
India: Data privacy rules in play under new draft bill

Murali Krishnan New Delhi
November 29, 2022

Critics say a draft of India's new data protection bill gives the government wide-ranging powers but guarantees few safeguards.

Since 2018, Indian lawmakers have gone through four drafts of a data bill, which has yet to be made law. Image: Alexander Limbach/Zoonar/picture alliance

The Indian government released a draft version of a much-awaited data protection regulation earlier this month. It is the fourth draft of the bill since it was first proposed in July 2018.

Regulations in the draft aim to form a comprehensive legal framework to regulate the online space, including legislation on data privacy, cybersecurity, telecom regulations and harnessing non-personal data to boost innovation.

Companies like Amazon and Meta will also be required to appoint data protection officers, who must be based in India.

The proposed legislation is called the Digital Personal Data Protection Bill (DPDP). It aims to secure personal data, while also guaranteeing user consent. The long-delayed bill needs the approval of parliament before becoming law.

However, it also gives the government broad powers to exempt any of its agencies from compliance. Various stakeholders have expressed concerns that unhindered government access to data can be abused, for example when law enforcement uses data to crack down on protests.

"There is power to exempt all government institutions from any or all provisions of the law. That is a clear invitation to the executive to act arbitrarily," former judge B. N. Srikrishna told DW.

Srikrishna, a former Indian Supreme Court justice who also spearheaded a committee that drafted the first 2018 version of the data protection bill, said the current draft was loaded in favor of the government.

"The so-called regulator will be a puppet of the government and will have no independence," Srikrishna said.

Companies like Meta will be required to have data officers based in India. Image: Jeff Chiu/AP Photo/picture alliance

Independent oversight in question

India's Data Protection Board (DPB) will be tasked with overseeing and ensuring compliance with the law.

Vrinda Bhandari, a lawyer working on digital rights and privacy issues, said the independence of the board could be a problem, as the government will set the rules and the composition of the DPB.

"The government handles vast amounts of our sensitive personal data daily. There must be an independent board," she told DW.

Government officials have said the new draft is aligned with the Indian Supreme Court's ruling on privacy as a fundamental right but within reasonable restrictions.

"There will be deliberations and the government welcomes stakeholders' views on the subject before it finalizes a bill that will be tabled in parliament. The government expects to complete the process over the next few months," a senior official told DW under condition of anonymity.

Protecting personal data

The current DPDP draft requires consent before collecting personal data. It also calls for stiff penalties on persons and companies that fail to prevent data breaches, including accidentally disclosing, sharing, altering or destroying personal data.

Anushka Jain, policy counsel of the Internet Freedom Foundation, told DW that the bill has "several provisions that raise concerns about its ability to satisfactorily protect user data."

"This includes reduced obligations under notice requirements, wide exemptions to state and private actors, questions about the independence of the DPB and duties and penalties being imposed on data principals," she said.

On cross-border transfer of data, the draft DPDP permits the storage and transfer of data in "trusted" jurisdictions, which are to be defined by the government.

It does, however, remove mandatory data localization rules, which would have forced storage of "critical" personal data solely in India.

"There are some positives that have emerged from the bill. The provisions requiring data localization have been done away with. Non-personal data is clearly outside the ambit of the law," added Bhandari.

India looks to global standards

The EU's landmark General Data Protection Regulation (GDPR) has substantially influenced legislation in nearly 160 countries. It is clearly focused on privacy and requires individuals to give explicit consent before their data can be processed.

The GDPR is a comprehensive data protection law covering the processing of personal data. It has been criticized for being excessively stringent and for imposing many obligations on organizations processing data, but it is the template for other data legislation drafted around the world.

"While we have not conducted an in-depth comparison of the bill with other global standards, one obvious difference is that it fails to comply with the principle of purpose limitation," said activist Jain, referring to a rule specifying that data collected for a specific purpose should not be used for another, incompatible purpose.

"It also fails to provide relevant information about sharing of the data with third parties," Jain added.


Edited by: Wesley Rahn 
