The Personal Data Protection (PDP) Bill is currently being scrutinised by the ministry of electronics and information technology (MeitY) and no further consultations are going to be held, minister of state for electronics and IT Rajeev Chandrasekhar said on Thursday.
“The PDP Bill is already consulted, it went to the parliamentary committee and after they went through it – it is back with us. The consultations on the Bill are over and it is being scrutinised by the ministry,” Chandrasekhar told FE on the sidelines of FinTech Festival India held by Temasek-backed Constellar.
Earlier, several industry associations representing the information and communications technology industry in India and enterprises globally have made recommendations to the ministry post the joint parliamentary committee’s (JPC) report on the Bill in December. Separating personal and non-personal data, removal of data localisation requirements on sensitive and critical personal data and establishing clear parameters for government access to data, among others are some of them.
Information Technology Industry Council (ITI) in a letter to Chandrasekhar said that the JPC will unintentionally limit the ease of doing business in India, hamper the country’s continued economic growth and constrain the ability of Indian and global companies to innovate in India.
One of the major concerns highlighted is regarding the incorporation of non-personal data (NPD) within single legislation. The council highlights that regulating non-personal data is fundamentally different from that of personal data protection. “The former is premised upon data sharing in the interest of transparency and openness while the latter is concerned with protecting user privacy,” it said.
Subjecting the non-personal and personal data under the same regulator — the Data Protection Authority (DPA), has also been termed “impractical” by the associations because both sets of data require different sets of expertise and are fundamentally different, which will lead to regulatory uncertainty.
Objecting to JPC’s recommendation to gradually move towards complete localisation of data, ITI has said that it will ultimately raise privacy and cybersecurity concerns over the large volumes of data to be held in India, likely hindering foreign direct investments in the country.
The JPC report also recommends extensive requirements for the transfer of data outside of India and that the DPA consult the central government for all cross-border transfers of sensitive personal data. The industry bodies say that this proposed requirement will not only undermine the independence of the new proposed DPA, but also create further business uncertainty, and slow down data innovation, compounding the risks and costs of doing business in India.
Kumar Deep, country manager (India), ITI Council said that the recommendations made by JPC had various novel concepts on which no public consultation had been done before. “Inclusion of non-personal data in the personal data framework, issues with regards to compulsory hardware and software certification, more stringent approach towards data localisation obligations were not part of the original Bill,” he said.
A separate letter signed by 12 global associations representing multi-national companies present in manufacturing, agriculture, automotive, life sciences, financial services, retail, logistics and technology sectors, among others also highlighted similar concerns. “The Report’s recommendations run counter to global standards for data protection and competition, and the absence of a formalised and robust public debate on these significant new provisions deviates from good regulatory practices,” the letter states.