The upper house of India’s parliament greenlit the long-delayed data protection bill on Wednesday, facing no resistance as opposition leaders opted out of participation. The legislation aims to grant the Prime Minister Narendra Modi-led government greater control over the operations of major tech companies in their crucial foreign market.
The Digital Personal Data Protection Bill limits cross-border data transfers and imposes penalties on companies for breaches in data security. Furthermore, it provides New Delhi with a legal framework to ensure adherence to these regulations. The bill also bars companies from processing personal data that could negatively impact a child’s wellbeing and mandates companies to delete user data once it no longer fulfills its original business intent.
The bill allows the Indian government to waive compliance requirements for certain data fiduciaries, such as startups.
The bill was approved by the lower house of the parliament last week even as some lawmakers in the opposition denounced many of its aspects. India’s IT Minister, Ashwini Vaishnaw, refuted claims that there was insufficient consultation in drafting the bill. He said Wednesday that the government took input from 48 organizations, consulted with over three dozen ministries, and considered more than 24,000 comments during the preparation of the legislation. (The bill, six years in the making, was abruptly withdrawn last year.)
“This bill is very pro-citizen and pro-privacy,” he said in the upper house of the parliament Wednesday. “This bill is very much in the spirit of the government where we would like to ensure that every citizen’s data is fully protected.”
The members from the opposition skipped participation in the voting on Wednesday, prompting criticism from Vaishnaw, who alleged that the opposition members’ action is a disservice to the 1.4 billion citizens.
The introduction of the legal framework coincides with the surge in digital services in the world’s most populated country, which is also the largest market by users for Meta and Google. The South Asian nation’s growing emphasis on data privacy, which has been evolving over the past few years, mirrors similar initiatives undertaken in many other countries and regions.
The Digital Personal Data Protection Bill empowers New Delhi to restrict public access to certain information if it is believed to be in the public’s interest. Under this act, the Data Protection Board is established with an advisory role, allowing it to suggest blocking public access to specific computer resources or platforms. Such recommendations can be made if the data fiduciary has been subjected to financial penalties on more than two occasions.
“An effective, world-class data protection law requires core tenets: an independent regulator; actionable rights and remedies; clarity on cross-border data flows; and business certainty and meaningful accountability from all data collectors, including the government. The bill is devoid of each of these,” said advocacy group AccessNow.
The bill has introduced some relaxations compared to an earlier draft proposed by New Delhi. Specifically, companies that handle personal data can now transfer it to any other country for processing, unless the central government has explicitly restricted such transfer. This is a departure from the initial version which only allowed data transfer to destinations specifically identified by the government.
Raman Jit Singh Chima, Asia Pacific Policy Director at Access Now, said last week that the legislation “enables government-led invasions of privacy and the expanding of surveillance,” and “obscures the right to information which is crucial for accountability from public officials.” But “it’s a win-win, for government and big tech.”
More to follow.