The Indian government on Wednesday unexpectedly withdrew a proposed bill on data protection that a panel of lawmakers had been laboring over for more than two years, saying it was working on a new law.
The abandoned legislation, Personal Data Protection Bill, 2019, would have required internet companies like Meta and Google to obtain specific permission for most uses of a person’s data, and would have eased the process of asking for such personal data to be erased. Countries worldwide have been adopting such steps, including in Europe with the General Data Protection Regulation.
But privacy advocates and some lawmakers complained that the bill would have given the government excessively broad powers over personal data, while exempting law enforcement agencies and public entities from the law’s provisions, ostensibly for national security reasons.
Salman Waris, a lawyer at TechLegis in New Delhi who specializes in international technology law, said the bill was “a bad draft from the inception,” because it gave the government broad powers to store, use and control the large amounts of data it gathers on its citizens, including fingerprints and iris scans.
In a note to the parliamentary panel last year, Manish Tewari, an opposition politician from the Indian National Congress party, said the bill created “two parallel universes — one for the private sector where it would apply with full rigor and one for the government where it is riddled with exemptions.”
Tech companies were also wary, concerned that the proposed legislation was going to increase their compliance burden and data storage requirements.
The law, which included a rule that tech firms store certain sensitive data about users in India only within the country, would have presented new challenges for global tech giants looking to expand their services in India, the world’s second-largest internet market after China, with more than half a billion Indians online.
In recent years, Prime Minister Narendra Modi of India and his governing Bharatiya Janata Party have taken a series of steps to rein in tech companies — including by extending the government’s powers of censorship over social media. Such rules allow the authorities to demand that posts or critical accounts of them be hidden from users in India, as with a recent case involving Twitter. WhatsApp has been told that it would be required to make some private messages “traceable” to government agencies if the government believed they involved issues of national security.
Yet a number of lawyers and experts say that rules to safeguard the privacy of citizens online and hold companies responsible for misusing or leaking users’ personal data are badly needed. The abrupt withdrawal of the bill, by a government that seldom bends to political opposition, came as a surprise to many Indians.
“It’s not about getting a perfect law, but a law at this point,” said Apar Gupta, the executive director of the Internet Freedom Foundation, a digital rights group based in New Delhi. “Each day lost causes more injury and harm.”
The government’s explanation for withdrawing the bill was that it had grown too complicated in the time that a panel of lawmakers had been working on it. The committee set by the government “recommended 81 amendments in a bill of 99 sections,” Ashwini Vaishnaw, a minister for information technology, wrote on Twitter. “The bill has been withdrawn and a new bill will be presented for public consultation.”
India, the world’s fastest-growing market for new internet users, has seen an explosion of personal data as millions of new users came online and started using hundreds of free and paid apps that store the data.
The country’s push to better protect its data extends beyond the scope of the data protection bill. For instance, India has required credit card issuers and payment processors to store data on local transactions inside the country.
India has resisted the arguments of financial companies that say that setting up local data processing increased costs significantly and could set a precedent for other countries to do the same, as well as potentially affect their fraud monitoring.
In addition to its demand to store data locally, the country’s central bank last year ordered all companies to purge debit and credit card details beginning in 2022 to protect customers from being charged against their will.
That move caused frustration for businesses and customers alike, many of whom either had their transactions declined or had to key in their details once again.