India on Friday proposed a new data privacy law that will allow companies to transfer certain users’ data overseas while allowing the federal government to exempt state agencies from the law in the interest of national security.
The proposed law would be the latest regulation that could impact how tech giants such as Facebook and Google process and transfer data in India’s growing digital market. It comes after India withdrew a 2019 privacy bill in August that alarmed companies by proposing harsh restrictions on cross-border data flows.
Prime Minister Narendra Modi’s government has tightened regulations in the sector, which executives say has increased the compliance burden on businesses and soured trade ties with the United States.
India has defended stricter regulations, citing the need to protect users’ interests in a country with more than 760 million internet users.
The latest privacy bill, however, has relaxed some tough standards on cross-border transfers proposed earlier, with the government saying it could specify the countries to which data-handling entities can transfer users’ data.
Supratim Chakraborty, a data privacy partner at law firm Khaitan & Co, said the proposal would relieve big tech companies that need to transfer user data overseas, where they maintain their servers.
“It will be a relief because there will be a certain list of countries on the whitelist. So if the United States is among them, it will relieve a lot of stress for large companies because they could transfer user data there”, Chakraborty said.
The new bill also proposes financial penalties of up to 2.5 billion rupees ($30 million) if someone is found guilty of violating the provisions of the law.
The federal government would have the power to exempt state agencies from the provisions of the bill ‘in the interests of the sovereignty and integrity of India’ and to maintain public order, the draft says. the proposal, which is open for public consultation until 17 December.
Indian privacy advocates had said such provisions could allow the government to abuse access. In its statement on Friday, the government said it recognized that “the national and public interest sometimes outweighs an individual’s interest”.
India considered global best practices and reviewed data legislation in Singapore, Australia and the European Union while drafting the new proposal.
A version of the previous bill also introduced a provision empowering the government to ask a company to provide anonymized personal data and non-personal data to help target the delivery of government services or formulate policies.
This provision does not exist in the new bill, which, according to Salman Waris, managing partner of law firm TechLegis, “will be a relief to businesses and the wider tech industry that had pushed back against the provision.”