The fourth and latest version of India’s proposed data protection bill appears to go much easier on global technology companies.
The much-awaited digital personal data protection bill (DPDP bill) 2022 introduced last week is now open to public comments.
It has relaxed the rules for cross-border data flow and toned down other clauses—mainly around data mirroring and localization—that had sparked an industry pushback against the bill’s previous version. The new draft also includes easier compliance rules.
“The new data privacy bill is going to help global tech firms in more than one way and will now provide them with an easy way of doing business in India,” said Nakul Vashishth, Chief Technology Officer at career-success platform LaunchMyCareer.
“The bill limits the territorial scope and makes the processing of personal data by businesses somewhat easy,” he told Quartz.
How the new draft DPDP bill will help tech firms
The earlier draft, which prime minister Narendra Modi’s government withdrew from parliament in August this year, prescribed partial and total data localization obligations with respect to “sensitive personal data” and “critical personal data.” There were none on “ordinary personal data.”
Companies such as Google, Twitter, and Amazon had raised objections to these provisions.
The new draft eases the free movement of data to trusted geographies. It also narrows down the law’s scope to only personal data protection, leaving out non-personal data or anonymized data. This provides huge relief to foreign businesses operating in India, making data processing a much easier affair for them.
Overall, the new draft proposes simplified and business-friendly procedures. This is in contrast to the data protection laws of China and the European Union which are deemed too stringent.
Possible red flags in India’s data protection bill draft Some experts, however, feel that the new draft has “watered down the objective of a data privacy and protection framework.”
The scope and applicability of the bill have been curtailed, suggested Abhishek Malhotra, managing partner at New-Delhi based-TMT Law Practice.
In many ways, according to him, the new provisions seem to focus less on entities dealing with personal data and what they actually do with it.
“The qualified title adding ‘Digital’ to the bill, does not add any value to the nature of the legislation but just seems to be one shot amongst a slew of ‘Digital India’ policies and legislations that the government intends to roll out,” Malhotra said.
The fact that India was the world’s fifth most data-breached country works against the new draft, too. Only yesterday (Nov. 23), a ransomware attack disrupted several patient care services at New Delhi’s All India Institute of Medical Sciences.
The new draft doesn’t provide for any criminal liabilities or penalties directly linked to the turnover or revenue of the erring entity that decides the “purpose and means of the processing of an individual’s personal data.”
Advocates of internet freedom in India, therefore, believe the country “deserves a better data protection law.”