India on Friday proposed a new data privacy law that will allow companies to transfer some users’ data abroad, while giving the federal government powers to exempt State agencies from the law in the interests of national security.

The proposed law would be the latest regulation that could impact how tech giants such as Facebook and Google process and transfer data in India’s fast-growing digital market. It comes after India in August withdrew a 2019 privacy Bill that had alarmed companies by proposing stringent restrictions on cross-border data flows, a Reuters report stated.

Prime Minister Narendra Modi’s government has been tightening regulation for the sector, which executives say has increased the compliance burden for companies.

India has defended stricter regulations citing the need to safeguard users’ interests in a country that has more than 760 million internet users.

The latest privacy Bill, however, relaxed certain stringent norms on cross-border transfers proposed earlier, with the government saying it could specify countries to which entities managing data can transfer personal data of users.

Supratim Chakraborty, a partner specializing in data privacy at law firm Khaitan & Co, said the proposal would bring relief for big technology companies that need to transfer user data abroad where they maintain their servers.

“It will be a relief as there will be a certain list of whitelisted countries. So if United States is one of them, it will ease a lot of stress for big companies as they could transfer user data there,” Chakraborty said.

The new bill also proposes financial penalties of up to Rs. 2.5 billion ($30 million) if someone is found breaching the provisions of the law.

The federal government would have powers to exempt state agencies from provisions of the bill “in the interests of sovereignty and integrity of India” and to maintain public order, said the draft proposal, which is open for public consultation until December 17.

Indian privacy advocates had said such provisions could allow the government to abuse access. In its statement on Friday, the government said it acknowledged that “national and public interest is at times greater than the interest of an individual”.

India considered global best practices and reviewed data legislation in Singapore, Australia, and European Union, while making the new proposal, it said.

Below are some of the key aspects of the proposed ‘Digital Personal Data Protection Bill’:

* The government will have the power to specify the countries to which companies can transfer personal data. This will allow companies to send user data to servers in countries on that list.

* The government has the power to exempt state agencies processing data from the proposed law in the interest of national security.

* The government will establish a “Data Protection Board” for ensuring compliance with the proposed law. The board will also hear user complaints.

* Companies of “significant” size – based on factors such as the volume of data they process – should appoint an independent data auditor to evaluate compliance with provisions of the law.

* The Data Protection Board can levy financial penalties for non-compliance. Failure of entities to take reasonable security safeguards to prevent data breaches could result in fines of up to Rs. 2.5 billion ($30.6 million), the draft proposal said.

* Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was collected. Users shall have the right to correction and erasure of their personal data.

* No company or organisation will be allowed to process personal data that is “likely to cause harm” to children, and advertising cannot target children. Before processing any personal data of a child, parental consent will be required.

* The law will cover personal data collected online and digitised offline data. It will also apply to the processing of personal data abroad, if such data involves profiling Indian users or selling services to them.