“Indian Parliament pulled the draft Data Protection Bill from consideration,” as reported by Techcrunch, but what does this mean? Truyo President Dan Clarke breaks down his thoughts on what’s to come.
It’s generating lots of discussion on what this really means for privacy protection in India, and if and when we will have some clarity.
I think, in essence, like the first draft, this bill tried to do too much too fast with a scope that was well outside of even normal privacy legislation, and the resistance was just too great. It was pulled rather than try to amend or push it when they knew there was little chance for it to pass. I think this was the right move. This had “extraneous” elements well beyond normal scope and would have been burdensome on a business, as it was not well in sync with GDPR or CPRA in some areas.
Now what? Well, if you believe what was said, a new bill is ‘almost done’ again according to the responsible Minister, as reported by Techcrunch. But is that really the case? My sources say yes, and this one may not have the same opposition. This might be more backroom negotiations coming forward than anything. There was strong opposition from Google, Amazon and Meta, especially for anything that didn’t align with other existing data protection laws. Presumably the new bill will align more closely, but I still think this means the timeline is delayed.
Does this really change anything for a business? That depends on if you are new to privacy laws. In that case, then very much so, but for most US companies, there isn’t much of a change other than there is still very likely to be a requirement for data localization. Of course that is not new for most of us either, if you do business in the EU/UK or ANZ. However, for many US businesses that are not subject to regulations outside of CCPA today, but have operations in India, this will be the greatest challenge to any India privacy law.
Otherwise, all the bills and proposals in India keep with the basics found everywhere: consumer rights, restrictions on sharing, notification of breach, and restrictions on data minimization (beyond the likely need for localization).
In conclusion, I think this actually will be likely to move quickly now and I always view consistency as a plus. Companies probably have some time to worry about localization but it is likely coming.