India is poised to enact a controversial and long-delayed personal data protection bill, legislation demanded by business and civil society groups that is set to regulate the internet and the sharing of online data in the world’s most populous country.
Parliament’s upper house on Wednesday evening passed the bill, which will take effect after being signed by President Droupadi Murmu “in coming days”, a senior government official told the Financial Times on Thursday.
Ashwini Vaishnaw, India’s minister of railways, electronics and information technology, said the bill would balance protecting user data with keeping the internet open. “It basically strikes that fine balance,” he said.
With almost 1bn people connected to the internet, India has pioneered one of the world’s largest digitisation drives, capturing citizens’ personal information through its Aadhaar ID system and building out an extensive network of digital infrastructure known as the India Stack.
However, it has lacked a law governing the sharing of data by companies, government agencies and others. Human rights groups said this left information open to misuse and businesses complained it made their position vulnerable.
Vaishnaw said the new law differed from the EU’s General Data Protection Regulation “because it is not prescriptive”.
The law encompasses the “well-established principles” of data protection, Vaishnaw said, including limits on the purpose for which data can be collected and how long it can be stored, while taking a more “flexible” approach than in the EU.
India has suffered a number of high-profile breaches in recent years, most recently in June when researchers said sensitive data was leaked from government-linked vaccination databases. The government denied there had been a breach.
The data protection law has been years in the making, gathering momentum after the Supreme Court ruled in 2017 that Indians had a fundamental right to privacy. Multiple versions of the bill were floated and subsequently revised after backlash from business groups, civil society advocates and opposition politicians.
The latest draft was ultimately adopted with minimal resistance, passing the upper house by a voice vote after opposition politicians — who wanted the bill sent to committee for further review — walked out of the chamber.
The latest version addressed some business concerns, including loosening restrictions on companies’ ability to transfer data overseas.
“It’s much more business-friendly and, I feel, much more practical,” said Arun Prabhu, a Bengaluru-based partner and head of technology and telecom with law firm Cyril Amarchand Mangaldas.
The law also mandates the creation of a government-controlled data protection board responsible for tracking compliance.
However, the law remains a source of concern to civil society activists, who say exemptions for the government from data protections amount to a green light for state surveillance.
One provision allows the government to bypass aspects of the bill on broad grounds relating to the “sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order”.
“The government is one of the largest collectors of personal information in the world. They’re now through this legislation giving themselves carte blanche,” said Salman Waris, managing partner at Delhi-based law firm TechLegis. “It’s saying this act is only going to be applicable to private companies and individuals, which defeats the purpose of the act itself.”
Vaishnaw, the IT minister, defended the bill. “All the experts are very clear that there is no exception given which is outside the constitution,” he said, adding that the law had only four exemptions, compared with 16 under the EU’s GDPR.