Indian Government Publishes Draft of Digital Personal Data Protection Bill 2022
The Indian government on Friday released a draft version of the much-awaited data protection regulation, making it the fourth such effort since it was first proposed in July 2018.
The Digital Personal Data Protection Bill, 2022, aims to secure personal data, while also seeking users’ consent in what the draft claims is “clear and plain language” describing the exact kinds of information that will be collected and for what purpose.
The draft is open for public consultation until December 17, 2022.
India has over 760 million active internet users, pointing out to the fact that data generated and used by online platforms are subject to privacy rules to prevent abuse and increase accountability and trust.
“The Bill will establish the comprehensive legal framework governing digital personal data protection in India,” the government said. “The Bill provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.”
The legislation, in its current form, requires companies to follow sufficient security safeguards to protect user information, alert users in the event of a data breach, and stop retaining users’ data should individuals opt to delete their accounts.
“The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected,” an explanatory note released by India’s Ministry of Electronics and Information Technology (MeitY) reads.
Furthermore, the draft imposes data minimization requirements as well as additional guardrails companies have to adopt in order to prevent unauthorized collection or processing of personal data.
What’s also notable is that the legislation no longer mandates data localization, allowing tech giants to transfer personal data outside of Indian geographical borders to specific countries and territories.
Lastly, the new measure seeks to establish a Data Protection Board, a government-appointed body that will oversee the core of compliance efforts.
That said, the central (aka federal) government is exempted from the provisions of the act “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offense relating to any of these.”
These sweeping clauses, in the absence of any data protection mechanism, could grant the government broad powers and effectively facilitate mass surveillance.
“This would give the notified government instrumentalities immunity from the application of the law, which could result in immense violations of citizen privacy,” the Internet Freedom Foundation (IFF) said. “This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse.”
The latest development comes after a previous version of the law, introduced in December 2021, was rescinded in August 2022 following dozens of amendments and recommendations.