BENGALURU - India has redrafted its proposed digital personal data protection laws in an about-turn that privacy advocates say will weaken key protections and give excessive discretionary powers to the government.
The new Digital Personal Data Protection Bill, published last Friday for public consultation until Dec 17, comes after several iterations over five years.
The law will govern how people’s personal data is collected, stored and used by private companies and the government in one of the world’s biggest online markets.
In August, the Indian Parliament abruptly withdrew an older version that was criticised as too heavy-handed.
Big Tech companies such as Google, Meta and Amazon had complained that the older draft’s restrictions on cross-border data flows were too stringent, and the government’s powers to seek user data from companies were too broad.
The new law would allow companies to transfer user data outside India, but only to certain countries that the government will identify. Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said the countries would be identified on the basis of “reciprocity”, The Indian Express reported.
The draft retains earlier provisions that require companies to seek explicit consent from users before processing their data, and to protect user data and stop storing it when it is no longer needed.
But it now mandates that companies must inform users in the event of a data breach, and adds hefty penalties of up to five billion rupees (S$84.5 million) for non-compliance.
However, privacy advocates say the new draft will not allow individuals whose personal data is leaked or misused to claim compensation from companies or government agencies that collected or processed the data. Penalties for data breaches will be paid only to the government.
Worse, individuals can themselves face penalties for filing “false or frivolous” grievances or not providing accurate personal information.
Privacy lawyers also say that a data protection board to be set up to oversee private and government compliance is not independent enough.
Lawyer Namrata Maheshwari from Access Now, a global digital rights non-profit, noted that the board’s appointments, terms and conditions, and even functions will be prescribed by the government. This could end up discouraging data transfers from European businesses and affecting the Indian outsourcing industry.
The draft law retains wide exceptions that allow the government to access people’s personal data on grounds such as state security and maintenance of public order. The Internet Freedom Foundation, an advocacy group, warned that these standards are “excessively vague and broad” and could result in “immense violations” of user privacy.
The draft also limits the law’s applicability to automated data collection, leaving in a grey zone the manual, offline collection of individuals’ personal data that can then be fed into a database or app.
Among countries worst hit by data breaches, India is second only to Russia.
This month, a non-profit that the Bengaluru city corporation contracted to create voter awareness was found illegally collecting sensitive voter and personal data through volunteers who posed as government officials. Such privacy violations with high stakes could go ungoverned by the draft law as it stands.
The draft law also seeks to remove a clause in India’s Right to Information Act that allows a public information officer to disclose personal data of government officials if it justifies larger public interest, like exposing graft, conflict of interest, or political partisanship that affects fair and uncorrupt discharge of duties.
The proposed data protection Bill seeks to exempt all personal information from being accessed by citizens who apply to see government records.
Former central information commissioner Shailesh Gandhi said the “serious and damaging” provision “allows the Right to Information Act to become a Right to Deny”.
