A new data privacy bill is being considered by India’s Parliament. The Personal Data Protection Bill 2019 is meant to improve data handling and data privacy outcomes in a way that is similar to the European Union’s General Data Protection Regulation (GDPR), but the two bills differ in at least one key area. The new India data protection bill would allow the government unfettered access to citizen data for “national security” purposes and in several other sets of circumstances, essentially creating a backdoor to all of the online accounts of citizens that could be opened with relatively minimal effort.
The India data protection bill in detail
The Personal Data Protection Bill was introduced to Parliament by Indian Union IT Minister Ravi Shankar Prasad on December 11. The bill calls for the creation of a Data Protection Authority similar to the organizations found among members of the EU, and defines the categories of sensitive personal data that are to be protected. Among other things, the bill would require companies in a “data fiduciary” role to get consent from the individual before processing their sensitive personal data, and would allow Indian citizens to withdraw consent to disclosure of said data. There is also a requirement that personal data be stored on servers located in India.
Consequences for non-compliance would be fairly heavy, at least relative to the country’s economy. Companies would face a maximum fine of the higher of Rs 15 crore or 4% of annual turnover. Companies would also be required to conduct periodic data audits, with a potential maximum fine of Rs 5 crore or 2% of annual turnover for failing to do so. Known processing of withdrawn personal data could carry a prison sentence of up to three years along with additional fines.
In terms of relative penalties, this India data protection bill is even stricter than the GDPR. A fine of Rs 15 crore could wipe out significant amounts of revenue for many companies in the country. It’s the government exemptions that have Indian citizens and privacy advocates concerned, however.
The new India data protection bill grants the government the ability to direct any company to provide it with anonymized and non-personal data upon request. If the government wants access to protected personal data, it merely has to invoke a concern about national security, the “sovereignty or integrity” of the state, relations with foreign countries or the incredibly vague “public order” to compel private companies to give it access. The law has changed from its original form announced to the public two years ago, at which time there was a provision requiring that the government follow lawful procedures to collect any sensitive data.
This follows a November announcement by the Indian government that existing law, namely the 1885 Telegraph Act and the 2000 Information Technology Act, allows federal and state governments to intercept and decrypt any information on any of the country’s computers. The statement was prompted by a report that a number of WhatsApp users in the country had an apparent state-backed malware attempt on their accounts. This position is in seeming conflict with a 2017 ruling by the nation’s Supreme Court that privacy is a fundamental human right.
Impact on international business in India
With the world’s second-largest population and an estimated 600 million internet users, India is a rapidly growing market that has seen recent heavy investment from major international companies such as Amazon and Google. Given recent political difficulties with China, many American companies see India as a potential manufacturing alternative. Silicon Valley technology companies also see it as one of the last major frontiers for growth. The new Indian data protection bill, which some of the country’s politicians have described as “Orwellian” and “totalitarian,” might end up creating similar difficulties.
Some commentators have already expressed concern that the government will not be able to keep up with implementation and enforcement of the new India data protection bill given little legal precedent or national experience with these measures. India’s Data Protection Authority would be managing a population much larger than any comparable organization overseas in Europe.
There is also some concern that the government might request access to confidential business information and protected intellectual property. Tech industry companies are likely to be reticent about granting access even to non-sensitive and anonymized data, as this information is at the core of many of their monetization strategies.
Voluntary social media verification
The law would also require that social media companies provide Indian consumers with a voluntary means of verifying their identities. This would create some sort of mark of verification on their profile, similar to the blue check marks used on Twitter to verify the accounts of public figures. However, the law is not entirely clear on which companies would be regarded as “social media intermediaries” for this purpose.
Government data security concerns
In addition to worries about government overreach into personal data, Indian citizens have valid reason to be concerned about the security of their information once it is in the hands of the government. The new India data protection bill would hand a much greater share of power to government agencies that have struggled with both cybersecurity and integrity.
In early 2018, access to the country’s UIDAI database was found being advertised through Whatsapp. For as little as a mere 300 rupees (about $4.25), an unknown party was selling the same sort of access to the welfare and benefits database that government workers have. By entering an Aadhaar (personal identification) number, anyone paying for access could look up all of the personal information attached to that number. Considering that information on nearly all of the country’s 1.3 billion citizens is available in this database, this was considered the largest data breach in the world by record count.
Corruption is also a serious and ongoing problem in the country. Watchdog group Transparency International ranks India in the bottom half of world nations for corruption issues, and CNN recently reported that about half the country’s population has paid a bribe to a government official at some point.
Recent concerns have also been raised about the Modi government’s willingness to engage in religious profiling, particularly targeting Muslim immigrants from neighboring countries. The new India data protection bill would provide the government with greatly expanded powers to conduct surveillance of citizens.
The new India data protection law is currently being examined by a joint select committee and is not likely to be taken up by the country’s central government until sometime in 2020.