India’s lower house of parliament greenlit the revised data privacy legislation presented the previous week, even as the bill has received criticism, with many believing that it grants significant discretionary authority to the Narendra Modi–led government.
The Digital Personal Data Protection Bill, which was reintroduced in the lower house last week (nearly a year after abrupt withdrawal of a previous proposal last), makes it mandatory for companies collecting user data to obtain explicit user consent before processing it. However, it includes “certain legitimate uses” as an exemption for data collection without user consent. It lets platforms process personal user data without the consent of their users when it is provided voluntarily in certain situations, such as sharing payment receipts with users or offering public services.
The bill allows the Indian government to waive compliance requirements for certain data fiduciaries, such as startups, if necessary. It also empowers the government to establish a data protection board and appoint all its members, including the chairperson.
Additionally, the data privacy bill protects the Indian government and its established data protection board from legal action.
The data privacy bill needs to be approved by parliament’s upper house and the Indian president to become a law.
This proposed legal framework comes at a time when digital services are flourishing in the world’s most populous nation. India’s intensifying focus on data privacy, a strategic move that has been brewing over several years, finds resonance with concurrent initiatives in numerous other countries. India’s IT minister Ashwini Vaishnaw said Monday that the bill was necessary to protect the right to privacy of Indian citizens.
The bill covers handling digital personal information, even if it takes place outside of India, as long as it relates to providing goods or services to Indian individuals. The government has the power to decide which countries are not allowed to receive personal data from users.
Opposition leaders, members of the civil society and independent bodies, including the local journalists’ association Editors Guild of India, expressed apprehension about the data privacy bill’s provisions that grant the central government certain powers and exemptions.
Vaishnaw said the bill was created after a thorough public consultation process involving 48 organizations, 39 ministries, and approximately 24,000 consultations.
New Delhi–based digital rights advocacy group Internet Freedom Foundation said the bill failed to include “several of the meaningful recommendations” that were made during the consultation process of its last draft, and it did not “sufficiently safeguard” the right to privacy of individuals in the country.
“There are many accepted principles of digital data protection,” the minister said, adding that the bill included the principles of legality, purpose limitation, data minimization, accuracy, storage limitation, reasonable safeguards and accountability.
“Today, about 900 million Indians have connected to the Internet. . . . In such a situation, there is a need for protection of rights, security and privacy of citizens in this digital world. For this, bill has been brought,” Vaishnaw said.
He added that unlike Europe’s GDPR, which included 16 exceptions, the data privacy bill introduced by the Indian government has only four exceptions.
Debates over data protection in the South Asian nation started back in 2017. During that year, India’s Supreme Court reaffirmed privacy as a fundamental right. Two years later, the Indian parliament received the first personal data protection bill that was withdrawn last year after privacy advocates and tech companies, including Amazon, Google and Meta, criticized it for its exemptions for government departments, limitations on protecting user data and restrictions over data exports.