New bill addresses industry concerns; four clauses flagged in original draft dropped

The older version of the Bill, which was withdrawn in August 2022, had a provision for regulation of hardware devices.


The Digital Personal Data Protection Bill, which was tabled by the government in the Lok Sabha on Thursday, has dropped four clauses from the earlier version drafted by the Justice BN Srikrishna Committee. Both Big Tech firms and startups had expressed serious reservations about the clauses concerned, on the grounds that they would disrupt businesses.

Accordingly, regulation of hardware and devices, localisation of data with retrospective effect, the need to seek a regulatory nod every time cross-border flow of data is required, and a penalty on global turnover for any violation do not figure in the new Bill.

The older version of the Bill, which was withdrawn in August 2022, had a provision for regulation of hardware devices. This was not in the draft originally submitted by the Srikrishna Committee but was later inserted by the joint committee of the Parliament. The industry had flagged it as one of its biggest concerns.

The reason behind dropping hardware regulation from the ambit of the Bill was that its scope was too large and was prone to misuse, allegations and counter-allegations, and legal disputes.

The older Bill mandated monitoring, testing and certification of hardware devices by the Data Protection Authority (DPA). This would have required the DPA to be armed with specific technical expertise. Further, it would have created an additional layer of compliance that had the potential to delay commercial access of hardware in the Indian market and create unreasonable responsibility on data fiduciaries for security of data on a consumer’s device.

Had regulation of hardware become law, it would have meant that consumers, after buying any hardware device – laptop, mobile phone, TV, any IoT machine – would need to take it to a certified lab to get it checked and tested for spyware installed on it that steals and transfers data.

Apart from the huge scope of such a regulation, considering that around 600-700 million such devices would be in the market, the detection of spyware would have led to a legal wrangle between the manufacturer and government agencies.

Second, on localisation of data, the earlier version of the Bill had a clause which mandated storage of sensitive personal data (SPD) and processing of critical personal data (CPD) only in India. The problem area, as highlighted by the industry, was that it stated that copies of SPD and CPD already in the possession of foreign entities needed to be brought back to India, with retrospective application.

Legal and industry experts had said that such a provision would have led to problems in segregating SPD and CPD on a retrospective basis and would have even led to cybersecurity issues.

The third provision which has been dropped is with regard to cross-border data flows. Here, the withdrawn Bill provided that explicit consent for the transfer of SPD would be needed from the DPA, which, in turn, would need to consult the government. In practical terms, this would have meant that transfer of such data would not have remained free from executive or political interference, which may have acted as a barrier for startups.

The withdrawn Bill had a provision for levying penalties of 2-4% of the total worldwide turnover of data fiduciaries. This was objected to by the industry, as revenue generated by data fiduciaries outside India may not have a link with processing activities in the country.


This article was first uploaded on August four, twenty twenty-three, at thirty minutes past three in the night.