The upper house of India’s parliament greenlit the country’s first data protection act on Wednesday, facing no resistance as opposition leaders opted out of participation. The bill — which is set to become law once it receives approval from the President of India, which is highly probable as it’s just a formality — grants the Prime Minister Narendra Modi-led government greater control over how tech companies process users’ data amid concerns that the law will be used to increase surveillance.
The Digital Personal Data Protection Bill allows companies to transfer some user data abroad and imposes penalties on companies for breaches in data security. Furthermore, it provides New Delhi with a legal framework to ensure adherence to these regulations and enforce a penalty of up to $30 million for violations and non-compliance.
The bill also bars companies from processing personal data that could negatively impact a child’s wellbeing, requires verifiability of parental consent for processing personal data of children, and mandates companies to delete user data once it no longer fulfills its original business intent.
Murali Rao, Cybersecurity Consulting Leader at EY India, said in a statement that there are “implementation complexities that could prove to be a challenge for organizations while complying with the requirements of the bill.”
The bill allows the Indian government to waive compliance requirements for certain data fiduciaries, such as startups.
The bill was approved by the lower house of the parliament last week even as some lawmakers in the opposition denounced many of its aspects. India’s IT Minister, Ashwini Vaishnaw, refuted claims that there was insufficient consultation in drafting the bill. He said Wednesday that the government took input from 48 organizations, consulted with over three dozen ministries, and considered more than 24,000 comments during the preparation of the legislation.
“This bill is very pro-citizen and pro-privacy,” he said in the upper house of the parliament Wednesday. “This bill is very much in the spirit of the government where we would like to ensure that every citizen’s data is fully protected.”
In a briefing with reporters on Wednesday evening, Vaishnaw said the government has started to work on the implementation of the legislation and the rollout will be apparent “very soon.”
“This is a very, very big change in the entire digital economy. So, we will take every step with proper checks, proper balance, proper verification; we must make it a robust mechanism,” he said.
The bill, six years in the making, was abruptly withdrawn last year and a version of it was withdrawn in 2019 after many of its proposals rattled Meta, Google and other tech giants.
The members from the opposition skipped participation in the voting on Wednesday, prompting criticism from Vaishnaw, who alleged that the opposition members’ action is a disservice to the 1.4 billion citizens.
The introduction of the legal framework coincides with the surge in digital services in the world’s most populated country, which is also the largest market by users for Meta and Google. The South Asian nation’s growing emphasis on data privacy, which has been evolving over the past few years, mirrors similar initiatives undertaken in many other countries and regions.
The Digital Personal Data Protection Bill empowers New Delhi to restrict public access to certain information if it is believed to be in the public’s interest. Under this act, a government-appointed Data Protection Board is established with an advisory role, allowing it to suggest blocking public access to specific computer resources or platforms. Such recommendations can be made if the data fiduciary has been subjected to financial penalties on more than two occasions.
If content blocking is to be enabled by central government on the recommendation of the board then there has to be a strong framework detailing the criteria for blocking, quipped EY’s Rao.
Advocacy group AccessNow said: “An effective, world-class data protection law requires core tenets: an independent regulator; actionable rights and remedies; clarity on cross-border data flows; and business certainty and meaningful accountability from all data collectors, including the government. The bill is devoid of each of these.”
The bill has introduced some relaxations compared to an earlier draft proposed by New Delhi. Specifically, companies that handle personal data can now transfer it to any other country for processing, unless the central government has explicitly restricted such transfer. This is a departure from the initial version which only allowed data transfer to destinations specifically identified by the government.
Raman Jit Singh Chima, Asia Pacific Policy Director at AccessNow, said last week that the legislation “enables government-led invasions of privacy and the expanding of surveillance,” and “obscures the right to information which is crucial for accountability from public officials.” But “it’s a win-win, for government and big tech.”
The Internet Freedom Foundation, another advocacy group of digital rights, said the law lacks adequate measures to prevent “over-broad surveillance,” whereas the Editors Guild of India said it believes the law will hamper press liberty and weaken the right to information law.
Jagmeet Singh contributed to the report.