Independent Research and Policy Advocacy

Defining “Harm” in the digital ecosystem

Save Post

Update: This post is based on the provisions of the Personal Data Protection Bill, 2018. A new Personal Data Protection Bill 2019 was introduced in the Lok Sabha in the Winter Session of the Parliament in December 2019. However, this post is not affected as the provisions it is based on have remained unchanged in the new Bill.

Indian users are rapidly gaining more access to information and communication technology (ICT). Over 1168.89 million telecom subscriptions exist in the country, and internet usage is also growing steadily with more than 512.26 million internet subscribers (TRAI, 2018). India, today, is the second largest user of the internet and the second largest market for smartphones (Bhattacharya, 2018). The digital ecosystem data has the potential to increase the efficiency and speed in delivery of services and align the design of products with the users’ preferences. However, it can also render users vulnerable to a variety of new harms. This blog series introduces the reader to the different kinds of harms which can arise from the digital ecosystem and how the draft Personal Data Protection Bill, 2018 grapples with them. The first article in this series introduces some new harms facing users in the digital ecosystem that players in the Indian ecosystem must contemplate in order to build appropriate safeguards.

In 1993, Peter Steiner published a seminal cartoon in The New Yorker. The caption of the cartoon read, “On the internet, nobody knows you’re a dog” (Fleishman, 2000) highlighting one of the key features of the internet – anonymity. Today this adage no longer seems to be applicable. As people spend more time online generating and consuming a high volume of data, they are creating digital footprints that are replete with their personal information. Consequently, the internet is transforming from being a passive interface between the user and the service provider to an active cache of information that service providers can tap into.

This has important implications for financial services. For instance, traditionally, a person seeking a loan would have to submit information such as name, employment status and financial details. Typically, the lender would assess their creditworthiness through their credit score, issued by regulated credit bureaus. The absence of a credit score could count against a potential borrower, despite other (non-credit scored based) indicators of the person’s repayment-attitudes and ability to pay demonstrated in their general behaviour. Today, digital service providers can overcome these limitations by understanding their customer better through their digital activity (Stewart, 2014). In the case of the same financial loan, by using the alternative, personal data of a prospective borrower, the lender can create a more comprehensive consumer profile to better gauge credit risk-associated with the borrower. In some instances, this enables lenders “to offer consumers new credit opportunities, and in other cases it might illuminate risk” (Experian, 2018). Alternative data typically includes payments of utility bills, telecom bills as well as data generated through social media platforms, as well as data passively collected by the digital credit platform such as browser history.

Given increased usage of ICT technology, such data is abundant. A quintillion bytes of personal data are generated every day on the internet (Marr, 2018) and data analytics has made it possible to ascertain a person’s identity and character by analysing their digital records (Kosinski, Stillwell, & Graepel, 2013). Several entities deploy data analytics to identify users, infer their financial details, health details, personal requirements, preferences, fetishes and quirks. When a user can be decoded in this manner, they also become more susceptible to harm. This article probes harms that may surface in the digital ecosystem.

The Indian Digital Ecosystem

The Indian digital ecosystem also mimics global trends of increased data consumption, generation and internet access. The table shows a significant increase in broadband usage, internet usage and mobile phone usage, over the last two decades.

In addition to the increased usage of internet and mobile phone itself, more than 462 million people also use mobile internet (TRAI, 2018), (TRAI, 2018). Although these translate into a small fraction of the Indian population (Bhattacharya, 2018)—only ~33% of the Indian population uses the internet (Hindustan Times, 2017) and only ~22% of Indian adults own smart-phones (Bhattacharya, 2018))—India is  the second largest user of the internet and the second largest smart-phone market in the world (Bhattacharya, 2018) generating enormous amounts of data: approximately 40000 petabytes every month (ETTech, 2018).

Indians are thought to be consuming 1 GB of data every day as opposed to 0.13 GB a day, one and a half year ago, on their smartphone alone (Nielsen, 2018), (CISCO, 2016). These numbers are expected to rise exponentially, considering, close to 50% of smartphone owners did not subscribe to data as of 2017 (Omidyar Network, 2017). In rural India, close to 58% (~513 million) people use mobile phones but only approximately 16% (~140 million) use the internet (TRAI, 2018) and less than 5% of adults own a smartphone (Omidyar Network, 2017).

If the penetration of ICT services is set to continue at a rapid pace, this also raises new concerns in the ecosystem. Users face a new variety of risks in this new world that demand the urgent attention of all stakeholders.

Harm & its Forms

The increased use of personal data is creating new kinds of harms for the consumer, while also amplifying some of the existing harms. Our earlier work shows that privacy harms, identity theft, harms due to extreme differentiation and harms occurring from the use of untested algorithms are some new forms of harms emerging in the digital ecosystem (Chugh & Kumar, 2017). Over the last two years we have seen some of these harms materialise in India:


Figure 2, briefly illustrates some instances of the different kinds of harm which the Indian user has suffered in the past two years. In 2017, 3.24 million data records were stolen, lost or exposed in India. Close to 52% of Indians reported a data breach in 2017 compared to the global average of 36% (PTI, 2018). Estimates suggest that in 2017, India witnessed approximately 29 major data breaches (Khetarpal, 2018), while each data breach is estimated to cost close to 11.9 crore rupees (IBM & Ponemon Institute LLC, 2018). Unauthorised access to users’ personal data also leaves them vulnerable to a wide variety of immediate and advanced forms of harms. Other jurisdictions are grappling with some advanced harms from improper processing, such as the loss of employment opportunities, as in Robins v Spokeo, Inc (Robins v Spokeo, Inc., 2017); or discrimination by virtue of individuals’ social identity such as in the Amazon Prime Services incident (D. Ingold, 2016).

Our small, deeply qualitative primary research also led us to similar findings. In 2017, we set out to understand how people across different sections of the society in India valued their privacy over their personal data and if they felt prepared to tackle the new challenges presented by the digital ecosystem (Dvara Research, 2017). Our findings show that people value their personal data deeply and most respondents had suffered financial fraud through telephonic impersonation, while many others feared reputational harm. Participants were unwilling to sell their data in for money or privilege. Instead, they were willing to share their personal data if they were assured that no harm would be caused to them through it. They felt ill-equipped to understand and protect themselves from these new harms. Citing their inability to identify potential sources and forms of harms, participants pressed for responsible provider behaviour.

As the Indian digital ecosystem continues to grow at unprecedented levels, stakeholders must be watchful of these new challenges especially since many of Indians who will join the digital ecosystem will be from lower-income households who may be financially and digitally vulnerable. If the digital financial ecosystem is not created responsibly, these households could face unexpected financial shocks created by financial theft or phishing, which would disrupt their economic stability. This could set back their chances of integrating into the formal financial system (Medine, 2016); and may cut them off from various other vital services. These shocks could also dissuade users from using digital services (Medine, 2016) and limit their engagement with new channels of formal finance which have potential to improve their standards of living (Raghavan, 2017) (Omidyar Network, 2017). A dire need for protecting users from harm emerges from this scenario.

Identifying data-related harms

Identifying data-related harms poses a unique regulatory challenge since they are unpredictable and indiscernible. Typically, data harms may be caused after a user’s personal data is breached or when it is processed. When either of these events occur, it is difficult to ascertain when and how they would harm the user. Moreover, technological developments will continue to give rise to new varieties of harms, making a complete list of harms difficult to conceive of. Today, a breach of personal data increases the risk of identity theft, monetary theft, financial fraud or harassment (Kemp, 2017), blackmail and distortion of data (Solove, 2006). It may also cause physical violence against the user. Improper data processing can lead to inaccurate or discriminatory conclusions about a user’s traits which may result in their losing employment or their creditworthiness. It may also be used to manipulate a user’s behaviour online and offline (Kemp, 2017). Breaches and data processing can also be used for surveillance and profiling by private parties as well as the government (Solove, 2006). However, there is no way to know when and how any of these harms would materialise:

Therefore, though it is foreseeable that personal data can be used to cause harm to a user, the form of harm is indiscernible and unpredictable. Regulators must grapple with these issues when regulating harms.

Countries around the world have begun to take cognizance of this fact. More countries are enacting laws to regulate data processing and protect consumers (Consumers International, 2018).[1] The draft Personal Data Protection Bill, 2018 attempts to answer this call. The draft Bill, under section 3(21), defines harm elaborately- as including harms to person, property, reputation et cetera.[2] It builds also its regulatory structure around harm to the consumer which serves as a trigger for initiating regulatory action. However, this approach to defining harm and using it as a trigger may not be an effective solution for consumer protection. The next article will unpack the conception of harm under the draft Bill and illuminate some important concerns about the shortcomings of this approach.



[1]Also see UNCTAD, Data Protection Regulations and International Data Flows: Implications for Trade and Development, 2016 available at

[2]Available at,2018.pdf


Authors :

Tags :

Share via :

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts :