Fourth Draft of India Data Protection Bill Proposes Government Exception From All Provisions

India’s journey toward a national data protection bill has been going on for over four years, in fits and starts as drafts have been proposed and then subsequently shot down. The latest draft looks to be no less contentious, as it adds vital protections but also exempts the country’s government from all of its terms and appears to give tech platforms a fairly free hand in sending citizen data overseas.

Annual data protection bill draft proposal already raising alarms over government surveillance

This is the fourth draft data protection bill to go up for consideration since India’s Supreme Court determined that privacy was a fundamental human right in 2017. This has turned into an almost annual event, as drafts are proposed and then eventually shot down due to some sort of political opposition. Prior bills had been rejected due to opposition by tech firms; this iteration of the data protection bill is instead raising hackles over the power it grants to government and the lack of protection for overseas data transfers.

It’s unclear if this one will fare any better than the previous data protection bills, particularly because it essentially eliminates any privacy from government monitoring. The Digital Personal Data Protection Bill 2022 will be open to public comment until December 17, and privacy groups are already sounding off against it.

The proposed law does incorporate a wide range of consumer protections that one would expect from a data protection bill. Data processors would be subject to new requirements in terms of protection of user personal information, breach notifications, data minimization requirements and limits on how long old information can be held. They would also be required to allow data subjects to see what third parties their personal information has been transferred to, and to access stored data for updates to inaccuracies and requests for deletion.

Organizations would also face some fairly steep fines for violating these terms: up to ₹250 crores (about $30.6 million) for data breaches, and ₹500 crores (about $61.3 million) if there is a failure to notify data subjects of a breach. All of this would be overseen by a new government-appointed Data Protection Board.

Privacy concerns could stall new bill

All of that sounds like the fundamentals of a solid data protection bill on paper, but the big caveat in this draft is that none of this will necessarily apply to state governments, owing to listed concerns ranging from national security to “preventing incitement.” The Internet Freedom Foundation (IFF) has already characterized the terms as “excessively vague and broad” and raised concerns about potential misapplication, misuse and violations of citizen privacy.

The possibility of government overreach also ultimately sank the last draft data protection bill. Big tech was a big part of the charge against that iteration of the bill, primarily due to requirements that certain categories of sensitive personal data be stored in India. The new version of the bill appears to have been tailored to placate those concerns, allowing data transfers to certain “approved” nations in a system that appears to resemble the EU’s “adequacy decision” system.

And while data protection bills generally focus exclusively on protecting consumers from abuses and negligence by companies that handle their data, the new law would impose a fine of ₹10,000 (about $122) on individuals who knowingly supply false or unverifiable identity information when applying for any service or document (or registering a complaint with a regulator).

The data protection bill could be introduced to Parliament as early as February 2023, but prior history does not indicate that it will sail through quickly or smoothly. Part of the debate over the bill centers on general opposition to the Modi government, and suspicion of a long list of existing personal privacy violations it has been tied to. The government has shown willingness to surveil and harass critics, journalists, political opposition and activists in a number of ways since shortly after it took power in 2014: sporadic internet shutdowns, the regulation of VPNs in the country, rules for social media platforms that effectively compromise end-to-end encryption, politically motivated arrests, and deployment of the notorious Pegasus spyware to track individuals not under investigation for any crime.

Some social media companies have already engaged in legal battles over the Indian government’s orders to take down certain content. In July, Twitter filed a legal challenge over orders to take down posts critical of the Modi government, escalating a months-long standoff over the issue. In 2021, WhatsApp sued the Indian government over rules that required encrypted messages to be stored in a traceable database. The government responded with an affidavit claiming that the company does not have standing in the country to bring the challenge; that case is ongoing.