India has relaxed its planned restrictions on cross-border data flows, with a revision to its planned data protection laws.
The new Digital Personal Data Protection Bill 2022 will allow the transfer of personal data to certain other nations and proposes GDPR-style restrictions on the ways in which companies use that data.
There are penalties of up to around $31 million for failing to prevent a data breach, with another $24.5 million where organizations fail to notify the authorities and users.
The bill has been a long time in the making, with a first version proposed in 2018. Years of revisions led to a new version last year, which was withdrawn by the government this summer after concerns from big tech firms and others over cross-border data flows.
But while the new version doesn’t specify the countries concerned, it allows for the possibility of such transfers.
“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified,” it reads.
If, as seems likely, the list of exemptions includes the US, the provision will be welcomed by the big technology companies such as Google, Amazon and Facebook. Earlier this year, the Asia Internet Coalition, of which they are members, called for cross-border data transfers to be allowed.
“Placing restrictions on cross-border data flows is likely to result in higher business failure rates, introduce barriers for start-ups, and lead to more expensive product offerings from existing market players,” they said in a letter to the IT ministry.
“Ultimately, the above mandates will affect digital inclusion and the ability of Indian consumers to access a truly global internet and quality of services.”
However, there are still areas of serious concern in the new bill – most notably a provision exempting the government from full compliance by allowing it to retain personal data indefinitely in the interests of ‘sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these’.
This, says the Internet Freedom Foundation, could lead to major violations of privacy.
“This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse. If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance,” it says.
“Any exemption sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse of use.”
The foundation also has concerns over the Data Protection Board, saying the fact that key positions will be appointed by the government means that it lacks independence.