India has proposed a comprehensive new data privacy law that will mandate how companies handle its citizens’ data, including the cross-border transfer of information with certain nations, three months after it abruptly withdrew the previous proposal following scrutiny and concerns from the defenders of privacy and technology. giants
The nation’s IT Ministry released a draft of the proposed rules (PDF), called the Digital Personal Data Protection Bill 2022, on Friday for public consultation. He will listen to the opinions of the public until December 17.
“The purpose of this Law is to provide for the processing of digital personal data in a way that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes and for matters related to or related to them. ”, says the draft.
The draft allows cross-border data interactions with “certain notified countries and territories,” in a move seen as a win for tech companies.
“The central government may, after an assessment of factors it deems necessary, notify countries or territories outside of India to which a data trustee may transfer personal data, subject to such terms and conditions as may be specified.” , the draft says, without naming the countries.
The Asia Internet Coalition, a lobby group representing Meta, Google, Amazon and many other tech companies, called on New Delhi to allow cross-border data transfers. “Cross-border transfer decisions should be free from political or executive interference, and should ideally be minimally regulated,” they wrote in a letter to the IT Ministry earlier this year.
“Imposing restrictions on cross-border data flows is likely to result in higher rates of business failure, introduce barriers for start-ups, and lead to more expensive product offerings from existing market players. Ultimately, the above mandates will affect digital inclusion and the ability of Indian consumers to access a truly global Internet and quality of services,” the group said.
The draft also proposes that companies only use the data they have collected about users for the purpose for which they originally obtained it. It also seeks to hold companies to account to ensure that they are processing users’ personal data for the precise purpose for which they collected it.
It also calls for companies not to store data perpetually by default. “Storage should be limited to the duration that is necessary for the stated purpose for which the personal data was collected,” a ministry note said.
The draft proposes a fine of up to $30.6 million if a company fails to provide “reasonable security guarantees to prevent the breach of personal data.” Another $24.5 million fine if the company fails to notify the local authority and users for failing to disclose the personal data breach.
The previously proposed rules were touted to help protect citizens’ personal data by classifying it into different segments based on its nature, such as sensitive or critical. However, the new version does not segregate the data as such, according to the draft.
Like the GDPR in Europe and the CCPA (California Consumer Privacy Act) in the US, India’s proposed Digital Personal Data Protection Bill 2022 will apply to companies operating in the country and any entity processing the data of Indian citizens.
The proposed rules, which are expected to be discussed in parliament after receiving public consultation, would bring no change to select controversial laws in the country that were drafted more than a decade ago. However, New Delhi is working on updating its two-decade-old IT law that would debut as the Digital India Act. It will separate the intermediaries and come as the end game, India’s Minister of State for IT Rajeev Chandrasekhar told TechCrunch in a recent interview.
In August, the Indian government withdrew its previous personal data protection bill that was introduced in 2019 after much anticipation and court pressure. At the time, India’s IT Minister Ashwini Vaishnaw said the withdrawal was seen as “presenting a new bill that falls in line with the comprehensive legal framework.”
Meta, Google and Amazon were among the companies that raised concerns about some of the joint parliamentary committee’s recommendations on the proposed bill.
The move to bring in a data protection law came when privacy was declared a fundamental right by the Supreme Court of India in 2017. However, the country faced heavy criticism over its previous data protection bills due to its intrinsic nature of giving government agencies the power to access citizen data.
In one of the sessions during the G20 Summit in Bali earlier this week, Prime Minister Narendra Modi spoke about the principle of “Data for Development” and said that the country would work with G20 partners to bring “digital transformation into the life of every human being” during his presidency next year for the 19-country intergovernmental forum.