India Government Withdraws Data Protection Bill

Unexpected Revocation Comes After Years of Tech Industry Criticism Prajeet Nair (@prajeetspeaks) • August 4, 2022

The Indian government unexpectedly scuttled its personal data protection bill after weathering criticism from the tech industry and privacy advocates concerned over proposed governmental powers over personal data.

The government of Indian Prime Minister Narendra Modi vowed to instead propose a "comprehensive framework" for tech regulation that includes privacy.

Minister of State for Electronics and Information Technology Rajeev Chandrasekhar told reporters the proposal grew in scope beyond data protection "and was creating degrees of complexity and increasing the burden of compliance on the small businesses."

As recently as earlier this year, Telecom Minister Ashwini Vaishnaw, who oversees a broad portfolio including communications and information technology, said there was "no plan to scrap the draft data protection legislation." Vaishnaw told Reuters the government intends to get its new proposal passed into law by early next year. India's government first began discussing the now-withdrawn bill in 2018, a year after the Supreme Court of India declared that privacy is a fundamental right under India's Constitution.

By some measures, India ranks among the countries most affected by data breaches, and there has been a significant increase in cybercrime in the country.

The pivot to an apparently even more ambitious agenda comes at a moment of tension between Modi's government and large tech firms that includes ongoing litigation initiated by WhatsApp parent Meta. The texting app seeks a ruling from the Delhi High Court blocking a rule that would in effect make end-to-end encryption of messages impractical.

Tech firms have objected to provisions in the now-shelved legislation, including language that would have imposed even strict data localization requirements. India already requires payment processors to store data in India. Tech firms also said restrictions on cross-border data flows would create friction.

Although privacy advocates criticized the proposal for its language granting government agencies powers to seek user data from companies, some also criticized the government's decision to squelch the bill. "The failure to pass a federal privacy and data protection framework exemplifies the government's approach of putting the horse before the cart - mandating increased collection and utilization of personal data without first ensuring people's information will be safe and secure," says Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now.

Industry Reaction

The heart of the bill was changed when legislators decided it should cover nonpersonal data, says Prashant Mali, cyber and privacy lawyer at the Bombay High Court.

"When a bill so changes that it loses its basic structure, it is better to redraft the same," Mali tells Information Security Media Group.

He also says that the idea of having a "Digital India Bill" that may combine the IT Act 2000 and the data privacy-related sections of the abandoned bill is one possibility for moving forward.

"Personally, I feel combining would be havoc," says Mali.

Amit Jaju, senior managing director at Ankura Consulting Group, says that it is welcome news as the existing draft became impractical and not in line with global benchmarks.

"It also strived to address issues related to nonpersonal data which takes away the focus from addressing risks to personal data. I hope the new draft is more aligned with global regulations such as GDPR and is implemented in a timely fashion," Jaju tells ISMG.

Jaju says Indian companies in 2022 have been the victim of large-scale data breaches and in absence of a data protection law, individuals have little to no protection.