India withdraws data protection and privacy bill

India’s government has withdrawn a data protection and privacy bill which was first proposed in 2019 and had alarmed big technology companies such as Facebook and Google, announcing it was working on a new comprehensive law.

The 2019 law had proposed stringent regulations on cross-border data flows and proposed giving the Indian government powers to seek user data from companies, seen as part of Prime Minister Narendra Modi’s stricter regulation of tech giants.

A government notice on Wednesday said the decision came as a parliamentary panel’s review of the 2019 bill suggested many amendments, leading to the need for a new “comprehensive legal framework”. The government will now “present a new bill”, the notice added.

IT minister Ashwini Vaishnaw told Reuters the government has started drafting the new bill, “which is in good advanced stages”, with a public release “very close”.

The government aims to get the new bill approved and made into law by early 2023 in the parliament’s budget session which typically runs January-February, he said.

The 2019 privacy bill was designed to protect Indian citizens and establish a so-called data protection authority, but it had raised concerns among Big Tech giants that it could increase their compliance burden and data storage requirements.

“It is good that there will be a redraft from scratch,” said Prasanto Roy, a New Delhi-based consultant who closely tracks India’s technology policy.

“However, India still has no privacy law in sight. That’s leaving data regulation open to a wide variety of sectoral regulations, something a common privacy law could have harmonised.”

Asked about consultation with stakeholders on the new bill, Vaishnaw said the process “won’t be that long” because the parliamentary panel that reviewed the old bill had already gathered industry feedback.

Data misuse concerns

India says such regulations are needed to safeguard the data and privacy of citizens. Politicians have said that concerns about the misuse of sensitive personal data have risen exponentially in India.

Companies including Facebook, Twitter and Google have for years been concerned with many other separate regulations India has proposed for the technology sector, often straining relations between New Delhi and Washington.

After India’s privacy law plan of 2019, it also floated new proposals to regulate “non-personal data”, a term for data viewed as a critical resource by companies that analyse it to build their businesses. The parliamentary panel had said such non-personal data should be included in the purview of the privacy bill.

The bill also exempted government agencies from the law “in the interest of sovereignty” of India, a provision privacy advocates at the time said would allow agencies to abuse access.

“There were multiple, large concerns earlier. One has to wait and watch whether the new bill is any better,” said Apar Gupta, the executive director at advocacy Internet Freedom Foundation.

Privacy, declared a fundamental right by India’s top court, is a thorny issue in the world’s biggest democracy, which has seen explosive digital growth, thanks to cheap smartphones and mobile data.