Employees at an Amazon order and collection point in Tumakuru, India, Dec. 4, 2018. A new law would give the country’s 1.3 billion people more power over data collected by companies but allow the government to exempt itself from the rules. (Rebecca Conway/The New York Times)
MUMBAI, India — India is poised to pass its first major data protection law, placing new restrictions on how corporations can collect and use information from the country’s 1.3 billion people.
The legislation, which is set to be introduced in Parliament this week after more than a year of discussion, builds on Europe’s recently enacted privacy protections that gave residents there the ability to request and better control their online data. But lawyers said the bill would also move India closer to China, where the internet is tightly overseen by the government.
“It gives a semblance of owning your data, and having the right to know how it is used, to the individual, but at the same time it provides carte blanche to the government,” said Salman Waris, head of the technology practice at TechLegis, a New Delhi law firm.
India’s likely legislation is set to contribute to a balkanization of the internet. From Singapore to California, more and more governments are adopting their own standards on privacy, security, free speech and protection for homegrown companies. That is making it more difficult for multinational internet companies, which had once expanded rapidly in different regions, to operate freely across the world.
“There is genuinely a danger that we are approaching an era of competing regimes,” Bhairav Acharya, a public policy manager for Facebook, said last week at a conference in Bangalore hosted by the Carnegie Endowment for International Peace. “That’s not good for users. That’s not good for industry.”
Like Europe's General Data Protection Regulation, India’s bill would force global internet companies like Facebook and Amazon to seek explicit permission for most uses of an individual’s personal data and make it easier for people to demand that their data be erased.
But the proposal would place fewer restrictions on the government’s own use of sensitive data on its residents, which include the fingerprint and iris scans that are part of the Aadhaar national ID system and its detailed surveys of who receives government benefits in every household.
On paper, the data protection rules would apply to government agencies. However, the law would grant the central government broad power to exempt any public entity from the requirements for reasons such as national security or public order.
“This is particularly concerning in India given that the government is the largest collector of data,” said Apar Gupta, executive director of the Internet Freedom Foundation, a digital rights group based in New Delhi.
India is also proposing a new entity, the Data Protection Authority, to write specific rules, monitor how corporations are applying them and settle disputes. That agency would have a great deal of power, including deciding whether a data breach must be disclosed to the people affected and setting policies on whether search engines like Google or credit agencies like TransUnion should be exempt from the consent requirements.
Rahul Matthan, a partner at Indian law firm Trilegal who specializes in tech issues, said that businesses had real concerns as to whether the new data authority would have the capacity to manage all of its responsibilities, especially with little legal precedent to guide it.
“We are expecting this Data Protection Authority to be at the standard of a GDPR without any experience,” Matthan said. “That’s a tall ask.”
Still, the data bill has been eagerly awaited by both privacy advocates and the tech industry. India’s Supreme Court established a constitutional right to privacy in 2017, and in its wake, a committee headed by a retired justice of that court, B.N. Srikrishna, wrote a first draft of the bill and made it public more than a year ago.
Srikrishna supported tight restrictions on the government’s ability to exempt itself from the law, saying at the Carnegie conference last week that the bill he wrote “is as much applicable to the government as to private citizens.”
The administration of Prime Minister Narendra Modi, which has made no secret of its plans to increase surveillance and adopt technologies such as facial recognition, appears to have rejected his advice when it rewrote the bill.
The judge declined to comment Tuesday, saying that he was waiting until the bill is formally introduced in Parliament.
Although the Modi government has chosen to whisk many important bills through Parliament in just a few days, legal experts said they expected the data protection bill would move more slowly and may even be open to amendment.
“I’m just glad to have a law that is likely to be tabled — good, bad or ugly,” Matthan said. “We really need a law of some sort.”
©2019 New York Times News Service