
What’s next for India’s personal data protection bill?

Published on September 02, 2022

Almost a year ago, India was anticipating the passage of its new personal data protection bill (PDPB). Unfortunately, it looks like progress on the bill is back to square one, and the current state of affairs does not look good for the citizens of a country that suffers one of the highest numbers of data breaches, losses, and leaks each year.

Due to a glaring lack of privacy laws, India’s users run the risk of having their data sold, misused, or used against them. Recently, there were reports of a huge cache of data found online that included the full names, bank account numbers, and beneficiary details of Indian pension fund holders. Bob Diachenko, a security researcher from Ukraine, discovered two distinct IP addresses housing more than 288 million records online without password protection. Personal digital data safety often falls short of international requirements despite the country’s flourishing tech industry. 

Every nation now requires stringent data protection laws. Although India’s constitution explicitly recognizes the right to privacy, and the various revisions to the Information Technology Act of 2000 have offered protections against the mishandling of personal information, it is about time the outdated laws were updated, as they continue to erode digital privacy. This article updates you on the latest developments in India’s personal data protection policies.

The roadmap and composition

In 2017, the bill had high expectations. In July of that year, a new commission chaired by retired Justice B.N. Srikrishna was established to create guidelines for data protection. The country’s Supreme Court ruled the next month that privacy is a part of a constitutionally recognized right to life and liberty. But it didn’t take long for the optimism to wane. According to Srikrishna, the law submitted to parliament in December 2019 provided the government with unrestricted access to personal data for the sake of sovereignty and public order.

A newer version was proposed by the Joint Parliamentary Committee as the Data Protection Bill 2021. Here are the basic objectives of this bill:

  • To create a data protection authority safeguarding Indian citizens’ data that ensures IT organizations comply with privacy and security regulations, particularly in terms of storing data.

  • To give the government the authority to request user data from businesses and to impose rules on international data flows.

  • To require large tech companies to keep a copy of sensitive personal data in India, and forbid tech companies from exporting critical personal data unless consumer permission has been received.

  • To ensure social media corporations are treated as publishers and are held accountable for the content they host.

The withdrawal 

After five years of deliberations involving the government, internet giants, and civil society activists, India’s PDPB is back to square one. The Indian government has chosen to replace the personal data protection bill with “a comprehensive legislative framework.” Worse than the current state of chaos is that no one knows what the new system will look like, whether it will prioritize the needs of the individual, as in Europe, or vested business and party-state interests, as in China.

Many still wonder: “Why was the original bill withdrawn?”

Opposition to the law mainly included tech giants and civil liberties organizations. Most private enterprises opposed the data localization norms that were part of the bill, which they felt were stringent. Many organizations representing the Indian tech sector also felt that some aspects of the PDPB would hamper the growth of the Indian tech start-up ecosystem. 

On the other hand, the Internet Freedom Foundation, a privacy advocacy group, stated more has to be done to hold the Data Protection Authority accountable and that the Indian State’s use of citizen data also needs to be kept “under control.”

The administration now intends to introduce four comprehensive pieces of legislation to address the digital tech landscape after withdrawing the PDPB. This will involve enacting new rules in the areas of social media accountability, information and technology, personal data and privacy, and telecommunications. 

The impending revamp 

The revamped Bill’s specifics and structure are unknown. According to a senior government official, the government is debating whether to include data localization in the new Information Technology Act that is being developed, and whether to restrict cross-border data transfers to “trusted geographies” exclusively. The official explained, “The idea is that the data should be accessible in the event of a crime and stored in a location that is trusted by the Indian government.”

In terms of data localization, the new bill might eliminate the classification of personal data, and limit its use to assessing damages for individuals whose personal data might have been compromised by an entity. According to sources in the IT Ministry, the government wants to introduce the legislation in parliament’s winter session or, if not, the next budget session.

India is currently one of the few nations without a robust legal framework for data protection. In light of India’s ambition to promote a global image of a digital economy with a thriving data services industry, the government must step up to develop a framework that puts it on par with its competitors on the global stage. In contrast to other laws, data protection regulations must cooperate with their international counterparts in order to function effectively in a global context.
