Indian lawmakers on Thursday introduced a long-delayed data protection bill in parliament that authorities say is needed to better regulate the activities of big tech firms in the world's most populous country.
The bill is meant to limit cross-border transfers of data, penalise companies for data breaches, and provide a framework for setting up a data protection authority to ensure compliance. A date for enactment has not been announced.
Also Read | Data Protection Bill should be considered as regular bill, says Congress leader Manish Tewari
Privacy experts say the proposed law fails to adequately safeguard the personal data of the nation's 1.4 billion citizens, and gives the government too much power.
What is the bill about, and why has it drawn so much criticism?
What does the data protection Bill do?
The Digital Personal Data Protection Bill, 2023 aims to "provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes," the ministry of information technology said.
Companies and institutions can be penalised for non-compliance, and for failing to take reasonable measures to prevent data breaches. They will also be required to stop retaining user data if it no longer serves the business purpose for which it was collected.
No company or organisation will be allowed to process personal data that is likely to cause "any detrimental effect" on the well-being of a child.
Government agencies may be exempted from the law on the grounds of national security.
Why was it delayed?
At least three different iterations of the bill were shelved, with privacy experts objecting to exemptions granted to government agencies, and dilution of the power of the data protection authority.
An earlier draft had also raised concerns among Big Tech firms that it would increase their compliance burden with stringent regulations on cross-border data flows, and that it gave the Indian government power to seek user data from tech companies.
The government withdrew the bill last year, and said it would draft a comprehensive law that would address the concerns.
What are the main concerns about the Bill?
Some of the most contentious issues include the wide-ranging exemptions to the government and its agencies, the dilution of powers of the data protection board, and amendment of the Right to Information Act, that rights groups say will significantly weaken the law.
"The bill grants the central government excessive discretionary power, does not create an independent regulator, creates uncertainties in cross-border data flows, and undermines people's rights," said Access Now, a digital rights group.
It enables the government to exempt itself and other entities "without any public or judicial oversight, creating risks of mass surveillance and serious privacy harms," it said in a statement.
The bill violates the right to privacy and is likely to create a "surveillance state", opposition party member Asaduddin Owaisi said in parliament on Thursday.
The bill "fails to address many data protection concerns and instead puts in place a regime to facilitate the data processing activities of state and private actors," the Internet Freedom Foundation, a digital rights group, said in a statement.
"The further widening of exemptions granted to government instrumentalities may facilitate increased state surveillance," it said.
How do other countries regulate data privacy?
About 70 per cent of countries worldwide have some form of legislation for data protection, according to the United Nations trade agency UNCTAD.
The EU's General Data Protection Regulation, which came into effect in 2018, is claimed to be the "toughest privacy and security law in the world," and seen as the global benchmark.
Several nations including China and Vietnam have recently tightened laws governing the transfer of personal data overseas, while Australia in 2018 passed a bill that gave police access to encrypted data.