Protection site

Indian government withdraws data protection bill

Unexpected revocation comes after years of tech industry criticism

Prajeet Nair (@prajeetspeaks) •
August 4, 2022

The Indian government unexpectedly scuttled its personal data protection bill after resisting criticism from the tech industry and privacy advocates concerned about the government’s proposed powers over personal data.

See also: On demand | Zero tolerance: control the landscape where you will meet your opponents

Indian Prime Minister Narendra Modi’s government has vowed to instead come up with a “comprehensive framework” for tech regulation that includes privacy.

Minister of State for Electronics and Information Technology Rajeev Chandrasekhar told reporters the proposal broadened its scope beyond data protection “and created levels of complexity and increased compliance burden for small businesses”.

As recently as early this year, Telecommunications Minister Ashwini Vaishnaw, who oversees a broad portfolio including communications and information technology, said there was “no plan to remove the draft data protection legislation”. Vaishnaw Told Reuters, the government intends to push through its new proposal early next year. The Indian government began discussing the now-withdrawn bill in 2018, a year after India’s Supreme Court ruled that privacy is a fundamental right under India’s Constitution.

by some measuresIndia ranks among the countries most affected by data breaches, and there has been a significant increase in cybercrime in the country.

The pivot to a seemingly even more ambitious agenda comes at a time of tension between Modi’s government and big tech companies, which includes ongoing litigation initiated by WhatsApp’s parent company Meta. SMS app seeks Delhi High Court ruling blocking rule that would actually make end-to-end encryption inconvenient messages.

Tech companies have objected to the provisions of the now-abandoned legislation, including language that would have imposed even stringent data localization requirements. India already requires payment processors store data in india. Tech companies also said restrictions on cross-border data flows would create friction.

Although privacy advocates criticized the proposal for its language granting government agencies the power to seek user data from companies, some also criticized the government’s decision to stifle the bill. “The failure to adopt a federal privacy and data protection framework illustrates the government’s approach of putting the horse before the cart – mandating increased collection and use of personal data without first ensuring that people’s information will be safe and secure”, said Namrata Maheshwari, Asia-Pacific Policy Advisor at Access Now.

Industry reaction

The core of the bill was changed when lawmakers decided it should cover non-personal data, says Prashant Mali, a cybersecurity and privacy lawyer at the Bombay High Court.

“When a bill changes so much that it loses its basic structure, it’s best to reformulate it,” Mali told Information Security Media Group.

He also says that the idea of ​​having a “Digital India Bill” which can combine the IT Act 2000 and the data privacy sections of the abandoned bill is a possibility for moving forward.

“Personally, I feel like combining would be catastrophic,” Mali said.

Amit Jaju, Senior Managing Director of Ankura Consulting Group, says this is good news as the existing project has become impractical and not in line with global benchmarks.

“It has also worked to address non-personal data issues, which distracts attention from personal data risk management. I hope the new project is more aligned with global regulations such as the GDPR and is implemented in a timely manner,” Jaju told ISMG.

Jaju says that Indian businesses in 2022 have been victims of large-scale data breaches and that in the absence of a data protection law, individuals have little or no protection.