Governments Push Data Privacy Laws While Expanding Surveillance


The surge of government activity on citizen data protection — what’s actually happening

Governments are moving fast on citizen data protection — and the activity is real, not rhetorical.

In India, the Ministry of Electronics and Information Technology convened a National Consultative Workshop in New Delhi specifically to strengthen cybersecurity frameworks for State-held citizen data. S. Krishnan chaired the session, which brought together officials from States, Union Territories, CERT-In, the National Informatics Centre, and the National e-Governance Division. The consultation sits within a four-stage national initiative designed to produce a comprehensive cybersecurity policy framework covering all States and Union Territories — a significant bureaucratic undertaking driven by one central pressure point: governments digitising public services faster than they can secure them.

Singapore moved on legislation. Parliament passed an amended Public Sector (Governance) Act on January 12, authorising government agencies to share citizen data with external partners, including social service agencies. The framework requires ministerial authorisation before any data sharing occurs. External parties that misuse shared data face penalties equivalent to those applied to public officers, with additional obligations under Singapore’s Personal Data Protection Act layered on top.

Both moves reflect genuine institutional momentum. Governments are not simply issuing statements — they are building policy architecture, convening stakeholders, and passing binding legislation. The problem is timing. Digital public infrastructure expanded first; the frameworks to govern it came after. India’s workshop is explicitly reactive, an attempt to catch up with the scale of service digitisation already underway. Singapore’s amendment addresses a data-sharing gap that existed because government agencies were already operating with external partners before formal legal authority was in place to regulate how citizen data moved between them.

The activity is substantive. The sequencing reveals the deeper issue: protection frameworks are being retrofitted onto systems built without them.

The uncomfortable contradiction: governments undermining the very privacy they promise

Governments talk about protecting citizen data while simultaneously dismantling the infrastructure that makes protection possible.

The clearest recent example: the UK government issued a Technical Capability Notice ordering Apple to provide backdoor access to encrypted iCloud data. Apple’s response was immediate and blunt — it removed Advanced Data Protection, its end-to-end encryption option, for all UK users. Not just for suspects under investigation. Not just for individuals flagged by law enforcement. For everyone in the country. A security feature that existed for millions of ordinary people disappeared because one government demanded a skeleton key.

The Internet Society and Internet Society UK England filed expert evidence in a UK court challenging that order, warning that secret government directives compelling companies to restructure encrypted services create systemic vulnerabilities. The argument is technical, not political: a backdoor built for state access doesn’t stay exclusive to the state. The same architectural weakness that lets law enforcement in lets hostile actors in too — criminal networks, foreign intelligence services, anyone with the capability and motivation to exploit it.

This is the context that goes missing in coverage of government data protection legislation. Singapore’s amended Public Sector (Governance) Act, passed in Parliament in January, introduces frameworks for sharing citizen data with external partners, with ministerial authorisation requirements and penalties for misuse. The safeguards are real. But safeguards governing how data is shared mean nothing if the encryption protecting that data has already been hollowed out at the technical level by separate government action elsewhere — action that sets international precedent.

The contradiction isn’t accidental or isolated. Governments pursue surveillance capabilities and data protection frameworks through different ministries, different legislative tracks, different public messaging. The surveillance side rarely appears in the press releases about citizen privacy commitments. What results is a gap between the legal protections governments announce and the technical security those protections depend on — a gap that governments themselves are actively widening.

The knowledge gap inside government that no workshop can paper over

The officials responsible for protecting citizen data frequently lack the foundational knowledge to design protections that actually work. Snowflake field CTO Fawad Qureshi puts it plainly: what the commercial world treats as basic data literacy is still emerging in parts of government. “There is a knowledge gap between the public and the commercial sector,” Qureshi said. “What we assume is common sense or straightforward is not always so common in government.” That gap is not a minor operational inconvenience — it means the people writing data protection policy often cannot evaluate whether what they are writing will function in practice.

The UK government’s stated ambition to become a global AI leader runs directly into this problem. Strategy papers and summit speeches rest on an assumption that the state already governs its data with maturity. It does not. Without internal data literacy, protection frameworks become performative — documents that signal intent without delivering security.

India’s Ministry of Electronics and Information Technology took a concrete step by convening a National Consultative Workshop on cybersecurity frameworks for state data in New Delhi. The workshop, chaired by Secretary S. Krishnan, brought together officials from states, Union Territories, CERT-In, the National Informatics Centre and other agencies. It forms part of a four-stage national initiative to build a comprehensive cybersecurity policy framework across states and Union Territories. That is a necessary structural move.

But the workshop model has a hard ceiling. Convening officials creates awareness; it does not automatically install the technical and institutional capacity needed to act on it. A meeting that surfaces problems is only as valuable as the sustained investment that follows. Governments that run consultations without funding the expertise to implement their conclusions end up with frameworks that look serious on paper and collapse under scrutiny. The knowledge gap Qureshi identifies cannot be papered over with a single convening, however well-attended.

The global regulatory patchwork: who is actually setting the standard?

The EU’s General Data Protection Regulation remains the single most consequential data protection framework operating globally. It mandates that companies obtain explicit consumer consent before using personal data, explain precisely how that data is used, and report breaches as they occur. Critically, the EU’s adequacy mechanism means any country wishing to receive European personal data freely must demonstrate equivalent protections — a standard that effectively exports GDPR requirements far beyond European borders. Countries that fail to qualify face legal barriers to receiving European data transfers, making adequacy a genuine enforcement lever rather than a diplomatic courtesy.

The United States has no federal privacy law. American companies serving European users must comply with GDPR, yet those same companies face no equivalent obligation toward their domestic users. European courts have twice invalidated transatlantic data-sharing arrangements — first Safe Harbor, then Privacy Shield — precisely because US national security services can access data in ways GDPR prohibits. That structural gap makes any American claim to global privacy leadership untenable on its face.

India and Singapore are building frameworks, but neither holds EU adequacy status. India’s Ministry of Electronics and Information Technology convened a National Consultative Workshop in New Delhi to develop cybersecurity policy across States and Union Territories — a genuine institutional effort. Singapore passed amendments to its Public Sector (Governance) Act in January, allowing government agencies to share citizen data with external partners under ministerial authorisation and with penalties attached to misuse. Both moves signal regulatory intent. Neither closes the adequacy gap. Indian and Singaporean citizen data flowing into international systems can still land in jurisdictions with weaker protections, regardless of what domestic workshops commit to on paper.

The result is a fragmented global landscape where GDPR sets the de facto ceiling, the US operates without a floor, and emerging frameworks remain works in progress. Citizens in non-adequate countries carry the exposure.

What genuine citizen data protection would actually require

Genuine citizen data protection demands technical consistency, and right now governments are failing that test. A government cannot run public cybersecurity workshops while simultaneously ordering tech companies to break encryption: the two positions are not merely in tension, they are technically incompatible. The UK demonstrated this contradiction in practice when it issued a Technical Capability Notice ordering Apple to provide access to encrypted iCloud data. Apple responded by removing its Advanced Data Protection end-to-end encryption option entirely for UK users. The Internet Society filed for standing in the UK court challenge to that order, arguing the secret mandate creates security vulnerabilities that extend far beyond any single user or investigation. Every backdoor built for one government is a backdoor that hostile actors can find.

Singapore’s Public Sector (Governance) Act amendments, passed in Parliament in January 2025, offer a partial blueprint for structured data sharing. The framework requires ministerial authorisation before government agencies share citizen data with external partners such as social service organisations, and it extends Personal Data Protection Act obligations to those third parties, with penalties for misuse matching those applied to public officers. That architecture — defined authorisation, downstream liability, legislative grounding — is more rigorous than most. The gap it leaves is transparency: citizens are not systematically informed when their data moves beyond the public sector or why.

Closing the broader gap between privacy rhetoric and state surveillance practice requires three things, none of which are currently on the table in most jurisdictions. First, binding international adequacy standards modelled on the EU’s GDPR framework, which already forces companies operating across the bloc’s 27 member states to meet baseline protections and restricts data transfers to countries without equivalent laws. Second, mandatory government data literacy programmes — Snowflake’s field CTO Fawad Qureshi has identified a clear knowledge gap between public sector and commercial practice, and that gap directly undermines the state’s ability to govern data responsibly. Third, an end to legislative backdoor mandates. Encryption is infrastructure. Governments that weaken it for surveillance purposes weaken it for everyone, including the citizens they claim to protect.

AI-Assisted Content — This article was produced with AI assistance.