India’s data protection law is a step closer to being enacted after Union IT Minister Ravi Shankar Prasad introduced the Personal Data Protection Bill, 2019, in Parliament on December 11. The Bill provides a framework for protecting individuals’ privacy, the ways in which their data can be processed with consent, and the obligations of the processing individuals and organisations. The Bill articulates exemptions such as national security, under which even sensitive data of individuals can be processed without their express permission; it also sets the guidelines about which data needs to strictly remain, and be processed, within India, and what can be processed overseas. A Data Protection Authority will be set up to oversee the implementation of the law.
“This is a ground-breaking step for the nation towards building the significant base of ‘trusted’ digital India,” says Jaspreet Singh, a partner for cyber security at consultancy EY. “The Bill is like a double-sided sword: On one hand it protects the personal data of Indians by empowering them with data principal rights, and on the other hand it bestows the central government with exemptions that are against principles of processing.”
There are concerns that the Bill gives the government blanket powers to access citizens’ data. This “has dangerous implications” and could “turn India into an Orwellian state,” said Justice BN Srikrishna in a media report; he had led the committee that submitted the report based on which the original Bill was drafted in 2018.
The Bill would “represent new, significant threats to Indians’ privacy,” Udbhav Tiwari, a public policy advisor at Mozilla, told TechCrunch. “If Indians are to be truly protected, it is urgent that the Parliament reviews and addresses these dangerous provisions before they become law.”
The Bill intends to make individuals the owners of their data, giving them the right to access and correct it, the right to data portability, and the right to be forgotten. The Bill will largely impact how consumer data is protected and kept private. User awareness about privacy is growing, and people will be seen making more informed choices, “associating certain brands that provide greater privacy controls as better options,” says Singh.
India’s smartphone revolution has made it a market with over 500 million active internet users, making it second only to China. India has also seen a surge in internet-based start-ups offering various products and services. These startups are keenly following the progress of the Bill. “There is an increasing need to have proper guidelines in place to secure confidential data… we hope the Bill will have a proper balance of data privacy and protection, which will lead to increased transparency,” says Bhavin Turakhia, founder of Flock, the maker of a team collaboration software.
“Effective data privacy and personal information protection are critical pillars for driving consumer trust in the rapidly growing digital economy” says Venkatesh Krishnamoorthy, country manager at BSA, a tech industry lobby. “We look forward to reviewing the revised Personal Data Protection Bill and contributing to the consultative process to ensure the legislation empowers Indian consumers, is interoperable with international practices, and drives continued growth for India’s digital economy.”
“We are aligned with the Government of India’s objectives towards creating a robust and secure digital economy for Indian customers. We are following the progress of the bill and we cannot specifically comment on any provision till it is opened to public comment,” said an Amazon spokesperson