But critics condemn sweeping government exemptions

A second draft of India's Personal Data Protection (PDPA) Act was approved in December 2019

India’s answer to GDPR, the EU’s data protection law, has achieved quite a feat: drawing the ire of both Big Tech and privacy advocates.

A second draft of the Personal Data Protection (PDPA) Act (PDF), approved by Narendra Modi’s government on December 4, has retained data localization provisions that critics feel over zealously protect personal data.

In its latest version, the PDPA, which will govern how personal information is handled by business and government bodies within India, highlights, in particular, how technology companies must manage the data of Indian citizens.

The bill, while requiring sensitive data to remain on servers within India’s territory, at the same time permits non-sensitive data to be stored outside of the country. The scope of sensitive, or critical data – that which is to be stored locally – is defined by the Indian government.

Trade groups, including the US-India Business Council (USIBC) and US-India Strategic Partnership Forum, have balked at such barriers to operating in a country of 200 million internet users and an IT sector with an annual growth rate of 7.2%.

They have argued that complying with such measures would be too costly, and expressed concerns about the potential impact on India’s burgeoning digital economy.

Ajaypal Banga, the president and CEO of Mastercard, another major operator in the South Asian nation, has been one to voice criticism to the data localization efforts of the Indian government in an investor call last November.

“When we talk about our lack of support for data localization, it’s not caused so much by expenses,” Bloomberg  reports Banga as saying.

“It’s caused by the inefficiency of what that does to the ability to provide safety, security, and analytics to India’s banks and merchants.”

But government officials in India have reportedly cited the Pegasus breach, in which hackers installed spyware on phones via a WhatsApp vulnerability, as exemplifying the need for its data localization rules in the name of consumer privacy.

Free rein for snooping

Electronic data protection in India is currently governed by the Indian Penal Code, the Information Technology Act 2000, and the Information Technology Rules (PDF), first introduced in 2011.

The PDPA emerged from a Supreme Court ruling in 2017 that found privacy to be a fundamental right, and the new changes replace an initial draft produced in 2018.

Justice Srikrishna, architect of the bill’s first draft, told Livemint.com that the Data Protection Authority (DPA), the regulator created by the PDPA, “is dominated by the government” – the bill allows government agencies to obtain access to user data from companies under national security grounds.

Read the latest GDPR and data breach news

Srikrishna also observed “an attempt” by the government in the PDPA’s second draft “to control social media by reserving a right of access without consent of non-personal data or anonymized data” – justified by the government on the basis of improving policymaking and public services.

According to Prashant Mali, president of Mumbai-based Cyber Law Consulting, India is starting from scratch culturally, as well as legislatively, when it comes to data protection, currently boasting one of the laxest data protection regimes among the world’s major economies.

The PDPA will be introduced into a society where privacy is less prized than Europe, he told The Daily Swig.

“The culture has to evolve, whereas in EU, they are attuned to privacy culturally,” he said.

Divergence from GDPR

Despite warnings of government mission creep, the PDPA aims to provide consumers with new privacy rights pertaining to data collection, which require a user to consent to their information being collected and shared.

The data protection legislation has taken on a similar framework to GDPR, the EU’s General Data Protection Regulation, with financial penalties issued to companies for non-compliance.

A minor violation of the law, or data breach offense, can result in a fine of 2% of a company’s global annual turnover. The penalty can reach 4% when a major violation occurs.

But Mali notes a key difference between the two pieces of legislation.

“I would say GDPR is a civil remedy to a civil harm,” he said, adding how the PDPA also entails criminal liabilities and potential jail time for company directors.

India is currently being convulsed by sometimes violent protests provoked by another controversial law.

Passed by Modi’s government in December, the Citizenship Amendment Act would make it easier for non-Muslim minorities from neighboring countries to secure Indian citizenship, but critics claim the law would lead to discrimination against Muslims living in India.

The PDPA is expected to pass when parliament reconvenes in February.

Additional reporting by Catherine Chapman.

RELATED To regulate content, India takes an axe to consumer privacy