India passed a data protection bill on Wednesday aimed at how technology companies handle user data. This move comes amidst mounting concerns over surveillance and data privacy, introducing a framework to balance individual privacy rights with national security imperatives.
The new law allows companies to transfer user data internationally, but also grants the government authority to request information and issue directives based on guidance from a federal data protection board. However, concerns and criticism have arisen, with some fearing increased government surveillance.
The legislation represents a significant departure from a 2019 privacy bill, which garnered attention due to its stringent cross-border data flow restrictions, sparking concerns among tech giants like Facebook and Google. The bill introduces substantial penalties for non-compliance, underscoring the seriousness with which the government views data protection violations. Violators could face penalties of up to 2.5 billion rupees (approximately S$40.6 million).
What you need to know
The bill aims to replace existing data protection laws, largely enforced via Section 43A of the Information Technology Act, 2000. The Data Protection Bill provides a shield for digital personal data, safeguarding information that can identify individuals.
It covers the responsibilities of Data Fiduciaries—individuals, companies, and government bodies that process data—spanning data collection, storage, and related operations. It also outlines the rights and obligations of Data Principals, the individuals to whom the data pertains.
The Bill seeks to achieve data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data; enhance the Ease of Living and the Ease of Doing Business; and enable India’s digital economy and its innovation ecosystem, a government release stated.
Principles of the Bill
The Bill's foundation rests on key principles: requiring consent for data use, limiting data to its intended purpose, collecting only necessary information, ensuring data accuracy, storing data for as long as needed, prioritizing security, and enforcing accountability through penalties for breaches.
The Bill grants individuals rights including access to processed personal data, correction and erasure of data, grievance redressal, and the ability to nominate a representative to exercise rights in case of death or incapacity.
Obligations on the data fiduciary
Data fiduciaries must safeguard personal data, notify affected individuals and the Data Protection Board of breaches, delete data when no longer needed or upon consent withdrawal, establish a grievance system, and fulfill extra duties for Significant Data Fiduciaries, such as appointing a data auditor and conducting regular Data Protection Impact Assessments.
The Bill outlines exemptions, including those for security, research, startups, legal rights enforcement, judicial or regulatory tasks, preventing, detecting, or prosecuting offenses, processing non-resident data under foreign contracts, approved mergers or demergers, and locating defaulters and their financial assets.