India introduces new data protection laws

Indian lawmakers have passed a significant data protection law aimed at regulating tech companies’ processing of user data.

The move comes amid concerns that the law could potentially lead to increased government surveillance. 

The Digital Personal Data Protection Bill, 2023, allows companies to transfer certain user data abroad, but it also empowers the Indian government to obtain information from firms and issue content blocking directives through a data protection board appointed by federal authorities.

Privacy concerns are addressed through a number of new provisions: users are given the right to correct or erase their personal data, granting them more control over their information. However, critics point to the power given to state agencies to be exempt from these elements. The law has also sparked controversy due to potential implications on press freedom and dilution of the Right to Information law.

The bill comes in the wake of India’s decision to withdraw a 2019 privacy bill, which had raised alarm among tech giants like Facebook and Google due to its stringent cross-border data flow restrictions. The new legislation seeks to strike a balance between protecting user data and facilitating innovation in the digital economy.

The legislation carries significant penalties for violations and non-compliance, with fines potentially reaching up to 2.5 billion rupees ($30 million). The government argues that these measures are necessary to ensure data security and accountability.

Deputy Minister for Information Technology, Rajeev Chandrasekhar, has asserted how the law is designed to safeguard citizens’ rights, promote innovation, and allow legitimate access by the government in cases of national security or emergencies, such as pandemics and earthquakes.

India’s progression to this point has been long-awaited and contentious. The process began following a 2017 Supreme Court ruling that recognised the fundamental right to privacy for Indians. The bill underwent multiple revisions to embrace concerns from various stakeholders, including business groups and civil society advocates.

While the law aims to tackle data protection concerns and create a framework for responsible data handling, opponents remain wary. The law’s provisions allowing the government to bypass certain aspects for reasons related to national security and public order have raised alarm among civil society activists.

As India takes this crucial step toward data protection legislation, the global tech community and human rights organisations closely monitor its implications for user privacy, government surveillance, and the balance between innovation and regulation.