A data protection bill that had been years in the making appears to have been scrapped by India’s parliament, amidst big tech companies airing concerns about infeasible costs of meeting personal data processing and protection requirements as well as strict restrictions on cross-border data transfers.
The decision to scrap the data protection bill came from a parliamentary review process that concluded a new comprehensive legal framework was necessary. IT minister Ashwini Vaishnaw has told reporters that work was already underway on a new personal data law, however, and that a public release could be expected before the end of the year with the overall aim of getting it passed in early 2023.
Big tech companies led pushback against data protection bill
While compliance costs were a primary concern for domestic firms and startups that opposed the data protection bill, big tech companies also aired concerns about restrictions on the cross-border transfer of personal data and the level of access to user information that the Indian government was expecting. Privacy advocate organizations, such as the Internet Freedom Foundation, have taken the opposite tack: they say that the data protection bill was too lenient toward big tech companies, in addition to expressing concerns about the number of exemptions it handed to government agencies.
India does not presently have a national law comprehensively addressing the protection and processing of personal data. Serious discussions began in 2018 as the EU’s General Data Protection Regulation (GDPR) prompted the world to reconsider its stance on this issue, and the present bill has been bouncing around throughout the government since 2019. The government had been aiming to get the data protection bill finalized and in place in early 2023, taking advantage of the annual parliamentary budget session that runs from January to February.
Vaishnaw told reporters that a revamped bill was in an “advanced” state and was based on feedback gathered from big tech companies and impacted domestic firms. One of the central points of contention was the proposed regulation of “non-personal data” by the data protection bill, a term worded specifically to cover the sort of data that is critical for companies to analyze for business purposes. An additional sticking point for multinationals like Meta and Google was a requirement that certain categories of sensitive personal data be stored in India, reflecting to some degree the terms established under the GDPR by the Schrems II decision.
Privacy advocates note that while private industry seems to be getting a substantial amount of input, the same sort of commentary has not been extended to the general public. The public has been increasingly dissatisfied with government handling of internet privacy issues, as a patchwork of more limited national regulations has increased government reach into private messaging services and effectively forced VPN services out of the country.
Increasingly authoritarian government moves raise concern about future of personal data in India
It remains unclear what the government meant in stating the revamped data protection bill needed to be in closer keeping with “contemporary digital privacy laws” given that the ruling party has shown a strong predilection for unfettered government reach into private communications. While big tech companies have undoubtedly had some impact on the process, the main conflict over the data protection bill appears to be with government opposition in parliament that wants to see government agencies held to the same personal data standards that private businesses are.
The issue of cross-border data flows is one that is primarily of interest to big tech companies, however, and a senior official told The Indian Express that the government was still considering whether or not to implement a “trusted partner” system akin to the one employed by the EU and UK. Those systems require the partner country to have national data privacy legislation with equivalent terms before personal data can be exported. Lack of parity has created numerous problems in the EU, particularly for big tech companies based in the United States that do all of their data processing in Silicon Valley.
The government exemption is of great public concern in light of the recent moves to curtail privacy, and the revelation that the Modi government made broad use of the Pegasus spyware to surveil political opposition, activists, journalists and an employee of the Supreme Court who had filed a sexual harassment suit. In total about 300 phone numbers were targeted in recent years. The Modi government has called the Pegasus research a “conspiracy” and claimed it has no basis in fact in spite of evidence tying it to surveillance by authoritarian governments throughout the world; Apple issued a warning to infected users in late 2021 and patched its operating system to remove a “zero click” exploit that Pegasus employed as its primary means of breaching iPhones.