India proposes permitting cross-border data transfers with certain countries in new privacy bill

India has proposed a new comprehensive data privacy law that will mandate how companies handle data of its citizens, including permitting cross-border transfer of information with certain nations, three months after it abruptly withdrew the previous proposal following scrutiny and concerns from privacy advocates and tech giants.

The nation's IT ministry published a draft of the proposed rules (PDF), called the Digital Personal Data Protection Bill 2022, on Friday for public consultation. It will hear views from the public until December 17.

"The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto," the draft says.

The draft permits cross-border interactions of data with "certain notified countries and territories," in a move that is seen as a win for tech companies.

"The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified," the draft says, without naming the countries.

Asia Internet Coalition, a lobby group that represents Meta, Google, Amazon and many other tech firms, had requested New Delhi to permit cross-border transfer of data. "Cross-border transfer decisions should be free from executive or political interference, and should ideally be minimally regulated," they wrote in a letter to the IT ministry earlier this year.

"Placing restrictions on cross-border data flows is likely to result in higher business failure rates, introduce barriers for start-ups, and lead to more expensive product offerings from existing market players. Ultimately, the above mandates will affect digital inclusion and the ability of Indian consumers to access a truly global internet and quality of services," the group had said.

The proposal also seeks to give New Delhi (the federal government) the powers to exempt state governments from the law in the interest of national security.

The draft also proposes that companies only use the data they have collected on users for the purpose they obtained them originally. It also seeks accountability from the firms that they ensure that they are processing the personal data for the users for the precise purpose they collected it.

It also asks that companies do not store the data perpetually by default. "The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected," a note from the ministry said.

The draft proposes a penalty of up to $30.6 million in the event a firm fails to provide "reasonable security safeguards to prevent personal data breach." There's another $24.5 million fine if the firm fails to notify the local authority and users for failure to disclose personal data breach.

The earlier proposed rules were touted to help protect the citizens' personal data by categorizing it into different segments based on their nature, such as sensitive or critical. However, the new version does not segregate data as such, according to the draft.

Similar to Europe's GDPR and the CCPA (California Consumer Privacy Act) in the U.S., India's proposed Digital Personal Data Protection Bill 2022 will apply to businesses operating in the country and to any entities processing the data of Indian citizens.

Public policy experts have lauded the government's move to shrink the proposal from its previous versions — from over 90 clauses to 30. However, they believe that cutting down its text would bring some ambiguity.

Kazim Rizvi, a digital policy advocate and founding director of New Delhi-based tech-policy think-tank The Dialogue, told TechCrunch that removing provisions related to striking a memorandum of understanding across regulators for establishing inter-regulatory coordination and omitting the sandbox mechanism to test innovation are some concerning areas.

"Given that the bill will prevail over other existing and proposed laws in case of inconsistency, this jurisdictional precedence is easier said than implemented in the Indian regulatory landscape. Therefore, there is a need for a more structured approach toward harmonizing the existing and proposed allied laws, like a cross-reference system where sectoral or domain-specific regulators could work with the Digital Protection Act to create regulations," he said.

The proposed rules, which are expected to be discussed in the parliament after receiving public consultation, would not bring any changes to select controversial laws in the country that were drafted more than a decade ago. New Delhi is, though, working on updating its two-decade-old IT law that would debut as the Digital India Act. It will segregate intermediaries and come as the endgame, India's minister of state for IT Rajeev Chandrasekhar told TechCrunch in a recent interview.

In August, the Indian government withdrew its earlier Personal Data Protection Bill that was unveiled in 2019 after much anticipation and judicial pressure. At the time, India's IT Minister Ashwini Vaishnaw said that the withdrawal was considered to "present a new bill that fits into the comprehensive legal framework."

Meta, Google and Amazon were some of the companies that had expressed concerns about some of the recommendations by the joint parliamentary committee on the proposed bill.

The move to bring a data protection law came privacy was declared as a fundamental right by the Supreme Court of India in 2017. However, the country faced strong criticism over its earlier data protection bills due to their intrinsic nature of granting government agencies the power to access citizens' data.

At one of the sessions during the G-20 Summit in Bali earlier this week, Prime Minister Narendra Modi talked about the principle of "Data for development" and said that the country would work with G-20 partners to bring "digital transformation in the life of every human being" during its next year's presidency for the 19 countries comprising intergovernmental forum.