Non-personal data within its ambit, social media platforms as ‘publishers’— what else ‘data protection bill’ could look like
The joint parliamentary committee (JPC) has released a reworked version of the much-awaited data protection bill 2019, now called the “Data Protection Act of 2021” (2021 Bill).
The bill, tabled in both houses of Parliament on December 16th after the widest possible consultations, has changed fundamentally, including in its title, from Personal Data Protection Bill to Data Protection Bill. Certain other deviations, such as the recommendation that social media intermediaries could become publishers in certain circumstances and a few aspects of data localisation norms, change the original structure of the bill substantially.
The proposal for the Bill came after the Supreme Court declared privacy a fundamental right in 2017 and directed the government to come up with a data protection regime.
The IT industry’s apex body Nasscom and the Data Security Council of India (DSCI) on Thursday welcomed the revised data protection bill 2019, saying a robust data protection law is critical to safeguard the privacy of Indian citizens while driving India’s success in the digital economy.
“While the JPC has retained much of what was positive with the 2019 Bill, and accepted many more recommendations from the industry, certain areas will require further deliberation – particularly the expansion of the scope to cover non-personal data,” Nasscom President Debjani Ghosh said.
NASSCOM-DSCI expects these to be widely debated and discussed so that India continues to enable cross-border data flows without undue restrictions, provides an effective ‘Safe Harbour’ regime for intermediaries and ensures a globally competitive market ecosystem for FinTech and the financial sector in general.
The proposal in the report to have the Bill apply to “non-personal data” and to have a “single regulator” for both personal and non-personal data needs careful analysis and deeper debate, Nasscom said.
“This is required as the imperatives for a policy on non-personal data are to enable data driven innovation and unlock economic value. These imperatives arguably require a different regulatory approach than that needed for regulating personal data processing, where the focus is primarily on protecting privacy and preventing harms arising from the abuse of personal data,” it elaborated.
India’s Information Technology (IT) and Business Process Management (BPM) industry’s annual exports to over 100 countries stand at USD 150 billion.
Further, the Internet and Mobile Association of India (IAMAI) also evaluated the bill and said that the requirement on the DPA to consult the Central Government before issuing any approvals or decisions on cross-border data flows would create an incredibly slow and cumbersome process for decisions and would diminish the autonomy and efficiency of a specialised body such as the DPA.
It also raised concerns that imposing an age restriction of 18 years on certain services will exclude an important demographic from the digital ecosystem and will contradict most data regimes, which create enabling provisions for ages 13-18. In addition, it said the recommendations may bring a much higher compliance burden on start-ups, and suggested that an expert group should be set up to study the impact of these recommendations on start-ups.
However, the body is confident that the government will continue the transparent and consultative ethos under which the earlier draft bill was developed, and urges further deliberations on the report. Certain provisions in the report, such as the new requirement for hardware/device testing, need to be discussed with the industry, as the outcomes of such a mechanism are not clear given that the data fiduciary is already legally accountable for complying with the law.