India has proposed a new comprehensive data privacy law that will mandate how companies handle their citizens’ data, including allowing cross-border transfers of information with certain countries, three months after abruptly withdrawing the previous proposal following scrutiny and concerns from privacy advocates and tech giants.
The country’s IT ministry published a draft of the proposed rules (PDF), called the 2022 Digital Personal Data Protection Act, on Friday for public consultation. It will hear the opinion of the public until December 17.
“The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters relating thereto or related. says the design.
The design allows cross-border interactions of data with “certain opted-in countries and territories,” in a move seen as a win for technology companies.
“The Central Government may, after reviewing such factors as it deems necessary, notify the countries or territories outside India to which a data controller may transfer personal data, in accordance with such conditions as may be specified,” the draft said. says, without mentioning the countries.
Asia Internet Coalition, a lobby group representing Meta, Google, Amazon and many other technology companies, had requested that New Delhi allow cross-border data transfers. “Cross-border transfer decisions should be free from administrative or political interference and ideally should be minimally regulated,” they wrote in a letter to the Department of IT earlier this year.
“Restricting cross-border data flows is likely to lead to higher bankruptcy rates, create barriers for start-ups and lead to more expensive product offerings from existing market players. Ultimately, the above mandates will affect digital inclusion and the ability of Indian consumers to access a truly global internet and quality of services,” the group said.
The draft also suggests that companies only use the data they’ve collected about users for the purpose for which they originally obtained it. It also asks the companies to ensure that they process the personal data for the users for the exact purpose for which they collected it.
It also calls for companies not to keep the data perpetual by default. “Storage should be limited to the duration necessary for the stated purpose for which personal data was collected,” a note from the ministry said.
The draft proposes a fine of up to $30.6 million if a company fails to provide “reasonable security measures to prevent personal data breaches”. Another $24.5 million fine if the company fails to notify local government and users for failing to disclose the personal data breach.
The previously proposed rules were touted to help protect citizens’ personal data by dividing it into different segments based on their nature, such as sensitive or critical. However, the new version does not separate data as such, according to the draft.
Like the European GDPR and the CCPA (California Consumer Privacy Act) in the US, the Digital Personal Data Protection Bill 2022 proposed by India will apply to companies operating in the country and to all entities that process the data of Indian citizens. process.
The proposed rules, which are expected to be debated in parliament after public consultation, would not change selected controversial laws in the country that were drafted more than a decade ago. However, New Delhi is working to update its two-decade-old IT law that would debut as the Digital India Act. It will separate middlemen and come as the end game, India’s IT Minister Rajeev Chandrasekhar told TechCrunch in a recent interview.
In August, the Indian government withdrew its previous Personal Data Protection Act unveiled in 2019 after much anticipation and judicial pressure. At the time, Indian IT Minister Ashwini Vaishnaw said the repeal was considered “a new bill that fits into the comprehensive legal framework”.
Meta, Google, and Amazon were some of the companies that did concerns expressed about some recommendations of the joint parliamentary committee on the bill.
The move to introduce a data protection law came to be declared a constitutional right by the Supreme Court of India in 2017. However, the country faced strong criticism of its previous data protection laws due to their intrinsic nature of empowering government agencies to access citizens’ data.
Prime Minister Narendra Modi spoke at one of the sessions during the G-20 summit in Bali earlier this week spoke about the principle of “Data for development” and said the country would work with G-20 partners to bring “digital transformation to every person’s life” during next year’s presidency for the 19-nation intergovernmental forum.