Recently, India, home to more than 1.3 billion people, withdrew its data protection bill—signaling yet another setback in global efforts to protect people’s data privacy.
After at least five years of privacy debates, intense Silicon Valley lobbying, and infighting within the Indian policymaking apparatus, the world’s second most populous country is now back to a blank slate on broad privacy legislation. Discarding the bill is a mixed outcome for everyone—Indian citizens, for example, will not have the protections from company surveillance in the bill, though they also avoid the carveouts for state surveillance—and only signals more turmoil in Indian privacy tech policy in the years to come. And because India is an influential tech player trying to stake its flag on a “fourth way” of data governance, that means more confusion globally, too.
India’s Personal Data Protection Bill was introduced into parliament in 2019 for a variety of reasons. Privacy was deemed a fundamental right under India’s constitution in 2018, and numerous policymakers wanted a major privacy law for the nation’s billion-plus people. Indian law enforcement had long taken issue with the mechanism for getting crime-related information from U.S. tech companies; because Indian requests to the U.S. were so backlogged, many Indian law enforcement agencies saw local data storage requirements as a way to ensure they could get information on crimes. The Modi government, in some places, cynically saw the privacy bill as a tool to lay pressure on foreign tech companies that did not comply with state demands. And others yet wanted to push back against so-called digital colonialism, wherein Silicon Valley and other Western tech firms enter India, surveil citizens, and extract their information and most (or virtually all) of the economic value back to their home countries. That the legislation specially designated a category for “social media intermediaries” demonstrates a desire to specially rein in companies like Facebook and Google—a desire held by many governments around the world, albeit in different ways.
Owing to India’s unique position on the geopolitical stage—the second most populated country on the planet, the site of a burgeoning and multihundred-billion-dollar tech sector, a nation celebrating 75 years of independence from British rule—the privacy bill was also a way for New Delhi to plant its flag on data protection. India’s Ministry of Electronics and Information Technology, in a 2018 report, described this kind of move as a “fourth way” of data governance, for Global South countries, in contrast from approaches taken in the U.S. (where corporate surveillance runs rampant), the European Union (a relatively broad data privacy regime), and China (with some corporate data controls but widespread state surveillance). But it’s not clear exactly what this “fourth way” would mean and how India plans to differentiate its approach.
Now, the Modi government—claiming the proposal had become too cumbersome—has torn up the bill entirely and vowed to produce a fresh piece of legislation. Indian citizens lose out, at least in the immediate term, in having a law focused on protecting individual privacy. For all that Indian officials hope to table a new bill in a few months, the process of revising the bill may drag out longer. Simultaneously, though, it’s possible the new legislation will be stronger; after all, telling companies they must have people click “accept” on a long, boring terms-of-service form before collecting and using their information—and then calling that “consent” and pretending no harm can or does occur after that point—is hardly the best way to protect individuals and their information by default. Even if improbable, stronger privacy controls are still on the table for Indian citizens.
The world’s largest democracy (albeit a backsliding one with an ethnonationalist government in power) still has no strong data privacy regime. Some Global South countries have enacted privacy legislation, as with Brazil passing its General Personal Data Protection Law in 2020, but the Indian government has not yet legally stepped toward its vision of a “fourth way” of data governance. In some ways, this cedes influence to countries with clear visions for data protection; governments in Japan and Beijing, regulators in Brussels, and others are implementing new rules and may have greater perceived leadership if countries believe the Indian parliament is far off from putting a data bill into law. Yet every company and government wishing to engage India on data issues must watch whatever happens next. Solidifying this fact is India’s imminent rise to the G20 presidency, from December 2022 to November 2023.
All the while, the Modi government has been imposing regulations targeting social media companies, internet news services, and other firms—including new legislation that requires VPNs to store user data and IP addresses for five years—seeking to increase its control over and surveillance of the online space. It now says it plans to introduce the so-called Digital India Act sometime this fall, focused on everything from children’s and women’s safety to digital crime to content spread via over-the-top media services like Amazon Prime and Netflix. Home to more internet shutdowns than any other country on earth, however—including a longstanding internet shutdown meshed with other human rights abuses in Kashmir—India’s credibility on digital democratic regulation is limited under the current government. Policymakers in the U.S., among others, should not continue to sweep these issues under the rug when engaging on the next iteration of a privacy bill. The more Indian officials work to enhance the country’s digital infrastructure, looking to provide citizens with state-run systems in everything from e-payments to health care, the more important a privacy bill covering all actors will become.
The United States is not a passive observer on the privacy debate, either. American companies, particularly the likes of Amazon, Facebook, and Google, lobbied aggressively against the Indian bill’s data localization requirements—. Trump White House officials entered the fray, too, with Donald Trump himself stating at the 2019 G20 summit in Osaka that “the United States opposes data localization and policies, which have been used to restrict digital trade flows and violate privacy and intellectual property protections.” Looking ahead, Silicon Valley firms will undoubtedly try to lessen the new law’s blows to their bottom lines. But whatever India ends up doing will influence the global privacy landscape as well.