The Government of India on Wednesday passed a data protection law that will dictate how tech companies process users’ data amid criticism that it will likely lead to increased surveillance by the government.
The law will allow companies to transfer some users’ data abroad while giving the government power to seek information from firms and issue directions to block content on the advice of a data protection board appointed by the federal government.
The Bill provides for following obligations on the data fiduciary
- To have security safeguards to prevent personal data breach;
- To intimate personal data breaches to the affected Data Principal and the Data Protection Board;
- To erase personal data when it is no longer needed for the specified purpose;
- To erase personal data upon withdrawal of consent;
- To have in place grievance redressal system and an officer to respond to queries from Data Principals; and
- To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessment to ensure higher degree of data protection.
The Digital Personal Data Protection Bill, 2023 gives the government powers to exempt state agencies from the law and gives users the right to correct or erase their personal data.
The new legislation comes after India withdrew a 2019 privacy bill that had alarmed tech companies like Facebook and Google with its proposals for stringent restrictions on cross-border data flows.
The law proposes penalties of up to 2.5 billion rupees ($30 million) for violations and non-compliance.
However, it has drawn criticism from opposition lawmakers and rights groups over the scope of exemptions.
The Internet Freedom Foundation, a digital rights group, has also said that the law does not contain any meaningful safeguards against “over-broad surveillance”, while the Editors Guild of India has said it affects press freedom and dilutes the Right to Information law.
Deputy minister for information technology Rajeev Chandrasekhar has said that the law will protect the rights of all citizens, allow the innovation economy to expand, and permit the government legitimate access in the case of national security and emergencies like pandemics and earthquakes.