In a landmark decision, the Indian parliament approved its first-ever privacy law on August 9, 2023. However, many haven't welcomed the event as a real victory.
The government was accused of rushing a new version of the law through Parliament despite fierce opposition. Privacy experts also fear the new provisions will lead to increased government surveillance instead while favoring Big Tech operations along the way.
Social societies and tech companies have long been calling out what's deemed as India's digital authoritarianism. Last year, for example, another legislation provoked an exodus of VPN service providers refusing to comply with its invasive user data retention rules. So, how does India's Digital Personal Data Protection (DPDP) Act intend to protect citizens' privacy?
What is India's Digital Personal Data Protection Act?
India's Digital Personal Data Protection (DPDP) Act is the first law of this kind for the country. Echoing the efforts of other nations worldwide, it aims to regulate citizens' rights and business obligations when it comes to dealing with people's digital data privacy.
Six years in the making and three versions of the bill later, the DPDB now grants citizens the right to correct or erase their personal data. It allows companies to transfer users' data beyond the country's border unless explicitly restricted by the government. Most importantly, it prohibits organizations from processing children's information without parental consent.
DPDP Bill becomes an Act. Received Hon'ble President's assent. pic.twitter.com/tl0s9OtakhAugust 12, 2023
The government gets a new set of powers, too, for requesting firms to disclose information as well as issuing content-blocking orders. Penalties for violations or non-compliance are set to up to 2.5 billion rupees ($30 million).
Opposition members were still very critical of the last version of the bill, though. They raised privacy concerns, called for further scrutiny, and even staged a walkout from parliament on voting day to protest the 100 days of internet shutdown currently keeping people across the Manipur region in the dark—Outlook India reported.
The government decided to push the vote nonetheless through parliament, which finally passed the bill in both chambers. It then received the final approval from President Narendra Modi, officially becoming the Act on August 11.
The good
India's DPDP Act means that for the first time personal data privacy isn't just a recognized human right, but it's also protected by a legal framework.
Similarly to the GDPR, the new legislation obliges data collectors to inform users of the purpose for collecting and processing their personal data upon their consent and requires businesses to delete the information once it no longer fulfills its original purpose. It also establishes a Data Protection Board (DPB) to investigate data breaches and complaints against companies.
Harry Maugans, Founder and CEO of external data privacy provider Privacy Bee, sees the law as a win for data privacy rights. He told TechRadar: "The bill is a big step in the right direction for India and continues the positive trend of more countries adopting guidelines similar to the industry-leading GDPR and US-based regulations."
Yet, "there's still more work to be done and consumers must take control of their own data protection in the meantime," he added. The onus to find, review, and request the removal of personal data from websites and company databases is still on the individual, in fact.
Maugans and other experts also praise how the Act seeks to protect the most vulnerable users, including children and people with disabilities. Companies must get parental or lawful guardian consent prior to collecting or processing any of their data.
Despite the importance of these additional obligations, some commentators are worried that the vagueness of provisions may make its implementation difficult eventually.
"How are you even going to identify somebody who is disabled on a digital platform? And also, you haven’t defined what disability means within the bill," commented Kamesh Shekar, a tech policy expert at Delhi-based think tank The Dialogue, to the Tech Policy Press.
The bad
"This bill is very pro-citizen and pro-privacy," were the words IT Minister Ashwini Vaishnaw used to comment on the new law—TechCrunch reported.
Yet, according to Asia Pacific Policy Director at Access Now Raman Jit Singh Chima, it rather represents a "win-win, but only for government and big tech."
Looking at the preamble of the Act (see image below), it looks clear the direction the DPDP has taken. Where the GDPR takes a more data protection approach, "my assessment of this is that it takes a more data processing approach," explained Prateek Waghre, Policy Director at the digital rights advocacy group the Internet Freedom Foundation, at Tech Policy Press.
Commentators are also worried about the new sweeping powers that the DPDP grants to New Dehli. They especially lament a lack of safeguards to prevent over-board surveillance, greater powers to exempt state agencies from following its provisions, and scarce independence of the Data Protection Board.
These concerns add to greater censorship powers with little public oversight in a country like India, infamous for blocking content critical against political rulers across social media platforms and beyond. Even worse, India ranked second, only after Iran, as the biggest perpetrator of internet shutdowns in 2023 so far—a practice that violates citizens human rights and cripples economies.
"The passage of India's Data Protection Bill in its current form is a missed opportunity. It’s a bad law," said Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now.
EGI is deeply concerned about Digital Personal Data Protection Bill, 2023, as it carries provisions that can have adverse impact on press freedom. Urges @loksabhaspeaker to refer bill to Parliamentary Committee. @narendramodi @GoI_MeitY @AshwiniVaishnaw pic.twitter.com/2wwxuVbaBIAugust 6, 2023
Privacy experts aren't the only ones who fear that the new law could limit citizens' freedoms. A set of provisions are actually thought to endanger India's independent and free press.
Specifically, Clause 36 grants the government the power to call for personal information about citizens, including journalists. Clause 37(1)(b) allows New Delhi to block public access to content shared by a journalist or news organization previously found guilty of violating any provisions as a "data fiduciary." This term describes any entity processing personal data.
Even more worryingly, the Act undermines the Right to Information Act—a tool that the press has been widely using for pursuing important investigations over recent years. Access to all personal information can now be denied under the new law, in fact, without any exemptions for journalists or media outlets.
"We are deeply concerned about the lack of exemptions for journalists from certain obligations of the law, where the reporting on certain entities in the public interest may conflict with their right to personal data protection," wrote the non-profit group Editors Guild of India in an official statement, warning that all this "will lead to a chilling effect on journalistic activity in the country."
What's next?
As digital economies keep shaping business operations and citizens' privacy, India's DPDP Act is a welcomed attempt to put a legal framework around issues regarding data protection and processing practices.
Yet, it looks as if the government not only missed an opportunity to fix problems with existing privacy laws, but it also enforced a law that risks being misused at the detriment of people's rights. Now, it just remains to see how these provisions will eventually be implemented.
On this point, experts at Access Now said: "To preserve the rights of people across India, and in countries that share their data with India, the government must ensure that all rules made under the Bill are passed after meaningful stakeholder consultation, and debated in both houses of parliament."