Changes to India’s privacy bill could cause trouble for Facebook, Google and others as proposals include government powers to request user data to help forge policies.
The Personal Data Protection Bill, circulated to parliament members on Tuesday and reviewed by Reuters, was keenly awaited by top technology companies as it could affect the way they process, store and transfer Indian consumers’ data.
The bill’s latest version introduces a provision empowering the government to ask a company to provide anonymized personal data, as well as other non-personal data, to help target the delivery of government services or formulate policies.
The bill defines “personal data” as information that can help identify a person and has characteristics, traits and any other features of a person’s identity. Any other data is non-personal, the bill said, without elaborating.
“For companies, even non-personal data is wealth and such a legal provision is likely to cause panic at big technology companies,” said Supratim Chakraborty, a partner specializing in data privacy at Khaitan & Co.
Defending the move, a senior Indian government official said such data was “also wealth for the society”, citing an example that data from a company like ride-hailing business Uber could help the government understand public transport constraints and further develop the local train network.
“The bill doesn’t say this data will need to be given free ... subsequent rules will offer clarity on payment for such data,” the official added.
The bill will be presented in parliament soon, but won’t be passed in the current session that concludes on Dec. 13 as a panel will likely review it further, Reuters reported last week.
The bill also said large social media platforms should be required to offer a mechanism for users to prove their identities and display a verification sign publicly, a move that would raise a host of technical issues for companies including Facebook, WhatsApp, and the Chinese app TikTok.
“Sensitive personal data”, which includes financial and biometric data, could be transferred outside India for processing, but must be stored locally, the bill said.
The privacy bill is part of India’s broader efforts to tightly control the flow of data and is seen helping government agencies for investigations. U.S. firms have lobbied against such data rules around the world, fearing increased compliance costs.
On Tuesday, Internet company Mozilla said the bill’s exceptions for government to use data and proposed verification of social media users represented “new, significant threats to Indians’ privacy”.
“If Indians are to be truly protected, it is urgent that the parliament reviews and addresses these dangerous provisions before they become law.”