India approves new privacy law, but is it really a win for citizens?

Critics deem it a “win-win, but only for government and big tech.”

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

In a landmark decision, the Indian parliament approved its first-ever privacy law on August 9, 2023. However, many haven’t welcomed the event as a real victory.

The government was accused of rushing a new version of the law through Parliament despite fierce opposition. Privacy experts also fear the new provisions will lead to increased government surveillance instead while favoring Big Tech operations along the way.

Social societies and tech companies have long been calling out what’s deemed as India’s digital authoritarianism. Last year, for example, another legislation provoked an exodus ofVPN serviceproviders refusing to comply with its invasive user data retention rules. So, how does India’s Digital Personal Data Protection (DPDP) Act intend to protect citizens' privacy?

What is India’s Digital Personal Data Protection Act?

India’sDigital Personal Data Protection (DPDP) Actis the first law of this kind for the country. Echoing the efforts of other nations worldwide, it aims to regulate citizens' rights and business obligations when it comes to dealing with people’s digitaldata privacy.

Six years in the making and three versions of the bill later, the DPDB now grants citizens the right to correct or erase their personal data. It allows companies to transfer users' data beyond the country’s border unless explicitly restricted by the government. Most importantly, it prohibits organizations from processing children’s information without parental consent.

DPDP Bill becomes an Act. Received Hon’ble President’s assent. pic.twitter.com/tl0s9OtakhAugust 12, 2023

The government gets a new set of powers, too, for requesting firms to disclose information as well as issuing content-blocking orders. Penalties for violations or non-compliance are set to up to 2.5 billion rupees ($30 million).

Opposition members were still very critical of the last version of the bill, though. They raised privacy concerns, called for further scrutiny, and even staged a walkout from parliament on voting day to protest the 100 days ofinternet shutdowncurrently keeping people across the Manipur region in the dark—Outlook India reported.

Get the best Black Friday deals direct to your inbox, plus news, reviews, and more.

Sign up to be the first to know about unmissable Black Friday deals on top tech, plus get all your favorite TechRadar content.

The government decided to push the vote nonetheless through parliament, which finally passed the bill in both chambers. It then received the final approval from President Narendra Modi, officially becoming the Act on August 11.

The good

India’s DPDP Act means that for the first timepersonal data privacyisn’t just a recognized human right, but it’s alsoprotected by a legal framework.

Similarly to theGDPR, the new legislation obliges data collectors toinform users of the purposefor collecting and processing their personal data upon their consent and requires businesses todelete the informationonce it no longer fulfills its original purpose. It also establishes a Data Protection Board (DPB) toinvestigate data breaches and complaintsagainst companies.

Harry Maugans, Founder and CEO of external data privacy providerPrivacy Bee, sees the law as a win for data privacy rights. He told TechRadar: “The bill is a big step in the right direction for India and continues the positive trend of more countries adopting guidelines similar to the industry-leading GDPR and US-based regulations.”

Yet, “there’s still more work to be done and consumers must take control of their own data protection in the meantime,” he added. The onus to find, review, and request the removal of personal data from websites and company databases is still on the individual, in fact.

Maugans and other experts also praise how the Act seeks toprotect the most vulnerable users, including children and people with disabilities. Companies must get parental or lawful guardian consent prior to collecting or processing any of their data.

Despite the importance of these additional obligations, some commentators are worried that the vagueness of provisions may make its implementation difficult eventually.

“How are you even going to identify somebody who is disabled on a digital platform? And also, you haven’t defined what disability means within the bill,” commented Kamesh Shekar, a tech policy expert at Delhi-based think tank The Dialogue, to theTech Policy Press.

The bad

“This bill is very pro-citizen and pro-privacy,” were the words IT Minister Ashwini Vaishnaw used to comment on the new law—TechCrunch reported.

Yet, according to Asia Pacific Policy Director at Access Now Raman Jit Singh Chima, itrather representsa “win-win, but only for government and big tech.”

Looking at the preamble of the Act (see image below), it looks clear the direction the DPDP has taken. Where the GDPR takes a more data protection approach, “my assessment of this is that it takes a moredata processing approach,” explained Prateek Waghre, Policy Director at the digital rights advocacy group the Internet Freedom Foundation, at Tech Policy Press.

Commentators are also worried about the new sweeping powers that the DPDP grants to New Dehli. They especially lament alack of safeguardsto prevent over-board surveillance, greaterpowers to exempt state agenciesfrom following its provisions, andscarce independence of the Data Protection Board.

These concerns add togreater censorship powerswith little public oversight in a country like India, infamous forblocking contentcritical against political rulers across social media platforms and beyond. Even worse, India ranked second, only after Iran, as thebiggest perpetrator of internet shutdownsin 2023 so far—a practice that violates citizens human rights and cripples economies.

“The passage of India’s Data Protection Bill in its current form is a missed opportunity. It’s a bad law,“said Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now.

EGI is deeply concerned about Digital Personal Data Protection Bill, 2023, as it carries provisions that can have adverse impact on press freedom. Urges @loksabhaspeaker to refer bill to Parliamentary Committee. @narendramodi @GoI_MeitY @AshwiniVaishnaw pic.twitter.com/2wwxuVbaBIAugust 6, 2023

Privacy experts aren’t the only ones who fear that the new law could limit citizens' freedoms. A set of provisions are actually thought to endanger India’s independent and free press.

Specifically, Clause 36 grants the government thepower to call for personal information about citizens, including journalists. Clause 37(1)(b) allows New Delhi toblock public access to content shared by a journalist or news organizationpreviously found guilty of violating any provisions as a “data fiduciary.” This term describes any entity processing personal data.

Even more worryingly, the Actundermines the Right to Information Act—a tool that the press has been widely using for pursuing important investigations over recent years. Access to all personal information can now be denied under the new law, in fact, without any exemptions for journalists or media outlets.

“We are deeply concerned about the lack of exemptions for journalists from certain obligations of the law, where the reporting on certain entities in the public interest may conflict with their right to personal data protection,” wrote the non-profit group Editors Guild of India in anofficial statement, warning that all this “will lead to a chilling effect on journalistic activity in the country.”

What’s next?

As digital economies keep shaping business operations and citizens' privacy, India’s DPDP Act is a welcomed attempt to put a legal framework around issues regarding data protection and processing practices.

Yet, it looks as if the government not only missed an opportunity to fix problems with existing privacy laws, but it also enforced a law that risks being misused at the detriment of people’s rights. Now, it just remains to see how these provisions will eventually be implemented.

On this point, experts at Access Now said: “To preserve the rights of people across India, and in countries that share their data with India, the government must ensure that all rules made under the Bill are passed after meaningful stakeholder consultation, and debated in both houses of parliament.”

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up.She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com

Undermining your privacy? Session says no and leaves Australia

Are online dating and data privacy an incompatible match?

Quordle today – hints and answers for Saturday, November 9 (game #1020)