The Indian government has withdrawn a hotly anticipated data protection bill, just weeks after postponing other tech-related legislation that saw VPN providers leave the country in droves.
The law, which has been debated and amended significantly since its introduction into India's parliamentary system in 2019, was billed as a way to give Indians more control over their data.
Along with the widely-criticized anti-VPN laws and the 2021 IT rules that irked social media firms, the withdrawal paints a picture of a government struggling to assert itself confidently on tech issues.
India’s Divisive Data Protection Law
The proposed 2019 Personal Data Protection Bill was purportedly designed to give Indian citizens – who comprise the world’s second-largest internet market – more control over their personal data.
The law would have established a so-called data protection authority and increased compliance obligations for Big Tech companies such as Meta, Amazon, and other companies that deal in personal information.
The bill would have granted Narendra Modi’s government sweeping new powers, including the ability to demand user data from tech companies.
Government agencies were due to be exempt from the law “in the interest of the sovereignty” of the country, a stipulation that led privacy advocates to raise the alarm back in 2019.
The law was revised in 2021 and renamed the “Data Protection Bill”, as the parliamentary committee also wanted it to cover non-personal data, which doesn’t contain information that can be used to identify a person but is critical for businesses.
In a letter to India's technology minister, The Asian Internet Coalition – which represents Spotify, Meta, Amazon, Google, Twitter, and Apple – says there are “fundamental and conceptual differences” between these two classes of data, and that they shouldn’t be covered by the same regulatory framework.
The organization also argued that “Central Governmental involvement in all SPD [Sensitive Personal Data] related cross-border transfer decisions”, would “erode and undermine the regulator’s independence” and increase the costs of doing business in India.
Law Withdrawn…for Now
After months of deliberation, The Data Protection Bill garnered 81 amendments and 12 recommendations from India’s parliamentary committee responsible for scrutinizing the report, meaning the only option was to go back to the drawing board.
“Considering the report of the JPC [Joint Parliamentary Committee], a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw the Personal Data Protection Bill, 2019, and present a new bill that fits into the comprehensive legal framework” Union Minister for Electronics and Information Technology (MeitY), Aishwani Vaishnaw, said in a statement quoted by New Delhi-based news website The Print.
According to Reuters, the government plans to get a new, revised law approved by early 2023.
This means India still doesn’t have a data privacy law comparable to GDPR in Europe, for instance, despite being a bigger data market. Depending on what powers the government grants itself with the law, it could mean Indians are even less in control of their personal data.
New Delhi Makes Another Tech Fumble
Regulating the flow of Indians' personal information, as well as the tech companies processing it, would be a good thing if done properly. However, the intentions behind the law are evidently more about power than they are about privacy.
Modi’s BJP has adopted an increasingly authoritarian stance on internet freedom over the past few years – including orchestrating internet blackouts during protests – as well as a bullish approach to regulating social media sites.
Most recently, India tried to instate a now-postponed data retention directive that would have placed a legal obligation on companies that process the personal data of Indians to hold onto that data for specified amounts of time.
The law, which was scheduled to come into force in late June but has been postponed until September, drove VPN companies like NordVPN and Surfshark out of the country, as they keep no logs of user activity and thus could not comply with the legislation.
India has also been drafting legislation over the last year or so – known as the “IT Rules” bill – that would theoretically give appointed government officials the power to veto and subsequently reverse content moderation decisions made by Big Tech companies like Meta and Twitter. The Asian Internet Coalition urged the government to replace the system with a self-regulating redressal mechanism.
In reality, the only real victims in all of this are India's citizens, who are further than ever from having their privacy respected and their data protected.