After years without data protection regulations, India delivers two sentences • The Registry


The Indian government has released a barrage of announcements about data – where it should be stored, how it should be regulated and how it should be paid for.

The fun began late last week with the debut of the Personal Data Protection Act 2022 – a law replacing a 2019 law that proved so controversial that it was shelved before it came to a vote. This bill was prompted by a 2017 court ruling that found Indian citizens have a right to privacy.

The 2022 bill was largely well-received, if only because it is less obviously messy than the 2019 draft. However, the activist group Software Freedom Law Center of India (SFLC) criticized it for being “significantly less explicit in the harms it recognizes”. and therefore offer weak protection against surveillance.

The bill also leaves some important issues for the government to decide at a point of its choosing. For example, the bill mentions “data trustee” and “significant data trustee” without defining the two terms, but notes that each faces different penalties following a data or privacy breach. Politicians, it seems, will settle the differences if the bill becomes law.

The SFLC also notes that the explanatory memorandum includes the following seven privacy principles, but these are not included in the body of the law itself:

  1. Lawful, transparent and fair use of personal data by organizations.
  2. Purpose limitation – data is only used for the purpose for which it was originally collected.
  3. Data minimization – Only the data that is necessary is collected and no more.
  4. Accuracy of personal data – updated and accurate personal data is kept by organizations.
  5. Storage limitation – personal data is not stored beyond the period of time for which it is actually necessary.
  6. Security Precautions – Adequate security measures must be in place to prevent data breaches, unauthorized access, etc.
  7. Accountability measures – hold the data trustee accountable for the processing of the data.

The bill softens previous bans on cross-border data traffic and data sovereignty requirements – changes rumored to ensure Indian companies can fully participate in the global digital economy for the benefit of local people.

A Data Protection Board of India with the powers of a court will be created to enforce the bill, but this body is poorly defined. India’s IT Minister Rajeev Chandrasekhar has claimed it will be independent, but the bill says its members will be “public servants” and is silent on the qualifications needed for members.

To complicate matters further, the Indian Telecoms Regulatory Authority (TRAI) last week proposed the formation of a “Data Digitization and Monetization Council” that would define the ethical use of data by businesses and governments in India. The TRAI also wants India to create a framework for data sharing and consent management. The regulator has not explained how its proposed advice or framework would interact with the Personal Data Protection Act.

The suggestions of the TRAI resulted in a proposal [PDF] Encouraging the development of data centers, internet exchanges and content delivery networks in India. The proposal includes the idea of ​​subsidies to attract investment, as well as the creation of 33 “data center economic zones” where the availability of land and electricity make data center construction and operations worthwhile.

The proposal also suggests that India should define its own data center construction standards. Subsidies for the settlement of new submarine cable landing stations are also on the agenda.

It is unclear how TRAI intends to advance its proposals. The IT Department has solicited feedback on the bill but will not publish any comments it receives.

Delhi has also announced a framework to prevent the publication of fake product reviews. The framework is voluntary and strongly recommends that every online platform that publishes reviews implement a moderation system to stop counterfeiting. The Indian government has announced that the framework will become binding at a date to be determined.

All of this adds a lot of detail to three major technology policy announcements – a process that The registry not often observed in other jurisdictions. ®


Comments are closed.