On Wednesday, the Indian government unexpectedly withdrew a data protection bill that a panel of lawmakers had been working on for more than two years, saying it was working on a new law.
The abandoned legislation, the Personal Data Protection Bill 2019, would have required Internet companies such as Meta and Google to obtain specific permission for most uses of an individual’s data, and would have made the process of request to erase such personal data. Countries around the world have been adopting such measures, including in Europe with the General Data Protection Regulation.
But privacy advocates and some lawmakers complained that the bill would have given the government overly broad powers over personal data, while exempting law enforcement agencies and public entities from the provisions of the law. law, apparently for reasons of national security.
Salman Waris, a lawyer at TechLegis in New Delhi who specializes in international tech law, said the bill was “a bad draft from the start” because it gave the government sweeping powers to store, use and control the vast amounts of data it collects. on its citizens, including fingerprints and iris scans.
In a note to the parliamentary panel last year, Manish Tewari, an opposition politician from the Indian National Congress party, said the bill created “two parallel universes: one for the private sector where it would be fully enforced and one for the government where it is riddled with exemptions.”
Technology companies were also cautious, concerned that the proposed legislation would increase their compliance burden and data storage requirements.
The law, which included a rule that tech companies store certain sensitive data about users in India only within the country, would have presented new challenges for global tech giants looking to expand their services in India, the second largest internet market. largest in the world after China. with over half a billion Indians online.
In recent years, India’s Prime Minister Narendra Modi and his ruling Bharatiya Janata party have taken a series of steps to rein in tech companies, including expanding the government’s censorship powers over social media. Such rules allow authorities to require that critical posts or accounts be hidden from users in India, as in a recent case involving Twitter. WhatsApp has been told it will be required to make some private messages “traceable” to government agencies if the government believes they involve national security issues.
However, a number of lawyers and experts say rules to safeguard citizens’ privacy online and hold companies accountable for misusing or leaking users’ personal data are badly needed. The bill’s abrupt withdrawal, by a government that rarely bows to political opposition, came as a surprise to many Indians.
“This is not about getting a perfect law, but a law right now,” said Apar Gupta, executive director of the Internet Freedom Foundation, a New Delhi-based digital rights group. “Each day lost causes more injuries and damage.”
The government’s explanation for withdrawing the bill was that it had become too complicated in the time a panel of lawmakers had been working on it. The government-established committee “recommended 81 amendments in a 99-section bill,” wrote Ashwini Vaishnaw, the information technology minister. On twitter. “The bill has been withdrawn and a new bill will be submitted for public consultation.”
India, the world’s fastest-growing market for new internet users, has seen an explosion of personal data as millions of new users went online and started using hundreds of free and paid apps that store the data.
The country’s push to better protect its data extends beyond the scope of the data protection bill. For example, India has required credit card issuers and payment processors to store data on local transactions within the country.
India has resisted arguments from financial companies that setting up local data processing has significantly increased costs and could set a precedent for other countries to do the same, as well as potentially hurting its fraud monitoring.
In addition to its demand to store data locally, the country’s central bank last year ordered all businesses to delete debit and credit card data from 2022 to protect customers from being charged against their will.
That move caused frustration for businesses and customers alike, many of whom had their transactions declined or had to enter their details all over again.