As startups complain, the government is trying to relax data location norms

After complaints from many Indian start-ups that the data localization requirements in the current draft of the Personal Data Protection Bill are too “compliance-intensive” and could hamper business operations, the Department of Electronics and IT (MeitY) is studying the possibility of watering down those norms, a senior government official told The Indian Express.

Under the draft law, companies dealing with users’ personal data are required to store a copy of that data in India, and the export of undefined “critical” personal data is prohibited. Personal data includes information – online or offline – that could be used to identify an individual and thus create a profile of that person.

“We’ve had hundreds of letters from startups raising concerns…we don’t want a law that has the potential to stifle innovation,” the official said. “Start-ups have indicated that they do not want a hard localization mandate as mandated in the current draft and we are re-examining the provisions for start-ups.”

Noting the need to balance privacy and innovation, the official said the European Union’s General Data Protection Regulation (GDPR) was seen as overly restrictive. “The general consensus is that GDPR requires strict compliance and as a result has hampered innovation in the region. Unlike the EU, India has one of the most vibrant startup ecosystems in the world and the government doesn’t want to put unnecessary hurdles in their way,” the official said.

Explained

Concern: will hit innovation

The bill will require companies dealing with users’ personal information to hold it in India. Because startups deal with foreign companies, they say data localization standards will make that work harder.

For one, startups use many third-party services from companies that may not have a physical presence in India, and a strict localization mandate hampers cross-border deals. “As a start-up, you end up using online tools and software – from analytics to entire cloud-based servers – that may not be based in India. These services often need access to your core database. Also, many startups have clients outside of India, and a localization mandate could make it difficult for them to do business with international clients,” said one founder on condition of anonymity.

This comes even as Indian start-ups face a sharp decline in funding. According to a July report by PwC India, funding for Indian startups collapsed 40 percent to $6.8 billion in the April-June quarter amid geopolitical tensions fueled by the Russian invasion of Ukraine, the decline in technology stock valuations and inflation.

Aside from compliance issues, civil society stakeholders have also raised privacy concerns. “…Giving central government the power to determine what data constitutes critical personal data will certainly lead to abuses of power by the state through excessive and excessive intrusions into privacy in the name of national security,” the Delhi-based Internet Freedom Foundation has said.

The data protection law is currently under scrutiny after a joint parliamentary body issued a version last year. The first draft was prepared in 2018 by a committee led by former judge BN Srikrishna.

A key issue, one official said, is that when the first draft privacy bill was ready in 2018, the Information Technology Act, 2000, was the only piece of legislation regulating the online space. “But today we have the IT Rules of 2021 and we also released a draft National Data Governance Framework that will handle non-personal data. Eventually, there will also be a comprehensive cybersecurity policy. These developments have allowed the government to deal only with the protection of personal data under the Data Protection Act.”

Not only local startups, but also big tech like Google and Meta have raised concerns about the proposed data localization regulations. In May, Meta’s vice president and assistant privacy chief Rob Sherman said India’s data localization standards could make it “difficult” for the company to offer its services in the country. Last month, Keith Enright, Google’s chief privacy officer, said data localization standards should be as “narrow as possible.”

Sybil Alvarez