India’s new data protection law: how it regulates tech giants and why it’s causing alarm
New legislation provides for penalty of up to $30m for data breaches, but raises concerns about government surveillance
Indian lawmakers have passed a data protection law that will monitor how tech companies process users’ data amid criticism that the legislation gives the government sweeping powers to increase surveillance. The law, which was in the making for six years, provides for penalties of up to 2.5 billion rupees ($30 million) .
Critics claim Prime Minister Narendra Modi’s government is seeking to weaken the Right to Information (RTI) Act, which was introduced in 2005 to promote the transparency and accountability of public authorities. The RTI Act was passed when a coalition government led by Congress, now India’s main opposition party, was in power.
What does the new law say?
The Digital Personal Data Protection Bill 2023, which was passed by parliament last week and received the president’s assent on August 12, will allow tech companies to transfer the personal data of some users to other countries. India is the largest market for Google, Meta and other industry giants in terms of user numbers. An earlier version of the legislation had prohibited the transfer of personal data to certain locations specified by the government. However, this draft was withdrawn last year.
The new law safeguards an individual’s digital personal data and also gives users the right to correct or erase their personal data. It also allows the government to waive compliance requirements for certain data controllers such as start-ups. Now, the government can seek information from private firms and also issue orders to block content on the advice of a state-appointed data protection board. The advisory body has been mandated to suggest blocking public access to specific computer resources or platforms.
The government has argued that the law will enhance the “ease of living” and “ease of doing business” in a boost to the country’s “digital economy and its innovation ecosystem.” Several studies show that India’s digital economy is likely to expand by 600% to $1 trillion by 2030 from the current figure of around $175 billion.
Indian Deputy Minister for Information Technology Rajeev Chandrasekhar has dismissed “misconceptions” regarding the new law amid a growing emphasis on data privacy in the world’s most populous nation. He said the law would protect the rights of all citizens, allowing the innovation economy to expand, and permitting the government legitimate access in the interests of national security and emergencies such as pandemics and earthquakes.
Ashwini Vaishnaw, India’s IT minister and Chandrasekhar’s senior cabinet colleague, also rejected criticism that there had been insufficient consultation before the new law was pushed through ahead of a crucial election next year, in which Modi’s government will seek a third consecutive term.
He said the government had received input from 48 organizations, consulted with more than three dozen ministries, and considered more than 24,000 comments during the preparation of the legislation. “This bill is very pro-citizen and pro-privacy… it is very much in the spirit of the government where we would like to ensure that every citizen’s data is fully protected,” Vaishnaw added, promising that the law would come into effect “very soon.” “This is a very, very big change in the entire digital economy. So, we will take every step with proper checks, proper balance, proper verification; we must make it a robust mechanism.”
The legislation comes after the government withdrew a 2019 privacy bill, which contained stringent restrictions on cross-border data flows that had alarmed tech giants. The bill was withdrawn last August after a parliamentary panel suggested 81 amendments and 12 recommendations, requiring a new “comprehensive legal framework.” The bill was modeled along the lines of the European General Data Privacy Regulation, which came into effect on May 25, 2018, and sought to lay the ground rules for how big technology firms should operate in countries.
What do critics say?
The law has drawn flak from opposition lawmakers and rights groups over the scope of its exemptions. They expressed concern that the government and its agencies could access user data from companies and the personal data of individuals without their consent, claiming that digital freedom had been shrinking in the country.
The Internet Freedom Foundation, a digital rights advocacy group, said the law did not contain any meaningful safeguards against “over-broad surveillance.” The Editors Guild of India has pointed to growing media curbs imposed by Modi’s right-wing Bharatiya Janata Party (BJP). Days before the law was passed in parliament, the non-profit body, which protects press freedom, said it “create[d] an enabling framework for surveillance of citizens, including journalists and their sources.”
Earlier, the guild had accused the government of muzzling dissent, referring explicitly to its recent bid to fight alleged fake news through the enforcement of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021.
Similarly, AccessNow, a digital rights group, said in a statement: “[The law] jeopardizes privacy, grants excessive exemptions to the government, and fails to establish an independent regulator,” adding that the new law would enhance the government’s control over personal data and increase censorship. It pointed out several glaring deficits in the law. “An effective, world-class data protection law requires core tenets: an independent regulator; actionable rights and remedies; clarity on cross-border data flows; and business certainty and meaningful accountability from all data collectors, including the government. The bill is devoid of each of these.”
Murali Rao, cybersecurity consulting leader at EY India, echoed similar reservations in a statement, citing “implementation complexities that could prove to be a challenge for organizations while complying with the requirements of the bill.”
Human Rights Watch, a New York-headquartered global NGO, had expressed concern over the proposed law last December. “India’s proposed data protection law undermines everyone’s, including children’s, fundamental rights to privacy and security by enhancing the power of the state to conduct surveillance,” said Meenakshi Ganguly, South Asia director at organization. “With more and more data becoming available on digital platforms, the Indian government needs to make protecting people’s privacy and security a priority,” she added.
The human rights body has been critical of the government for its unwillingness to respond to allegations over the use of the Israeli-produced spyware Pegasus to target journalists and activists, which was uncovered by The Wire outlet, in May 2021. It also accused the government of not cooperating with the committee set up by the Supreme Court to investigate the use of Pegasus spyware on Indian citizens.
Surveillance was originally governed by the 1885 Telegraph Act – a colonial British-era rule – and later, the 2000 Information Technology Act, which was introduced by a BJP-led coalition government. The Supreme Court twice made observations regarding this legislation – once in 1997 and more recently in 2017 – noting that an order of surveillance could be granted only when strictly necessary and in the absence of any alternative.
Joydeep Sen Gupta, Asia Editor
Comments are closed.