Indian lawmakers passed a data protection law on Wednesday that will regulate how tech companies handle user data, amid criticism of increased government oversight.

The law would allow companies to transfer certain user data overseas while giving the government the power to request information from companies and issue guidelines for blocking content on the advice of a federally appointed data privacy board.

The 2023 Digital Personal Data Protection Bill gives governments the power to exempt state agencies from laws and gives users the right to correct or delete their personal data.

The new law comes after India withdrew a 2019 privacy bill that alarmed tech companies like Facebook and Google with proposed tougher restrictions on cross-border data flows.

The law stipulates penalties of up to 2.5 billion rupees ($30 million) for violations or non-compliance with the law.

However, it drew criticism from opposition lawmakers and advocacy groups over the scope of the exemption.

The Internet Freedom Foundation, a digital rights group, also said the law contained no meaningful safeguards against “over-surveillance”, while the Editors’ Union of India said it undermined press freedom and watered down rights to information laws.

Deputy Information Technology Minister Rajeev Chandrasekhar said the law would protect the rights of all citizens, allow the innovation economy to grow and allow the government to have lawful access in the event of national security and emergencies such as pandemics and earthquakes. ($1 = 82.8100 Indian rupees) (Reporting by Blassy Boben; Additional reporting by Shivam Patel; Writing by Kirsten Donovan)