Big Tech's going to love India's new personal data protection bill
Big fines for breaches. Also big powers – including takedowns – for planned Data Protection Board
India's long awaited digital Personal Data Protection Bill was tabled in parliament on Thursday, complete with stiff penalties for data breaches and enough exemptions that digital rights orgs have rated it a "win-win" for Big Tech and government.
India has spent the past six years trying to put together some form of data privacy rules, without any solid results.
A court ruled in 2017 that Indian citizens have a right to privacy, and the next year a bill was drafted. It was tabled in parliament, but never passed. The bill, then called Personal Data Protection Bill, 2019, was scrapped in August 2022 when, according to telecom minister Ashwini Vaishnaw its 99 sections received recommendations for 81 amendments.
Criticism of the 2019 iteration included that it offered weak protection from surveillance and its definitions were too generic.
The latest bill debuted in November of 2022, and was tabled yesterday by Vaishnaw, amid opposition calls to have it further scrutinized.
Among the 33-page bill's provisions are penalties for data breaches – making companies and institutions potentially liable for $6 million (Rs 50 crore) to $30 million (Rs 250 crore) each breach.
On the flip side, those who make what's deemed false or frivolous grievances and complaints can be fined up to $120 (10,000 INR).
It also spells out a new regime for use of data, requiring consent to be sought by operators and allowing individuals to withdraw their consent later. Parents are authorized to consent to data use for children up to 18 years of age.
And while it seeks to limit cross-border transfer of data, it does allow flow to certain jurisdictions. And it also allows the retention of data in some cases after its use is complete.
If passed, the bill will be administered by a Data Protection Board that has powers including recommending blockage of services that abuse data.
"This new bill, after it is passed by parliament, will protect rights of ALL citizens, allow innovation economy to expand and permit Govt's lawful and legitimate access in national security and emergencies like pandemics & earthquakes etc,” tweeted IT minister Rajeev Chandrasekhar.
New Delhi-based digital rights org The Internet Freedom Foundation (IFF) had a different take. In its analysis of the bill, the org found it "disappointing" and complained that it widened government exemptions.
"In its essence, very little has changed with the DPDPB, 2023. Rather than protecting Indians' privacy, the bill prioritizes facilitating the processing of their personal data by private & state actors & disregards years of inputs by stakeholders,” tweeted IFF.
Raman Jit Singh Chima, Asia Pacific policy director and senior international counsel at digital rights advocacy group Access Now, called the bill a "win-win, but only for government and big tech."
Access Now called the current draft "the most damaging one yet in terms of the unrestricted powers it grants to the government and its failure to effectively regulate private firms dealing with data."
The org makes this assessment because it says the bill lacks: an independent regulator; clarity on cross-border data flows; meaningful accountability from data collectors and government; and actionable remedies.
"People whose privacy has been breached are not entitled to compensation, and are threatened with penalties for submitting certain complaints," explained Access Now policy counsel Namrata Maheshwari.
Debate about the bill will soon reach India's parliament, where its passage is likely.
Next: the long-awaited Digital India Bill – a replacement for telecoms laws that literally don't mention the internet. The forthcoming legislation is expected to define how media, carriers, and internet platforms are allowed to operate in India. ®