India withdraws controversial proposed data protection law

Privacy is an urgent issue in India, which has seen explosive digital growth from increased access to smartphones and data. PHOTO: AFP

BANGALORE - India has withdrawn a proposed personal data protection law amid concerns from big technology companies and privacy advocates about data use and government control.

Four years after being in the works, the highly debated law was revoked in Parliament on Aug 3, leaving one of the world's biggest Internet-use markets without a privacy law.

Minister for Electronics and Information Technology Ashwini Vaishnaw wrote in a parliamentary statement that the proposed law was being withdrawn because a Joint Parliamentary Committee (JPC) had suggested a large set of changes. The JPC's December 2021 report had proposed 81 amendments and 12 recommendations.

"The government will bring a set of new legislation for a comprehensive legal framework for the digital economy," Mr Vaishnaw wrote, promising to introduce a fresh law next year.

The withdrawn law had proposed restrictions on the use of personal data without the explicit consent of individuals, stringent regulations on cross-border data flows, and would give the Indian government powers to seek user data from companies.

The Washington-based Information Technology Industry Council, which represents tech majors such as Google, Meta and Amazon, appreciated the withdrawal of the law, and hoped to engage in any renewed consultations with the government.

New Delhi-based privacy advocacy group Internet Freedom Foundation (IFF) hoped that an improved regulation will involve more public consultations with key stakeholders, civil society and industry.

Debates have focused on how to make entities processing people's data accountable, solutions for unauthorised and harmful processing of data, and the extent of access the government should have.

The withdrawn law had required that companies store "sensitive" and "critical" data, including financial, health and biometric information, only within India.

Companies including Google, Meta, Apple and Amazon had expressed concerns that such "data localisation requirements… are onerous and will hamper the ease of doing business".

Opposition MPs had criticised provisions that sought to give the government powers to exempt its investigative agencies from the law. Privacy advocates like IFF founder Apar Gupta said the draft law put "privacy interests of individuals on the same footing as those of businesses and the state", thereby wrongly placing competing interests on the same plane.

Privacy, declared a fundamental right by India's Supreme Court in 2018, is an urgent issue in the world's biggest democracy that has seen explosive digital growth from access to cheap smartphones and mobile data services. The country has 692 million Internet users, over half of them in villages.

India is the second-worst country hit by data breaches, after Russia. Netherlands-based cyber-security firm Surfshark VPN found that in just the first half of 2022, India recorded 5.1 million instances of personal data being copied, transmitted, viewed, stolen or illegally used.

On Aug 2, the Finance Ministry said Indian private banks reported 248 cyber attacks where business and personal information were stolen between June 2018 and March 2022. There are currently no adequate accountability mechanisms or redressal for customers who have lost data.

Mr Nikhil Pahwa, editor of MediaNama website which covers technology and media policy, said: "Junking the Bill altogether will create a limbo of sorts from a privacy protection standpoint." He hoped that unlike the JPC, the new data privacy law "will include consultation with key civil society stakeholders".

Join ST's Telegram channel and get the latest breaking news delivered to you.