India electronic circuits map

India’s proposed privacy law aims to ease cross-border data transfers

Image credit: Blackboard373-Dreamstime

The Indian government has proposed a new data privacy law to regulate how companies handle user data, including permitting cross-border data transfers with certain countries.

Two months after withdrawing a draft data privacy law, the Indian government has published a new proposal that could impact how tech giants such as Facebook and Google process and transfer data in one of the world's most populated nations. 

If approved, the new law would allow companies to transfer some users' data abroad, while giving the federal government powers to exempt state agencies from the law in the interests of national security.

The government will “notify such countries or territories outside India to which a data fiduciary may transfer personal data”, according to the draft law. 

The proposed legislation stipulates that consent is necessary before collecting personal data and establishes harsher penalties for persons and companies that fail to prevent data breaches, including accidental disclosures, sharing, altering or destroying personal data.

The draft also gives powers to the central government to exempt state agencies from provisions of the Bill “in the interests of sovereignty and integrity of India” and to maintain public order.

“The purpose of this Act is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto,” the draft said.

The regulations will also apply to the processing of personal data abroad if such data involves profiling Indian users or selling services to them. It also asks that companies do not store the data perpetually by default.

“The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected,” a note from the ministry said.

India has long defended the need for stricter regulations over the technology industry, citing the need to safeguard users' interests in a country that has more than 760 million internet users.

Last August, the country withdrew a 2019 privacy bill that had alarmed companies by proposing stringent restrictions on cross-border data flows. At the time, India’s IT Minister Ashwini Vaishnaw said that the withdrawal was considered to “present a new bill that fits into the comprehensive legal framework.”

Asia Internet Coalition, a lobby group that represents Meta, Google, Amazon and many other tech firms, had requested New Delhi to permit the cross-border transfer of data, according to TechCrunch. 

“Cross-border transfer decisions should be free from executive or political interference and should ideally be minimally regulated,” they wrote in a letter to the IT ministry earlier this year, the group said. 

“Placing restrictions on cross-border data flows is likely to result in higher business failure rates, introduce barriers for start-ups, and lead to more expensive product offerings from existing market players. Ultimately, the above mandates will affect digital inclusion and the ability of Indian consumers to access a truly global internet and quality of services."

The nation’s IT ministry has published a draft of the Digital Personal Data Protection Bill 2022, on Friday for public consultation. It will hear views from the public until December 17 2022.

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles