Data protection: Four key clauses may go in new bill

This was objected to by the industry as revenue generated by data fiduciaries outside India may not have a link with processing activities in the country.

Data protection: Four key clauses may go in new bill
The industry, which includes Big Tech as well as startups, had voiced concerns about these clauses.

The government has identified four key clauses in the now-withdrawn Personal Data Protection Bill that are likely to be either dropped or fine-tuned in the new one to facilitate ease of doing business and achieve regulatory simplicity. The industry, which includes Big Tech as well as startups, had voiced concerns about these clauses.

Regulation of hardware and devices, localisation of data with retrospective effect, the need to seek regulatory nod every time cross-border flow of data is required, and penalty on global turnover for any violation, are the four areas which figure on the government’s list, sources told FE. It is likely that consultations will be held once again with the industry on these issues.

For instance, regulation of hardware devices was not in the draft originally submitted by the Justice BN Srikrishna committee but was later inserted by the Joint Committee of Parliament (JCP). The industry had flagged it as one of their biggest concerns, and in all probability, this may not figure in the new Bill, which the government plans to introduce in Monsoon session of Parliament.

Also Read | Govt withdraws Personal Data Protection Bill

The reason behind dropping hardware regulation from the ambit of the Bill is that its scope is too large and so it is prone to misuse, allegation and counter-allegations, and legal disputes.

The withdrawn Bill mandated monitoring, testing and certification of hardware devices by the Data Protection Authority (DPA). This would have required the DPA to be armed with specific technical expertise. Further, it would have created an additional layer of compliance that had the potential to delay commercial access of hardware in the Indian market and create unreasonable responsibility on data fiduciaries for security of data on a consumer’s device.

Also Read | IT industry seeks participation in consultation process for fresh personal data protection bill

Further, currently, no security standardisation efforts globally have any proposal for an in-country lab-based certification requirement for commercial devices.

If regulation of hardware becomes a reality, it would require consumers after buying any hardware device – laptop, mobile phone, TV, any IoT machine – to take it to a certified lab, say after six months, to get it tested whether there’s a spyware installed in it which steals and transfers data. Apart from the huge scope of such a regulation, considering the fact that around 600-700 million such devices would be there in the market, if a spyware is detected it may lead to a legal wrangle between the manufacturer and government agencies.

The second area, where the provisions are likely to be diluted in the new Bill, relates to localisation of data. Here, the withdrawn Bill had a clause which mandated storage of sensitive personal data (SPD) and processing of critical personal data (CPD) only in India. The problem area, as highlighted by the industry, was that it stated that mirror copies of SPD and CPD already in the possession of foreign entities need to be brought back to India, with retrospective application.

Legal and industry experts told FE that such a provision would have led to problems in segregating SPD and CPD from a retrospective basis and would have even led to cybersecurity issues.

Sources said it is unlikely that this provision would be dropped altogether but the clause relating to retrospective effect may be removed.

The third relates to cross-border data flows. Here, the withdrawn Bill had the provision that explicit consent would be needed for transfer of SPD, from the DPA, which in turn would need to consult the government. In practical terms, this would have meant that transfer of such data would not have remained free from executive or political interference, which may have acted as barriers for startups.

The withdrawn Bill had the provision for levying penalties of 2-4% of total worldwide turnover of data fiduciaries. This was objected to by the industry as revenue generated by data fiduciaries outside India may not have a link with processing activities in the country. It is likely that the worldwide turnover may be dropped in the new Bill.

The Data Protection Bill, which the government withdrew on Wednesday, was introduced in the Lok Sabha in December 2019, after which it was referred to the JCP, chaired by BJP MP PP Chaudhary. The draft Bill was prepared on the recommendations of the Justice BN Srikrishna-led committee in 2018.

Get live Share Market updates and latest India News and business news on Financial Express. Download Financial Express App for latest business news.

Photos