The move comes amid concerns that the law could potentially lead to increased government surveillance. 

Indian lawmakers have passed a significant data protection law aimed at regulating tech companies’ processing of user data.

The move comes amid concerns that the law could potentially lead to increased government surveillance. 

The Digital Personal Data Protection Bill, 2023, allows companies to transfer certain user data abroad, but it also empowers the Indian government to obtain information from firms and issue content blocking directives through a data protection board appointed by federal authorities.

Privacy concerns are addressed through a number of new provisions: users are given the right to correct or erase their personal data, granting them more control over their information. However, critics point to the power given to state agencies to be exempt from these elements. The law has also sparked controversy due to potential implications on press freedom and dilution of the Right to Information law.

The bill comes in the wake of India’s decision to withdraw a 2019 privacy bill, which had raised alarm among tech giants like Facebook and Google due to its stringent cross-border data flow restrictions. The new legislation seeks to strike a balance between protecting user data and facilitating innovation in the digital economy.

The legislation carries significant penalties for violations and non-compliance, with fines potentially reaching up to 2.5 billion rupees ($30 million). The government argues that these measures are necessary to ensure data security and accountability.

Deputy Minister for Information Technology, Rajeev Chandrasekhar, has asserted how the law is designed to safeguard citizens’ rights, promote innovation, and allow legitimate access by the government in cases of national security or emergencies, such as pandemics and earthquakes.

India’s progression to this point has been long-awaited and contentious. The process began following a 2017 Supreme Court ruling that recognised the fundamental right to privacy for Indians. The bill underwent multiple revisions to embrace concerns from various stakeholders, including business groups and civil society advocates.

While the law aims to tackle data protection concerns and create a framework for responsible data handling, opponents remain wary. The law’s provisions allowing the government to bypass certain aspects for reasons related to national security and public order have raised alarm among civil society activists.

As India takes this crucial step toward data protection legislation, the global tech community and human rights organisations closely monitor its implications for user privacy, government surveillance, and the balance between innovation and regulation.

As international data protection regulatory frameworks evolve, it’s never been more important for organisations to stay on top of new laws, rights and responsibilities as they develop across global geographies. 

On September 27 and 28, 2023, #RISK Amsterdam is the premier event for risk professionals in Europe, getting to the heart of international data laws, transfer rules and cybersecurity regulations.

Not to be missed:

Session: EU-US Data Transfers: Time to Relax?

Date: Wednesday 27 September

Location: Privacy and Security Hub

Time: 10:00 - 11:00 CET

Replacing Privacy Shield has been a long and complicated process, apparently accelerated by the war in Ukraine and several concessions from the negotiators. But with Max Schrems already declaring his intention to challenge the new agreement, will EU and US data controllers ever truly be out of limbo?

This session will examine the new data transfer framework’s strengths and weaknesses, and explore what action businesses can take to prepare if the framework fails.


Session: Shaping Europe’s digital future: Cybersecurity Law and Regulation

Date: Thursday 28 September 2023

Time: 15:00-1600 (CET)

The legal and regulatory landscape of cybersecurity is constantly evolving, with new laws and regulations being introduced regularly, such as the EU Cybersecurity Act, the NIS2 directive, and more.

In this session, panellists explore the emerging trends and challenges in cybersecurity law and regulation and discuss the ways in which organisations can navigate this complex landscape.

With over 50 exhibitors, keynote presentations from over 100 experts and thought leaders, panel discussions, and breakout sessions, #Risk Amsterdam 2023 is the perfect place to learn about the present and future risk landscape.

Click here for the full #RISK Amsterdam agenda

Click here to register for #RISK Amsterdam



Do you know what data is being used to ‘train’ the AI in your organisation? 

Do you have a process for managing ‘risk’ in the use of AI? 

Are employees being trained in the use of AI? 

Attend #RISK to learn & knowledge share:

Learn more about #RISK Amsterdam – 27th & 28th September 2023

LEARN MORE ABOUT #RISK LONDON  – 18th & 19th October 2023