India has all but formally implemented a much-debated and revised data protection law that will have a significant impact on many companies, thanks to its broad extraterritoriality.
Both houses of parliament voted to approve the revised legislation last week, nearly a year after the abrupt withdrawal of a previous proposal. The bill faced no resistance, as opposition leaders opted out of participating in the voting. The Digital Personal Data Protection Bill will become law once it receives approval from President Narendra Modi, which is probable and more of a formality.
The law makes it mandatory for companies collecting user data to obtain explicit user consent before processing it.
Data collection
But the law includes “certain legitimate uses” as an exemption for data collection without user consent. It lets platforms process personal user data without the consent of their users when it is provided voluntarily in certain situations, such as in sharing payment receipts with users, offering medical emergency responses, or when offering public services.
In keeping with the UK’s General Data Protection Regulation (GDPR), the privacy law has extraterritorial effect and covers handling digital personal information, even if it takes place outside India, as long as it relates to providing goods or services to Indian individuals. The government has the power to decide which countries are not allowed to receive personal data from users.
Government discretion
The controversial aspects of the law are the ones critics contend give too much discretion to the Modi-led government, such as the one cited above, deciding which countries are not “safe enough” to receive personal data from India-based users.
Plus, the bill allows the Indian government to waive compliance requirements for certain data fiduciaries, such as startups, if necessary. It also empowers the government to establish a data protection board and appoint all its members, including the chairperson.
Modi’s government has the power to seek information from firms and issue directions to block content on the advice of its federally appointed data protection board.
Additionally, the data privacy bill protects the Indian government and its established data protection board from legal action.
The new legislation comes after India withdrew a 2019 privacy bill that had alarmed tech companies like Facebook and Google with its proposals for stringent restrictions on cross-border data flows.
The bill is more liberal on global data transfers, deeming other countries’ data protection regimes generally adequate (rather than assuming third countries’ systems are inadequate unless proven otherwise, as the GDPR does), but, again, a lot of discretion is given to the executive branch of government.
That Data Protection Board can suggest blocking public access to specific computer resources or platforms, and the recommendations can be made if the data fiduciary has been subjected to financial penalties on more than two occasions.
Right to information
The Editors Guild of India said the law could suppress press freedom and dilute India’s Right to Information law.
And digital rights advocacy group Internet Freedom Foundation said the bill failed to include “several of the meaningful recommendations” that were made during the consultation process of its last draft, and it did not “sufficiently safeguard” the right to privacy of individuals in the country.
India’s IT Minister, Ashwini Vaishnaw, refuted claims that there was insufficient consultation in drafting the bill. He said earlier this month that the government took input from 48 organizations, consulted with over three dozen ministries, and considered more than 24,000 comments during the preparation of the legislation.
“Today, about 900 million Indians have connected to the Internet … In such a situation, there is a need for protection of rights, security and privacy of citizens in this digital world,” Vaishnaw said, noting this was the purpose behind the new rules.
The government expects to implement the law within 10 months, Vaishnaw said.
Fifth largest economy
India is the world’s most populous country, its fifth largest economy, and an important tech, pharma and outsourcing hub.
This law has extraterritorial effect, India’s government has the power to issue directions to block content on the advice of the data protection board it appoints, and the scope of exemptions to the law’s coverage is broadly worded and, again, at the discretion of the board. Businesses everywhere should therefore pay attention to its application.