There isn’t much the Indian government and Meta Platforms see eye to eye on. And yet earlier this week, the US social-media giant’s president of global affairs called a reworked draft of the country’s data-protection bill a promising turn of events.
The fourth iteration of the long-pending privacy bill, released for public consultation in November, solves some big problems: Previously mooted versions had alarmed tech companies by proposing to treat social-media platforms as publishers, regulate the use of non-personal information such as traffic data, and bar companies from processing critical personal data outside India.
New Delhi understandably wants to encourage India’s burgeoning digital economy. Isolating itself with provisions that unduly restrict cross-border data flows and boost compliance costs would have been counterproductive.
The new version also weakens consent standards, removes a criminal liability clause and caps monetary fines. It bears little similarity to the European Union’s General Data Protection Regulation, or GDPR, which sets a high bar for the collection and use of personal information.
Nevertheless, tech companies should probably be more worried than they seem to be about the draft law. It explicitly gives the government the power to exempt its agencies from the law’s privacy provisions in the name of national security, for the maintenance of public order, and for other reasons. It also contains language on “deemed consent,” stipulating that individuals are presumed to have given consent to use their data “for the performance of any function under any law”—an eerie echo of China’s internet, where users routinely assume internet traffic isn’t t secure from state surveillance.
US tech companies are already under fire at home and abroad over data breaches, sometimes-intrusive data collection, and the spread of misinformation. India’s new law could turn into a public-relations headache if the government uses it, for example, to help justify suppressing or tracking political opponents or critical voices.
The original draft bill in 2018 had stronger guardrails around data processing in the service of national security. It explicitly stated, for example, that such processing should be necessary and proportionate to the interest being achieved: harking back to the Indian Supreme Court’s landmark privacy judgment in 2017.
It is understandable that New Delhi does not want to emulate the stringent rules of the GDPR given the nascent stage of India’s digital economy and big hopes for its further growth. And looser rules on data localization are a significant boost for US tech companies. But in the long run this new draft, if enacted, could create some serious reputational and ethical dilemmas for them, too.
Write to Megha Mandavia at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
.