The Digital Personal Data Protection Bill was passed by India's lower house of parliament on 7 August. The move helped BigTech companies, as well as local companies looking to grow overseas, by easing norms on data storage, processing, and transfer. However, the Bill has been criticised, with many believing it grants the Narendra Modi-led government significant discretionary powers.
Under the Bill, it is mandatory for companies that collect user data to obtain the explicit consent of the user before processing. However, it includes an exemption for 'certain legitimate purposes'. It allows platforms to process personal user data without the consent of their users if the data is provided voluntarily in certain situations, such as sharing payment receipts with users or providing public services.
The Bill also allows the Indian government to waive the compliance requirements for specific data trustees, such as start-ups if needed. It also enables the government to set up a data protection authority and appoint all its members. In addition, the Bill protects the Government of India and the Data Protection Commission from legal action.
The Bill also gives the government the power to manage digital personal data overseas and to decide which countries may not receive users' data as long as it is related to providing goods or services to Indian individuals.
The passing of the Digital Personal Data Protection Bill in India has various ramifications, including its effects on businesses, concerns about government control and discretion, the balance between data consent and exemptions, and the impact on international data transfer. It highlights the importance of finding a balance between data protection and facilitating business growth while ensuring government accountability and safeguarding users' privacy rights. The Bill's provisions may undergo further scrutiny and debate as it progresses through the legislative process.