India proposes easier cross-border data transfers under new privacy law

By Munsif Vengattil and Aditya Kalra

11:33 JST, November 19, 2022

NEW DELHI (Reuters) – India on Friday proposed a new data privacy law that will allow companies to transfer some users’ data abroad, while giving the federal government powers to exempt state agencies from the law in the interests of national security.

The proposed law would be the latest regulation that could impact how tech giants such as Facebook and Google process and transfer data in India’s fast-growing digital market. It comes after India in August withdrew a 2019 privacy bill that had alarmed companies by proposing stringent restrictions on cross-border data flows.

Prime Minister Narendra Modi’s government has been tightening regulation for the sector, which executives say has increased the compliance burden for companies, and soured trade ties with the United States.

India has defended stricter regulations citing the need to safeguard users’ interests in a country that has more than 760 million internet users.

The latest privacy bill, however, relaxed certain stringent norms on cross-border transfers proposed earlier, with the government saying it could specify countries to which entities managing data can transfer personal data of users.

Supratim Chakraborty, a partner specializing in data privacy at law firm Khaitan & Co, said the proposal would bring relief for big technology companies that need to transfer user data abroad where they maintain their servers.

“It will be a relief as there will be a certain list of whitelisted countries. So if United States is one of them, it will ease a lot of stress for big companies as they could transfer user data there,” Chakraborty said.

The new bill also proposes financial penalties of up to 2.5 billion rupees ($30 million) if someone is found breaching the provisions of the law.

The federal government would have powers to exempt state agencies from provisions of the bill “in the interests of sovereignty and integrity of India” and to maintain public order, said the draft proposal, which is open for public consultation until Dec. 17.

Indian privacy advocates had said such provisions could allow the government to abuse access. In its statement on Friday, the government said it acknowledged that “national and public interest is at times greater than the interest of an individual”.

India considered global best practices and reviewed data legislation in Singapore, Australia, and European Union, while making the new proposal, it said.

A version of the previous bill had also introduced a provision empowering the government to ask a company to provide anonymised personal data and non-personal data to help target the delivery of government services or formulate policies.

That provision does not exist in the new bill, which Salman Waris, a managing partner at law firm TechLegis said “will be a relief to companies and the wider technology industry that had pushed back against the provision”.