



India has proposed a new comprehensive data privacy law that mandates how companies treat their citizens’ data, including allowing cross-border transfers of information with certain countries.

The country’s IT ministry released a draft regulation (PDF) on Friday, called the Digital Personal Data Protection Bill 2022, for public consultation. Public comments will be heard until December 17th.

“The purpose of this Act is to regulate the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, It is to provide for matters related to or incidental to it, ”said the draft.

The draft allows cross-border data exchange with “certain notified countries and territories” and is seen as a win for tech companies.

“The central government, after assessing the factors it deems necessary, may, subject to specified conditions, notify the countries or territories outside India to which the data trustee may transfer personal data,” without naming the countries. says.

The Asia Internet Coalition, a lobby group representing Meta, Google, Amazon and many other technology companies, had called on New Delhi to allow cross-border transfers of data. “Cross-border transfer decisions should be free from administrative or political interference and should ideally be minimally regulated,” they wrote in a letter to the IT ministry earlier this year. increase.

“Imposing restrictions on cross-border data flows could increase business failure rates, create barriers for start-ups, and lead to more expensive offerings from incumbent market players. In addition, the above obligations will affect digital inclusion and the ability of Indian consumers to access a truly global internet and quality of service,” said the group.

The proposal also seeks to give New Delhi (the federal government) the power to exempt state governments from the law for national security.

The draft also proposes that companies use the data they collect about their users only for the purposes for which it was originally obtained. We also hold companies accountable for ensuring that they are processing users’ personal data for the precise purposes for which they were collected.

We also ask companies not to store data persistently by default. “Storage should be limited to the period necessary for the purpose for which the personal data was collected,” the ministry’s memo said.

The draft proposes fines of up to $30.6 million for businesses that fail to provide “reasonable security safeguards to prevent personal data breaches.” He will also be fined $24.5 million if the company fails to notify local authorities and users of the failure to disclose a personal data breach.

The previously proposed rule was touted as helping to protect citizens’ personal data by classifying it into various segments based on its nature, such as confidential or sensitive. However, according to the draft, the new version doesn’t separate the data itself.

Similar to Europe’s GDPR and US’s CCPA (California Consumer Privacy Act), India’s proposed Digital Personal Data Protection Bill of 2022 would require businesses operating in the country to protect the data of Indian citizens. Applies to all entities you process.

The proposed rule, which is expected to be debated in parliament after undergoing public consultation, would not bring changes to select a domestically controversial law drafted more than a decade ago. Will. However, New Delhi is working to update its 20-year-old IT law and is set to debut as the Digital India Act. India’s IT Minister Rajeev Chandrasekhar told TechCrunch in a recent interview:

In August, the Indian government withdrew the previous Personal Data Protection Bill announced in 2019 after much expectation and judicial pressure. At the time, India’s IT Minister Ashwini Vaishnaw said the repeal was considered “to introduce a new bill that fits the comprehensive legal framework”.

Meta, Google and Amazon are among the companies that have expressed concerns about some of the Joint Congressional Committee’s recommendations on the proposed legislation.

The move to introduce data protection laws was sparked by the 2017 declaration by the Supreme Court of India that privacy is a fundamental right. Access citizen data.

During one of the sessions during the G-20 summit in Bali earlier this week, Prime Minister Narendra Modi spoke about the principles of “data for development” and suggested that the country should work with G-20 partners to achieve “digital transformation.” to the world,” he said. It will chair next year’s intergovernmental forum, which consists of 19 countries.

