India withdraws a proposed law on data protection

The Indian government on Wednesday unexpectedly withdrew a proposed bill on data protection—the Personal Data Protection Bill, 2019, that a panel of lawmakers had been laboring over for more than two years, saying it was working on a new law

  • Published:
  • 05/08/2022 12:06 PM

A motorist rides along a road in front of the Google India office building in Hyderabad on January 28, 2022. The Indian government on Wednesday unexpectedly withdrew a proposed bill on data protection that a panel of lawmakers had been laboring over for more than two years, saying it was working on a new law. Image: Noah Seelam / AFP

The Indian government on Wednesday unexpectedly withdrew a proposed bill on data protection that a panel of lawmakers had been laboring over for more than two years, saying it was working on a new law.

The abandoned legislation, Personal Data Protection Bill, 2019, would have required internet companies such as Meta and Google to get specific permission for most uses of a person’s data and would have eased the process of asking for such personal data to be erased. Countries worldwide have been adopting such steps, including in Europe with the General Data Protection Regulation.

Related Stories

  • Does data anonymization really hide your identity?
  • China's surveillance state hits rare resistance from its own subjects
  • Seven commandments of privacy governance in information capitalist societies

But privacy advocates and some lawmakers complained that the bill would have given the government excessively broad powers over personal data, while exempting law enforcement agencies and public entities from the law’s provisions, ostensibly for national security reasons.

Salman Waris, a lawyer at TechLegis in New Delhi who specializes in international technology law, said the bill was “a bad draft from the inception,” because it would have given the government broad powers to store, use and control the large amounts of data it gathered on its citizens, including fingerprints and iris scans.

In a note to the parliamentary panel last year, Manish Tewari, an opposition politician from the Indian National Congress party, said the bill created “two parallel universes — one for the private sector, where it would apply with full rigor, and one for the government, where it is riddled with exemptions.”

Tech companies, too, were wary, concerned the proposed legislation was going to increase their compliance burden and data storage requirements.

Also read: Parliamentary panel's version of Personal Data Protection Bill endangers privacy: Justice Srikrishna

The bill, which included a rule that tech firms store certain sensitive data about users in India only within the country, would have presented new challenges for global tech giants looking to expand their services in India, the world’s second-largest internet market after China, with more than a half-billion Indians online.

In recent years, Prime Minister Narendra Modi and his governing Bharatiya Janata Party have taken a series of steps to rein in tech companies — including by extending the government’s powers of censorship over social media. Such rules allow the authorities to demand that posts or accounts critical of them be hidden from users in India, as with a recent case involving Twitter. WhatsApp has been told it would be required to make some private messages “traceable” to government agencies if the government believed they involved issues of national security.

Last Updated :

August 05, 22 12:47:44 PM IST