India has proposed a comprehensive new data privacy law that would mandate the way companies handle its citizens’ data, including allowing cross-border transfers of information with certain nations, three months from now suddenly withdrew the previous offer after scrutiny and concerns from privacy advocates and tech giants.
The National IT Ministry has published a draft of the proposed rules (PDF), called the Digital Privacy Act 2022, on Friday for public comment. It will hear the public’s views until December 17.
“The purpose of this Act is to ensure the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes and for matters relating to or relating to them with them,” the project says.
The draft allows for cross-border data sharing with “certain notified countries and territories”, in a move seen as a win for technology companies.
“The Central Government may, after assessing such factors as it may consider necessary, notify such countries or territories outside India to which the data controller may transfer personal data subject to such terms and conditions as may be specified,” the draft says, without naming the countries.
The Asia Internet Coalition, a lobby group that represents Meta, Google, Amazon and many other tech firms, has asked New Delhi to allow cross-border data transfers. “Cross-border transfer decisions should be free from executive or political interference and should ideally be minimally regulated,” they wrote in a letter to the IT ministry earlier this year.
“Putting restrictions on cross-border data flows is likely to lead to higher business failure rates, introduce barriers to start-ups and lead to more expensive products being offered by existing market players.” Ultimately, the above mandates will affect digital inclusion and the ability of Indian consumers to access a truly global Internet and the quality of services,” the group said.
The draft also suggests that companies use the data they have collected about consumers only for the purpose for which they originally obtained it. It also seeks accountability from businesses that they ensure they process personal data about consumers for the exact purpose for which they collected it.
He also wants companies not to keep the data permanently by default. “Storage must be limited to such duration as is necessary for the stated purpose for which the personal data was collected,” the ministry said in a note.
The bill proposes a penalty of up to $30.6 million if a company fails to provide “reasonable security safeguards to prevent the breach of personal data.” Another $24.5 million in fines if the company fails to notify local authorities and consumers of non-disclosure of a personal data breach.
Earlier, the proposed rules were touted to help protect citizens’ personal data by categorizing it into different segments based on their nature, such as sensitive or critical. However, the new version does not split the data as such, according to the project.
Similar to Europe’s GDPR and CCPA (California Consumer Privacy Act) in the US, India’s proposed Digital Privacy Act of 2022 will apply to businesses operating in the country and to all entities processing data of Indian citizens.
The proposed rules, which are expected to be discussed in parliament after a public consultation, will not lead to changes in selected controversial laws in the country, drawn up more than a decade ago. New Delhi, however, is working on updating its two-decade-old IT law, which will debut as the Digital India Act. It will cut out the middlemen and come as the end, India’s Minister of State for IT Rajeev Chandrasekhar told TechCrunch in a recent interview.
In August, the Indian government withdrew its previous privacy bill, which was introduced in 2019, after much anticipation and legal pressure. At the time, India’s IT minister Ashwini Vaishnau said the withdrawal was seen as “the introduction of a new bill that fits into the overall legal framework”.
Meta, Google and Amazon were some of the companies that had concerns expressed for some of the recommendations of the joint parliamentary committee on the proposed bill.
The move to introduce a data protection law came as privacy was declared a fundamental right by the Supreme Court of India in 2017. However, the country has faced strong criticism over its earlier data protection bills due to their inherent nature to give government agencies the power to access citizens’ data.
In one of the sessions during the G20 summit in Bali earlier this week, Prime Minister Narendra Modi talks about the Data for Development principle and said the country would work with G20 partners to bring “digital transformation to the lives of every human being” during its presidency next year of the 19-nation intergovernmental forum.