keystroke technology, found that she wasn’t typing enough while working from home.

The woman, 38-year-old Suzie Cheikho, was fired from Insurance Australia Group (IAG) for not typing enough while working remotely. Australia's Fair Work Commission (FWC) rejected her "unfair" dismissal application, saying that she was fired for a "valid reason of misconduct".

The insurance firm used a sneaky technology referred to as keystroke technology to monitor the employee's work-from-home performance and productivity. Keystroke technology refers to any technology that records or analyzes keystrokes. It can include software-based or hardware-based keyloggers. This particular software managed to pinpoint the employee’s inefficient working style using something as simple and mundane as typing.

Keystroke logging, often referred to as keylogging, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.

According to the insurance firm's logger data, Cheikho recorded zero keystrokes over 117 hours in October, 143 hours in November and 60 hours in December. At most, she was found to be averaging 54 strokes per hour during the surveillance period.

Though keyloggers are legal, with many designed to allow employers to oversee the use of their computers, they are most often used by hackers for sinister activities like stealing passwords and other confidential information.

Speaking to a few experts gave another perspective: since keystroke technology was primarily created for hacking confidential information (developed in the 1970s by the Soviet Union to target typewriters), it would not work all the time for monitoring employees. Citing an example, an executive at one of the Big Four companies said, "the job profile of the Aussy woman in this case isn't clear. Some insurance employees or recruitment executives, for example, have to make calls then typing on their keyboards. So they might miss or have less key strokes than a software developer."

Notably, most companies today provide company laptops when on-boarding employees, and the number of companies providing laptops increased after the COVID-19 pandemic, when working remotely became the new norm and new employees were welcomed with welcome kits and laptops. Very few of these companies had keylogger software pre-installed to track the performance of their WFH employees.

Besides, Microsoft also publicly acknowledged that Windows 10 has a built-in keylogger in its final version "to improve typing and writing services".

Moreover, the web browser used within the TikTok app can track every keystroke made by its users. According to a research report, TikTok inserts code that can track activity on sites accessed through its in-app browser, although TikTok said it uses the code for things like debugging. Notably, TikTok is banned in both the US and India, but keyloggers are not.

Keyloggers are also silently installed on users' smartphones by hackers through keyboard apps, without the user's knowledge, and secretly send data to the hackers in the background. Android smartphone experts advise installing a verified keyboard from a trusted source and never installing a keyboard from third-party platforms. If your phone's battery drains fast or the phone heats up, it could also be carrying a keylogger.


Digital Personal Data Protection Bill Industry-Friendly: IAMAI

The Internet and Mobile Association of India (IAMAI, www.iamai.in) in a statement issued today has lauded the Digital Personal Data Protection Bill (DPDP) as industry-friendly. It has struck the right balance between protecting the interests of the data principals while leaving enough room for tech start-ups to innovate and grow.

According to the feedback received from the majority of IAMAI members, the reconceptualization of the data protection framework in the DPDP to balance innovation and economic growth with the interests of users will go a long way to assuage concerns of digital businesses and help make India a trillion-dollar digital economy by 2025. In particular, IAMAI appreciates the more liberalized framework for cross-border data flows and the exclusion of non-personal data from the ambit of the DPDP Bill. IAMAI also appreciates that the Bill imposes only financial penalties for non-compliance as opposed to both financial and criminal penalties.

Commenting on the Bill, Dr. Subho Ray, president, IAMAI stated, “By following a deep and wide process of consultation including that of a joint parliamentary committee, excluding non-essential provisions, by making a clear commitment that no Rules exceeding the provisions of the Act would be made, and yet protecting the interests of the state, citizens and the digital economy, this Bill has possibly set up new standards of law-making”.

On behalf of its members, the association has requested the government to provide clarifications regarding the DPDP so that once it is passed into an Act, there is better compliance by IAMAI members. In particular, there remain ambiguities surrounding the timelines for implementing the various provisions of the Bill and mechanisms for obtaining verifiable parental consent to process the personal data of children. As the inclusion of specific timelines will provide a roadmap for the industry to better comply with the Bill, IAMAI has requested the government to clearly indicate reasonable timelines by which the various provisions of the DPDP will be implemented and to adopt a graded approach to prescribing such timelines. IAMAI has also urged the government to consider a flexible approach to obtaining parental consent, as prescriptive mandates may have an adverse cascading impact on sectors that provide services to younger individuals.

IAMAI is confident that through consultation and collaboration, the final version of the law will help stakeholders who are invested in and committed to the digital ecosystem of India.

About Internet and Mobile Association of India

Established in 2004, Internet and Mobile Association of India (IAMAI) is a not-for-profit industry body and the country's only organization representing the digital services industry with over 400 Indian and multinational corporations as its members, which include established companies in diverse sectors of the digital ecosystem as well as start-ups. Its mandate is to expand and enhance the online and mobile value-added services sectors. It is dedicated to presenting a unified voice of the businesses it represents to the government, investors, consumers and other stakeholders. IAMAI represents varied sectors such as digital advertising, digital entertainment, traveltech, online gaming, digital payments, fintech, digital commerce, edtech, healthtech, agritech, big data, ML, AI & IoT, AR/VR, logisticstech and so on.

AI-driven Chat Service Company Shares People's Data with Its For-Profit Spin-Off



Crisis Text Line, a global not-for-profit organization that provides a free, 24x7 mental health texting service through confidential crisis intervention via SMS, has allegedly used and shared a sliced and repackaged version of its data to create and market customer service software.

The non-profit company collects data from its online text conversations with people and uses big data and Artificial Intelligence (AI) to help people cope with traumas such as self-harm, emotional abuse and thoughts of suicide, said a report by Politico, a political journalism company based in the United States and internationally.

According to the report, Crisis Text Line has allegedly shared data with its spin-off called 'Loris.ai', an AI-driven customer service software platform that uses machine-learning to provide companies AI-driven customer conversations with empathy. Customer companies can install Loris.AI as an app into their existing customer service platform such as Zendesk, Salesforce, etc.

Loris.AI is headquartered in New York, U.S. and also has an office in Tel Aviv, Israel. 

The report further said that Loris.AI has pledged to share some of its revenue with Crisis Text Line. Moreover, Crisis Text Line also holds an ownership stake in Loris.AI, and the two entities shared the same CEO for at least a year and a half. The two call their relationship a model for how commercial enterprises can achieve charity-tasks.

Crisis Text Line, however, says that any data it shares with Loris.ai has been wholly “anonymized,” stripped of any details that could be used to identify people who contacted the helpline in distress. Both entities say their goal is to improve the world — in Loris’ case, by making “customer support more human, empathetic, and scalable.”

Notably, Crisis Text Line has financial backing from some of the biggest tech names and VC funds, including Reid Hoffman, Melinda Gates, The Ballmer Group, and Omidyar Network.

The services of Crisis Text Line are available 24 hours a day, every day, throughout the United States, Canada, UK, and Ireland.

Further, in a statement on its website, Crisis Text Line said: “During these past days, we have listened closely to our community’s concerns...We hear you. Crisis Text Line has had an open and public relationship with Loris AI. We understand that you don’t want Crisis Text Line to share any data with Loris, even though the data is handled securely, anonymized and scrubbed of personally identifiable information.” Loris.ai will delete any data it has received from Crisis Text Line.



This incident also raised questions about the 'AI ethics' currently prevalent in businesses. Ideally, ethical AI standards, meaning a system of moral principles and techniques intended to inform the development and responsible use of artificial intelligence technology, should be practiced.

Social Media Platforms Will Have To Adhere To Indian Privacy Laws Now: Tsaaro Survey


Tsaaro Conducts Survey On People's Expectations from Draft Personal Data Protection Bill 2019

Tsaaro, India's premier Data Protection-as-a-Service provider, today announced the key findings of its survey on people's expectations from the upcoming Personal Data Protection Bill 2019. The extensive study saw participation from more than 200 Privacy Professionals across Education, Healthcare, Information Technology, Banking & Finance, and other sectors. Tsaaro aimed to gather valuable insights and, on that basis, drafted a detailed report depicting people's stand on the draft of the Personal Data Protection Bill.

Over 51% of respondents said they thought the drafted Bill was at par with other global privacy laws such as the GDPR, CCPA & the PIPL. However, most of the participants recommended that the drafted Bill should provide for an independent Data Protection Authority similar to the GDPR. The drafted Bill in its current form allows for excessive Government intervention and therefore it is unlikely that the DPA will function independently.

When participants were asked whether they agree with the proposed provision of inculcating Data Localisation in reference to the organizations which are operating outside India, 70% of the participants agreed to the provision. 93% agreed that Social Media Platforms will have to adhere to Indian Privacy Laws now. A majority of the participants felt that the definition of critical data needs to be worked upon and a total of 71% of participants felt that the definition, as of now, was not up to the standard.

When asked if there should be a restriction on the number of Data Subject Requests an individual is entitled to, 69% of participants agreed that there should be some form of limit that allows access without infringing on an individual's rights, while 76% of the respondents agreed that there should be a retrospective application of the provisions of the drafted PDP Bill. Only 10% of the participants responded that the upcoming Bill should be enacted as it is. When asked if consent should be the sole legal basis on which data may be processed, the majority of participants said no, adding that the law should allow for another legal basis on which data can be processed.

Regarding data subject rights, Tsaaro discovered that the majority of participants were worried that the drafted Bill does not guarantee the same rights to Data Subjects as privacy legislation such as the GDPR does.

Further, a majority of the participants were not satisfied that the existing data protection principles are sufficient in light of evolving technology. They felt that once the Bill is enacted there should be a given time within which organisations can ensure compliance, and that there must be a retrospective application of provisions and agreement on Data Localisation as a mandate, especially for Social Media Platforms operating in India.



It was suggested that the upcoming Bill should state that public bodies are to be held liable for data breaches they cause. Government bodies collect and process large amounts of Personal Data and Sensitive Personal Data. Therefore they should not be exempted from complying with the provisions in the drafted Bill. In case of data access requests by public bodies, the entity subject to such a request should be obliged to inform this publicly unless the request is for crime or fraud prevention.

The majority of the participants felt that there must exist clear definitions of terms in the upcoming statute, as vague definitions create grey areas and further obstruction in the natural course.

Akarsh Singh, CEO & Co-founder, Tsaaro says, “Data Privacy is a growing concern amidst increasing number in Data Breach Incidents. The much-awaited personal data protection bill which is scheduled to be tabled in the winter session of the parliament starting today has received a mixed response. We wanted to deep-dive into the several possibilities, recommendations as well as a general overview of data privacy experts and professionals. The survey, conducted over the last 3 weeks, has been effective in bringing to light the key pain points of the industry and we hope to bring insights for people in general as well as the policy-makers to consider.”

The company aims to modernise training technologies and become a digital competence centre. The Academy is developing suitable strategies to partner with more specific and industry players to extend their services and also to provide more improvised training. The company takes a pragmatic, risk-based approach to provide its clients with real-world, workable advice, guidance, and support that helps them deal with a wide range of security and privacy-related challenges.

German State's Data Watchdog Warns Govt Against Zoom for GDPR Violation



The Data Protection Authority for the German state of Hamburg, the Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit), has formally warned the state's Senate Chancellery against using Zoom over data protection concerns, reported TechCrunch.

The Hamburg DPA has warned against using the video conference solution from Zoom Inc. in the so-called on-demand variant. Such use violates the General Data Protection Regulation (GDPR), as it is associated with the transmission of personal data to the USA, said the public warning.

Zoom allegedly violated the European Data Protection Board's guidelines for transferring personal data to a third country.

In the public press release, the German Senate Chancellery further said: "The European Data Protection Committee has formulated requirements in order to be able to transfer personal data to a third country such as the USA in accordance with the GDPR. The HmbBfDI is based on this standard in business and public administration. The documents submitted by the Senate Chancellery on the use of Zoom show that these standards are not being adhered to. Other legal bases such as the consent of all parties concerned are also not relevant here."

Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information said, "Public bodies are particularly bound to comply with the law. It is therefore more than regrettable that such a formal step had to be taken. At the FHH (Free and Hanseatic City of Hamburg), all employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission. As the central service provider, Dataport also provides additional video conference systems in its own data centers. These are used successfully in other countries such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system."

Earlier in July, the Federal Data Protection Commissioner (Golem) of Germany ordered government authorities and agencies to leave the social networking platform Facebook by the end of the year, due to similar data privacy concerns.

How To Protect Your Data Networks Against A State-Sponsored Cyber-Attack



- By Sonit Jain, CEO of GajShield Infotech

Many data security experts believe that the number of state-sponsored cyber-attacks will continue to rise in the near future. Big organisations in any country represent the most attractive and vulnerable targets for state-sponsored cybercriminals. Such organisations' data security measures are no match for the tools and techniques used by the criminals to break into their databases. 

To protect your organisation against such threats, the following ideas can be implemented:

Isolating organisational data

Perhaps unsurprisingly, one of the ways to prevent a state-sponsored cyber-attack is to remove the files and folders containing sensitive data from your organisation’s cloud storage facilities. Maintaining local copies of digital documents can prevent attackers from accessing them through the internet. 

Moreover, if such files are shared online, the transfer channels (organisational networks) must be safeguarded with intelligent firewalls and other cyber-security tools. Most importantly, data sent online must be encrypted to prevent information breaches along the way.

Deploying quantum computing

Quantum computing can be a potent tool in the hands of cybercriminals. Quantum computing tools are powerful enough to blitz through most data security barriers in organisations. To counter that, entanglement, a concept related to quantum physics, can be used. Entanglement is a property by which the physical and chemical natures of two particles are strongly interconnected. A change in the structure or composition of one particle triggers a perceptible change in the other one too. Using this concept, organisations can create evolving data security frameworks to protect their digital assets.

Radical solutions must be used to protect your company from state-sponsored cyberthreats.


This content has been authored by Mr. Sonit Jain. With over 26 years of industry experience, Mr. Sonit Jain has been working in the area of Information Technology since 1993.

IndianWeb2.com © all rights reserved