Indian government buildings in New Delhi signifying the new proposal for India's data protection law
What Does India's Proposed New Data Protection Law Mean for the Country – and the Rest of the World?

What Does India’s Proposed New Data Protection Law Mean for the Country – and the Rest of the World?

There has been a lot of talk about data protection and user privacy lately, and for good reason. From the selling of Facebook data by Cambridge Analytica to concerns about shadow banning on Twitter and other social media sites, concerns about data and its usage are everywhere. Now India’s data protection law is taking that concern to the next level, providing citizens of the populous country with additional protections and giving them the tools they need to fight back. Prior to the proposed law, India did not have specific data protection legislations although Section 43A of the Information Technology Act (2000) provides for the right to compensation for the improper disclosure of personal information.

At the same time, India’s data protection law is already being criticized, with some claiming it does too little and others fearing it goes too far. Already privacy advocates are expressing concerns that the proposed new personal data protection bill has the potential to lead to mass surveillance, something that has already been seen in totalitarian countries around the globe.

Does India’s data protection law go too far – Or not far enough?

Others worry about India’s data protection law for other reasons. Some in the data security industry have expressed real concerns that India’s data protection bill is inadequate, and that the August 2018 proposal does not give the data protection authority sufficient power to bring violators to justice.

So which set of concerns are valid, and what are Indian citizens, and privacy and data protection advocates around the world, to do? As with so much in the world of personal data or information protection, the waters surrounding India’s data protection law are somewhat muddied, and the competing opinions surrounding its policies and protections are not making things any easier. Only time will tell how the data protection law is implemented, and how the legal framework that is being built will be used by the Indian authorities.

India’s data protection law as a follow up to the GDPR

In some quarters, India’s data protection law is already being compared to the groundbreaking General Data Protection Regulation, a sweeping European Union regulation designed to protect data privacy and give individual users unprecedented control over the use of their own personal information.

Indeed, many of the same concerns raised about the General Data Protection Regulation are being raised about India’s data protection law, including worries about data localization and the potential for widespread surveillance by a rogue government. This new privacy law does bear some similarities to the EU regulation, but there are some key differences as well. In the end, it is best to consider India’s data protection law on its own merits, separate from the similar but distinct European Union regulations.

Will the proposed regulations be enacted?

While both laws are designed to protect sensitive personal data, and both have been passed in response to widespread data breaches and security concerns, India’s new law is distinctly Indian in nature. Whether a future supreme court judge eventually strikes down the new privacy law or lets its stand, the door has already been opened. Already businesses are changing the way they collect data, and they are caring for the data collected in new ways.

Some firms are appointing a dedicated data protection officer, whose job it is to protect the privacy of individual users and protect the data with which the firm has been entrusted. Others are rethinking their roles in the digital economy, looking for a way to align their business needs with the new data protection requirements.

Even businesses that will not be directly affected by India’s data protection law are taking steps to protect and enhance their own data security practices and procedures. The European Union’s General Data Protection Regulation may have been the first salvo in the data privacy wars, but it was definitely not the last. As the data protection bill 2018 clearly shows, other countries are eagerly following the European Union’s lead, and smart businesses are taking proactive steps to protect their customers and avoid further government regulation.

New challenges for old businesses

Under India’s data protection law, businesses will face additional challenges and a new set of regulations, all designed to oversee the processing of personal data and the protection of private data.

It should be noted that India’s data protection law is still in its early stages, and at this point nothing has been passed into law. Even so, some version of this new data privacy and personal protection law is likely to become law in the coming years, and it is important for everyone in the industry to be aware of the possibilities.

The opposition is gearing up to stop India’s data protection law

The proposed law has faced its fair share of pushback, including from an ex-Cisco CEO. These critics point to some particularly troubling parts of the new legislation, from requirements for localized data storage to the banning of use of some previously anonymized data. But even as the lobbying and back and forth continues, that data protection landscape continues to change.

In addition to the predictable pushback by industry groups and big corporations, which will inevitably face higher costs as a result of the proposed legislation, other groups are pushing back as well. Surprisingly, one of the strongest arguments against India’s new data protection law is that, far from protecting ordinary consumers, the proposed regulations could actually lead to a massive surveillance state, one that could destroy freedom, suppress freedom of speech and destroy the very lives it promises to save.

Critics have pointed out, for instance, that there are serious flaws in the safeguards Indian citizens rely on to keep their data safe. In one infamous example, the head of the country’s telecom regulator posted his ID number online, challenging naysayers to come up with a concrete example of how such a disclosure could be harmful. In just a few hours, the erstwhile regulator found that not only his cell phone number and address, but also his frequent flyer account, had been posted online.

Given this lack of privacy and data protection has served as both proof that additional steps are needed and fostered worries that the implementation of the proposed data protection law could backfire, leading not to a new dystopia of data protection but a dystopian future of constant surveillance. As the two sides fight it out, businesses in India, and around the world, are already taking steps for the things that are likely to pass, like stricter laws governing data storage and the retention of personally identifiable customer information.

India's data #privacy law is already being criticized, with some claiming it does too little and others fearing it goes too far.Click to Tweet

Indeed, India’s data protection law and the proposed regulation is only the latest example of how seriously countries are now taking the ongoing data breaches and privacy violations. Even if the current set of regulations fails or is radically changed, data protection is here to stay, and businesses around the world need to get ready.


Senior Correspondent at CPO Magazine