India’s revamped data protection bill is “balanced” and designed to encourage growth, the country’s IT minister said, after the government scrapped a previous draft criticised by tech companies and civil liberties groups.
Ashwini Vaishnaw, minister of railways, communications, electronics and IT, said Narendra Modi’s government would seek passage of the draft by the end of the next parliamentary season in April or May 2023.
“We had very extensive consultations with all the stakeholders including the civil society groups, including industry, including the start-up ecosystem,” Vaishnaw said in an interview with the Financial Times. “And this bill is basically an outcome of all these consultations.”
India’s fitful and protracted efforts to regulate the digital space are being watched closely at home and abroad by companies ranging from Amazon to Walmart-owned Indian retailer Flipkart, as one of the leading countries whose legislation will shape the future of online commerce.
The country, the world’s largest democracy, has about 760mn active internet users in a population of 1.4bn, a number the government forecasts will hit 1.2bn later this decade.
In drafting the new law, India says it studied “global best practices,” including data protection laws in Singapore, Australia, the EU and the US.
“Since India is one of the major participants in the digital economy, we definitely would like to create a framework which is in a sense very much in tune with the times, balances all the stakeholders, and creates a system which helps in further growing the economy,” Vaishnaw said. “It’s a very balanced bill.”
India began deliberations on legislating protection of personal data after a 2017 Supreme Court ruling recognised privacy as a fundamental right in a ruling on a case challenging the government’s digital ID system called Aadhaar.
After five years of discussions and consultations, the Modi government withdrew the most recent draft of the bill in May, describing it as unwieldy after it was heavily amended in response to submissions from the public. The draft published last week is India’s fourth.
Civil liberties groups had complained that previous drafts gave government agencies too much scope to access personal data without users’ consent.
Facebook parent Meta was among the tech companies that criticised provisions of the legislation, including a requirement to store personal data locally, which industry lobbyists said were onerous and would hamper the ease of doing business online.
The free movement of data across borders has emerged as one of several contentious issues in negotiations on a proposed free trade agreement between India and the UK, according to people briefed on the talks.
The new draft eases the localisation requirements, allowing personal data to be transferred outside India to “certain notified countries and territories” where it thinks users’ data will be protected.
“The trusted geography should be able to protect Indian citizens’ data in the way we protect our citizens’ data,” Vaishnaw said. “That’s the fundamental construct.”
Arghya Sengupta, founder of the Vidhi Centre for Legal Policy, a think-tank, said the latest draft of the law was “skeletal” in some of its details, and would have liked it to offer “greater transparency” on the uses to which companies can put data they collect.
But he added: “I would prefer some law rather than no law . . . Even if this law has some faults, I would rather iron out the creases than start over again.”
The Asia Internet Coalition, an industry group whose members include Amazon, Spotify, Google and Facebook, said it was in the process of reviewing the bill, and would be doing a formal submission in time for a December 17 deadline for public comments.
Alongside the proposed digital personal data protection bill, India also plans to regulate the internet with two other forthcoming pieces of legislation: a telecoms bill, currently in public consultations, and a Digital India Act that will replace its IT Act.