The Indian government on Friday released a draft version of the much-awaited data protection regulation, making it the fourth such effort since it was first proposed in July 2018.
The Digital Personal Data Protection Bill, 2022, as it’s called, aims to secure personal data, while also seeking users’ consent in what the draft claims is “clear and plain language” describing the exact kinds of information that will be collected and for what purpose.
The draft is open for public consultation until December 17, 2022.
India has over 760 million active internet users, necessitating that data generated and used by online platforms are subject to privacy rules to prevent abuse and increase accountability and trust.
“The Bill will establish the comprehensive legal framework governing digital personal data protection in India,” the government said. “The Bill provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.”
The legislation, in its current form, requires companies (i.e., data processors) to follow sufficient security safeguards to protect user information, alert users in the event of a data breach, and stop retaining users’ data should individuals opt to delete their accounts.
“The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected,” an explanatory note released by India’s Ministry of Electronics and Information Technology (MeitY) reads.
A failure to take steps to prevent data breaches can incur companies a financial penalty of up to ₹250 crores ($30.6 million). So does a failure on the part of entities to notify users of the breach, effectively taking the total fines to ₹500 crores ($61.3 million).
Users of internet services, for their part, can request companies to share the categories of personal data that have been given out to other third parties, not to mention ask for their data to be erased or updated in cases where such information is deemed “inaccurate or misleading.”
Furthermore, the draft imposes data minimization requirements as well as additional guardrails companies have to adopt in order to prevent unauthorized collection or processing of personal data.
What’s also notable is that the legislation no longer mandates data localization, allowing tech giants to transfer personal data outside of Indian geographical borders to specific countries and territories.
Lastly, the new measure seeks to establish a Data Protection Board, a government-appointed body that will oversee the core of compliance efforts.
That said, the central (aka federal) government is exempted from the provisions of the act “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offense relating to any of these.”
These vague clauses, in the absence of any data protection mechanism, could grant the government broad powers and effectively facilitate mass surveillance.
“This would give the notified government instrumentalities immunity from the application of the law, which could result in immense violations of citizen privacy,” the Internet Freedom Foundation (IFF) said. “This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse.”
The latest development comes after a previous version of the law, introduced in December 2021, was rescinded in August 2022 following dozens of amendments and recommendations.
Data protection legislation has been in the works since 2017, when the Supreme Court unanimously reaffirmed the right to privacy as a fundamental right under the Constitution of India, a landmark verdict that was passed following a petition filed by retired High Court Judge K. S. Puttaswamy in 2012.