India’s government on Wednesday unexpectedly withdrew a data protection bill that a panel of lawmakers had been working on for more than two years, saying it was working on a new law.
The scrapped legislation, Personal Data Protection Bill, 2019, would have required internet companies like Meta and Google to obtain specific permission for most uses of a person’s data, and would have made the process of requesting erasure of that data easier. personal. Countries around the world have adopted such measures, including in Europe with the General Data Protection Regulation.
But privacy advocates and some lawmakers have complained that the bill would have given the government overly broad powers over personal data, while exempting law enforcement and public entities from the law’s provisions, apparently for national security reasons.
Salman Waris, a lawyer at TechLegis in New Delhi who specializes in international technology law, said the bill was “a bad bill from the start” because it gave the government sweeping powers to store, use and control the large amounts of data it collects. on its citizens, including fingerprints and iris scans.
In a memo to the parliamentary panel last year, Manish Tewari, an opposition politician from the Indian National Congress party, said the bill created “two parallel universes – one for the private sector where it would apply with all the rigor and one for the government where it is full of exemptions.
Tech companies were also wary, fearing the proposed legislation would increase their compliance burden and data storage requirements.
The law, which included a rule that tech companies store certain sensitive data about users in India only in the country, would have presented new challenges for global tech giants looking to expand their services in India, the second largest internet market. world after China, with more than half a billion Indians online.
In recent years, Indian Prime Minister Narendra Modi and his ruling Bharatiya Janata party have taken a series of measures to curb tech companies, including expanding the government’s powers of censorship over social media. Such rules allow authorities to require posts or accounts that criticize them to be hidden from users in India, as in a recent case involving Twitter. WhatsApp has been told it will need to make certain private messages “traceable” to government agencies if the government believes they relate to national security issues.
Still, a number of lawyers and experts say rules to protect citizens’ privacy online and hold companies accountable for misusing or leaking users’ personal data are badly needed. The abrupt withdrawal of the bill, by a government that rarely bows to political opposition, surprised many Indians.
“It’s not about getting a perfect law, but a law at this point,” said Apar Gupta, executive director of the Internet Freedom Foundation, a New Delhi-based digital rights group. “Each lost day causes more injury and damage.”
The government’s explanation for withdrawing the bill was that it had become too complicated since a panel of lawmakers had been working on it. The government-appointed committee “recommended 81 amendments to a 99-section bill,” wrote Ashwini Vaishnaw, the information technology minister. on Twitter. “The bill has been withdrawn and a new bill will be presented for public consultation.”
India, the world’s fastest growing market for new internet users, has seen an explosion of personal data as millions of new users logged on and started using hundreds of free and paid apps that store the data.
The country’s efforts to better protect its data go beyond the scope of the proposed data protection law. For example, India has required credit card issuers and payment processors to store local transaction data inside the country.
India has resisted arguments from financial firms that setting up local data processing drastically increases costs and could set a precedent for other countries to do the same, while potentially affecting their surveillance of the fraud.
In addition to its demand for local data storage, the country’s central bank last year ordered all businesses to purge debit and credit card details from 2022 to prevent customers from being charged against their will.
The move has caused frustration for businesses and customers, many of whom have had their transactions declined or had to re-enter their details.