India seeks to relax data storage rules in boost for business
India plans to further relax its approach to data storage, processing and transfer beyond its borders, a boon for global companies such as Alphabet Inc.’s Google as well as Indian firms seeking growth abroad.
A draft version of a new privacy bill allows companies to export data to any country except those specifically named by New Delhi, people familiar with the matter said, asking not to be named as the bill isn’t yet public. A previous draft released publicly in November, conversely, restricted the export of data to all regions except those named by the government.
India, like governments around the world, is trying to balance the needs of business with individuals’ rights to data privacy. With its population of 1.4 billion, the country is an attractive growth market for global internet giants, but corporations are regularly clashing with authorities focused on protecting consumers’ interests and aiding home-grown enterprises.
The Digital Personal Data Protection Bill 2023 requires companies to get consent before collecting personal data and prevents them from using it for any purposes other than those mentioned in the contract between the parties, the people said. That means companies can’t anonymize personal data and use it for products such as artificial intelligence models, they said.
The bill grants sector-specific regulators, such as the central bank, a wider say over data rules for the industries they oversee. It lets companies doing mergers, acquisitions or spinoffs to export and store data where necessary.
India’s technology ministry didn’t respond to a request for comment. The amended bill was approved by Prime Minister Narendra Modi’s cabinet this month, and it is slated to be presented for parliament approval in a session that begins July 20.
The proposed legislation comes as digitization thrives in the world’s most-populous nation, thanks to a surge in the use of smartphones and mobile apps. India’s privacy push, which has been years in the making, aligns with similar actions by other countries.
Other key aspects of the bill — such as the setting up of a Data Protection Board of India to determine non-compliance and impose penalties for breaches, and the requirement for companies such as Amazon.com Inc. and Meta Platforms Inc. to appoint India-based data protection officers — remain unchanged from the previous drafts. An order of the Data Protection Board can be challenged in an appellate tribunal and then a high court.