By Ayushman Baruah
Tech companies and industry bodies are eyeing a more conducive Personal Data Protection (PDP) Bill after the government withdrew the proposed legislation on Wednesday. The Bill seeks to regulate the use of an individual’s data by companies and the government, but industry bodies feel hard data localisation norms will hinder the growth of the startup ecosystem.
Tech giants like Meta, Google, Amazon, and Twitter had earlier expressed concerns about some recommendations of the Joint Committee of Parliament (JCP) on the proposed Bill, which clashed with many of their data collection policies.
The Information Technology Industry Council (ITI), welcoming the decision to withdraw the PDP Bill, urged the government to implement a robust stakeholder consultation on it.
“Our concerns with regards to certain recommendations made by the JCP remain, and if they are part of the new draft, we will raise concerns at the appropriate forum. If the government harmonises these new rules to globally acceptable international regulations, many concerns would have been addressed, we will wait for the new draft to engage meaningfully,” said Kumar Deep, country manager (India), ITI Council.
One industry association head said, on the condition of anonymity, that hard data localisations and compliances in India will impact startups that not just process a lot of data from outside, but also have ambitions to go global. “If other countries also put similar kind of reciprocal measures, it will impact the growth of the startup ecosystem,” the person said.
After the JCP’s report on the Bill in December, several industry associations representing the information and communications technology industry had made recommendations to the ministry. Separating personal and non-personal data, removal of data localisation requirements on sensitive and critical personal data, and establishing clear parameters for government access to data are some of them.
Subjecting non-personal data and personal data under the same regulator, the Data Protection Authority (DPA), was also termed “impractical” by associations on the grounds that both sets of data require different expertise, which will lead to regulatory uncertainty.
The JCP report had recommended extensive requirements for the transfer of data outside of India and that the DPA should consult the central government for all cross-border transfers of sensitive personal data. Industry bodies think this proposed requirement will not only undermine the independence of the proposed DPA, but also create further business uncertainty and slow down data innovation.
“The Data Protection Bill as proposed by the JCP had become an omnibus, going much beyond the remit of the original Bill. Given the number of outstanding questions around issues like non-personal data, data localisation, cross-border data flows and exemptions to central government, the government’s intent to bring a fresh Bill that incorporates all the feedback could be a positive step,” said Aparajita Bharti, founding partner, TQH Consulting.
The revised Bill, expected to be passed in the next Budget session, is likely to have a comprehensive framework of global standard laws, including digital privacy laws, for contemporary and future challenges.
“We hope for a new Bill that will favour personal data protection and sovereign features such as data localisation, while not burdening the startup and insurtech ecosystem with compliance and allowing non-personal data being kept in free flow state,” said Piyush Ranjan, chief technology officer, Coverfox group, a B2C insurtech platform.
As the JCP report seems to suggest that the PDP Bill 2019, had a few fault-lines, experts believe the withdrawal presents an opportunity for more inclusive stakeholder engagement. “That said, time is of the essence, and we do hope a new legal framework, that balances the trade-off between growth, privacy, and implementation, is introduced soon,” said Mehak Khungar, principal at Auctus Advisors.
Data localisation norms can prove to be entry barriers for companies to go to global markets, according to Kamesh Shekar, programme manager, The Dialogue, a policy think tank. “Therefore, the new Bill should lay down the specifics of how data will be shared across borders. Moreover, it should be interoperable and harmonised with global data protection regimes.”
According to Nasscom, the idea is to ensure the new law is interoperable with global laws. “You don’t want to saddle the companies with too many different laws and obligations … we must also ensure it’s not a one-size-fits-all approach but a framework that helps startups without making them feel obligated,” said Ashish Aggarwal, vice president and head of Public Policy, Nasscom.
From startups’ perspective, there is a line the new Bill should draw, said Rameesh Kailasam, CEO, IndiaTech.org. “It should not become very compliance-heavy, but at the same time basic safeguards need to be put in place for customers. They should come out with thresholds, wherein if you are collecting data, you must adhere to some basic laws,” he said.