IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

India’s new data protection bill continues to “facilitate state surveillance”

Although data localisation requirements have now been removed, it’s down to the Indian government to select which countries data is allowed to be sent to

Fresh accusations have been made against the latest draft of India’s data protection bill, alleging that it continues to facilitate state surveillance.

India’s Internet Freedom Foundation (IFF), an Indian digital liberties organisation, said that the new draft retains the wide and vague exemptions that were present in previous interactions of the Bill - key clauses that would provide the government powers that could violate the privacy of its citizens.

Related Resource

Hybrid cloud for video surveillance

What it is and why you'll want one

Wasabi_Hybrid_Cloud_Video_Surveillance_WP_coverFree download

“This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse,” said the IFF. “If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance.”

The IFF said that it’s essential for government collection and processing of citizen data to be regulated as well, to avoid any misuse. 

Additionally, the data protection board (DPB), which is set to be formed through the Bill, will not have the independence needed to protect the data laws. This is because the government has the power to prescribe the composition of the board, the selection process, and remove its chair and other members.

The IFF said that this may result in the board reflecting the hierarchies of government, and since it’s meant to oversee the compliance of the legislation by the private sector as well as government agencies, it’s important for it to be fully independent.

The Indian government released the draft of its Digital Personal Data Protection Bill 2022 on 18 November and has made it available for public feedback until 17 December. This comes after it decided to withdraw the Bill’s predecessor in August 2022, the Personal Data Protection Bill that was first proposed in 2019, to develop a new law instead.

The IFF highlighted how the latest draft eliminated many of the clauses that were in the previous version of the Bill. It now contains around 30 clauses, reduced from more than 90 in previous versions.

The Indian government said this was to draft it in simple and plain language so that more people could understand its provisions. The IFF argued this has removed key information, adding that since the public consultation accompanying the Bill will not be disclosed it will also weaken public trust in the development of the Bill.

One of the biggest changes of the Bill is that it removes data localisation requirements, opening the path to cross-border data transfers. However, the IFF said that data fiduciaries, similar to data controllers under GDPR, are only able to transfer personal data to countries that the government selects, meaning that data transfer to any other country is not allowed. The clause also doesn’t define how the government should decide which countries can be chosen to allow data transfers to.

“This enables arbitrary exercise of power where countries may be selected or not selected based on considerations other than protection of personal data of Indians,” said the IFF. “This is in contrast with Articles 44 to 50 of the General Data Protection Regime which permits the transfer of personal data of Europeans only to such countries which provide a minimum level of protection to such data.”

The IFF also outlined some positive changes in the new Bill. Data fiduciaries are now forced to notify the DPB whenever they’ve suffered a breach, and then the DPB is able to tell the fiduciary to adopt urgent measures to remedy the personal data breach or mitigate any harm.

The digital liberties group said this was important as previous iterations of the Bill didn’t require fiduciaries to notify data principals in the event of a breach. Users wouldn’t have known that their data had been compromised because of this.

Additionally, more barriers have been introduced when it comes to processing children’s personal data. There are tighter restrictions around how entities carry out tracking or behavioural monitoring of children, including targeted advertising aimed directly at them.

Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download

Recommended

Embattled Medibank faces 48-hour outage as cyber security upgrade begins
ransomware

Embattled Medibank faces 48-hour outage as cyber security upgrade begins

9 Dec 2022
Australia aims to be most cyber-secure country by 2030
Policy & legislation

Australia aims to be most cyber-secure country by 2030

8 Dec 2022
Google unearths Internet Explorer zero day exploited by North Korean hackers
zero-day exploit

Google unearths Internet Explorer zero day exploited by North Korean hackers

8 Dec 2022
UK and Japan strike digital partnership to collaborate on IoT security, semiconductors
Policy & legislation

UK and Japan strike digital partnership to collaborate on IoT security, semiconductors

7 Dec 2022

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
Unpatched Exchange servers could be behind Rackspace's ransomware attack
zero-day exploit

Unpatched Exchange servers could be behind Rackspace's ransomware attack

7 Dec 2022
What we can learn from the supercomputer revolution
Sponsored

What we can learn from the supercomputer revolution

1 Dec 2022