Home / News / India /  Relief for Big Tech as data law okays storage abroad

NEW DELHI : India has unveiled a new draft data privacy law that allows multinational companies to store user data overseas, diluting proposals to restrict cross-border data transfer in a previous draft that alarmed companies such as Meta Inc. and Google.

Under the revised draft law, the government retained its powers to exempt state agencies from the privacy law in the interest of national security.

The latest version, released for public consultations on Friday, replaces a 2019 draft withdrawn by the government three months ago following opposition from big tech and startups who feared compliance costs would soar if the law was implemented.

“The bill proves that the Indian government is pro-industry, trade and investments. This also comes at a strategic time where it will positively impact India’s ability to enter into best-in-class digital agreements in its free-trade agreements (FTAs)," said Rohan Gupta, Asia-Pacific manager of government relations and regulatory affairs at the London Stock Exchange Group.

The new bill also proposes transparent usage of the personal data collected, limited use of the data, and ensuring that it is not retained perpetually. It also proposes to impose penalties of as much as 500 crore on organizations, depending on the severity, duration and user impact of a data breach.

Non-personal data and criminal penalties have been dropped from the new bill, even as cross-border data flows have been made easier. India also proposed to notify foreign countries to which the transfer of personal data would be permitted. Legal experts said this provision could aid India in its ongoing FTA negotiations.

“This is likely to make it relatively easier for global enterprises to operate and process data with their current set-up rather than mandatorily developing large infrastructure in India for storing and processing personal data," said Manish Sehgal, a partner at Deloitte India.

The bill outlines that companies and organizations should ensure that no unauthorized collection or processing of user data takes place and make reasonable efforts to keep accurate and updated data of users.

“We’ve made sure small businesses and the startup ecosystem are not burdened by compliance. We’ve tried to create a digital-by-design compliance framework, so it becomes an easily accessible way for implementing the bill," said communications and information technology minister Ashwini Vaishnaw.

The draft bill states that entities that fail to prevent a personal data breach will be penalized up to 250 crore, and an additional 200 crore fine will be levied if they do not inform users affected and the proposed Data Protection Board.

To safeguard children, the bill has proposed a penalty of 200 crore on an entity that does not take parental consent for processing data of a child, processes data that may harm a child, tracks or enables behaviour monitoring of children or undertakes targeted advertising directed at children.

A penalty of 150 crore will be levied if a significant data fiduciary, which has been notified by the government, does not appoint a data protection officer and independent data auditor and fails to undertake data protection impact assessments and periodic audits.

The significant data fiduciary will be determined based on the volume and sensitivity of the personal data processed, risk of harm to users or electoral democracy, and potential impact on India’s sovereignty, security and public order.

Minister of state for electronics and IT Rajeev Chandrasekhar said that the bill was part of a comprehensive framework of laws and rules that include IT rules, the Digital Personal Data Protection Bill, the National Data Governance Framework Policy and a new Digital India Act.

The latest bill also proposes penalties on users—or data principals—up to 10,000 for registering a false or frivolous grievance, impersonating or furnishing fake identification, and for any non-compliance with provisions of the Act.

“Removal of criminal penalties from the purview of the bill is certainly one of the most laudatory moves as this would propel innovations by many startups without the fear of imprisonment for unintended consequences," said Kazim Rizvi, founding director of policy advocacy body, The Dialogue.

Vaishnaw added that the government would examine all suggestions and feedback with an open mind and take the bill to the Parliament after proper consultations. Views can be submitted by 17 December.

“The focus is on protecting the users from all kinds of online harm and creating a safe, transparent and trusted digital ecosystem because India is a major digital economy powerhouse," he added.

The bill states that user consent should not be perpetual for individuals to exercise meaningful control over their personal data, and users can withdraw consent.

Consent will be deemed to have been given when users voluntarily provide personal data to the data fiduciary.

While some experts applauded the simple way the bill has been drafted and the removal of certain rules and regulations, others said that it is a shadow of the original draft.

“From close to a hundred provisions in the earlier versions, we’re down to 30. A lot is then left to rules that the government will lay down. But, in a positive move, the draft focuses only on personal data and doesn’t venture into non-personal data territory," said Sreenidhi Srinivasan, a partner at Ikigai Law.

N.S. Nappinai, a Supreme Court lawyer, said the exemptions in the bill “read with deemed consent provisions" will essentially “take away any protections that Indians have" while giving the government a “free pass".

Abhishek Malhotra, managing partner at TMT Law Practice, said that the bill has “watered down" the objective of a data privacy and protection framework. “The scope and applicability provisions have also been curtailed and limited to where the collection is online or digitized and where Indians are targeted for profiling. This is a departure from where the focus was on the entities, their activities and presence," he said.

Shouvik Das contributed to the story.


Gulveen Aulakh

Gulveen Aulakh is Senior Assistant Editor at Mint, serving dual roles covering the disinvestment landscape out of New Delhi, and the telecom & IT sectors as part of the corporate bureau. She had been tracking several government ministries for the last ten years in her previous stint at The Economic Times. An IIM Calcutta alumnus, Gulveen is fluent in French, a keen learner of new languages and avid foodie.
Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.
More Less

Recommended For You

Trending Stocks

Get alerts on WhatsApp
Set Preferences My ReadsWatchlistFeedbackRedeem a Gift CardLogout