Indian lawmakers approved a data protection law on Wednesday that outlines how technology companies handle user data amid criticisms that it may exacerbate government surveillance. The law will allow companies to transfer data of certain users abroad while granting the government the authority to request information from companies and issue directives to block content based on recommendations from a government-appointed data protection board.
The Digital Personal Data Protection Act of 2023 gives the government powers to exempt its agencies from the law and provides users the right to correct or delete their personal data. The law proposes fines of up to 2.5 billion rupees ($30 million) for violations and non-compliance.
Rajeev Chandrasekhar, the Deputy Minister of Information Technology, stated that the law will protect the rights of all citizens, allow the innovation economy to grow, and enable the government to access information legally in cases related to national security and emergencies like pandemics and earthquakes.
In contrast, the law has faced criticism from opposition lawmakers and rights groups concerning the scope of exemptions. The Internet Freedom Foundation noted that the law lacks any reliable guarantees against unrestricted surveillance. The Editors Guild of India stated that it impacts press freedom and undermines the right to information law.
