India has proposed groundbreaking new rules that would require companies to garner consent from citizens in the country before collecting and processing their personal data. But at the same time, the new rules also state that companies would have to hand over “non-personal” data of their users to the government, and New Delhi would also hold the power to collect any data of its citizens without consent to serve sovereignty and larger public interest.
The new rules, proposed in “Personal Data Protection Bill 2019,” a copy of which leaked on Tuesday, would permit New Delhi to “exempt any agency of government from application of Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order.”
If the bill passes — and it is expected to be discussed in the parliament in the coming weeks — select controversial laws drafted more than a decade ago would remain unchanged.
Another proposed rule would grant New Delhi the power to ask any “data fiduciary or data processor” to hand over “anonymized” “non-personal data” for the purpose of better governance, inform its policies and deliver services to citizens.
New Delhi’s new bill — which was passed by the Union Cabinet last week, but has yet to be formally shared with the public — could create new challenges for Google, Facebook, Twitter, ByteDance’s TikTok and other companies that are already facing some regulatory heat in the nation.
India conceptualized this bill two years ago and in the years since, it has undergone significant changes. An earlier draft of the bill that was formally made public last year had stated that the Indian government must not have the ability to collect or process personal data of its citizens, unless a lawful procedure was followed.
Ambiguity over who the Indian government considers an “intermediary” or a “social media” platform, or a “social media intermediary” are yet to be fully resolved, however. In the latest version, the bill appears to not include payment services, internet service providers, search engines, online encyclopedias, email services and online storage services as “social media intermediaries.”
One of the proposed rules, that is directly aimed at Facebook, Twitter, and any other social media company that enables “interaction between two or more users,” requires them to give their users an option to verify their identity and then publicly have such status displayed on their profile — similar to the blue tick that Facebook and Twitter reserve for celebrities and other accounts of public interest.
Last week news outlet Reuters reported portions of the bill, citing unnamed sources. The report claimed that India was proposing the voluntary identity-verification requirement to curb the spread of false information.
As social media companies grapple with the spread of false information, that have resulted in at least 30 deaths in India, the Narendra Modi-led government, which itself is a big consumer of social media platforms, has sought to take measures to address several issues.
Over the last two years, the Indian government has asked WhatsApp, which has amassed more than 400 million users in India, to “bring traceability” to its platform in a move that would allow the authority to identify the people who are spreading the information.
WhatsApp has insisted that any such move would require breaking encryption, which would compromise the privacy and security of more than a billion people globally.
The bill has not specifically cited government’s desires to contain false information for this proposal, however. Instead the bill insists that this would bring more “transparency and accountability.”
Some critics have expressed concerns over the proposed rules. Udbhav Tiwari, a public policy advisor at Mozilla, said New Delhi’s bill would “represent new, significant threats to Indians’ privacy. If Indians are to be truly protected, it is urgent that parliament reviews and addresses these dangerous provisions before they become law.”