The new draft Data Protection Bill has dropped four clauses from the earlier version about which Big Tech firms and startups alike had expressed serious reservations, warning that if the government went ahead with them, businesses would face major disruption.
Accordingly, regulation of hardware and devices, localisation of data with retrospective effect, the need to seek the regulator's nod every time a cross-border flow of data is required, and penalties pegged to global turnover for any violation do not figure in the new draft.
The older version of the Bill, which was withdrawn in August, had a provision for the regulation of hardware devices. This was not in the draft originally submitted by the Justice BN Srikrishna committee but was later inserted by the joint committee of Parliament. Industry had flagged it as one of its biggest concerns.
The reason for dropping hardware regulation from the ambit of the Bill was that its scope was too large and it was prone to misuse, allegations and counter-allegations, and legal disputes, sources in the government said.
The older Bill mandated monitoring, testing and certification of hardware devices by the Data Protection Authority (DPA). This would have required the DPA to be equipped with specific technical expertise. Further, it would have created an additional layer of compliance that had the potential to delay the commercial availability of hardware in the Indian market and to place unreasonable responsibility on data fiduciaries for the security of data on a consumer's device.
Had hardware regulation become law, consumers buying any hardware device (laptop, mobile phone, TV or any IoT device) would have had to take it to a certified lab to have it tested for spyware that steals and transfers data.
Apart from the huge scope of such a regulation, given that around 600-700 million such devices would be in the market, any detection of spyware would have led to a legal wrangle between the manufacturer and government agencies.
Second, on localisation of data, the earlier version of the Bill had a clause mandating that sensitive personal data (SPD) be stored, and critical personal data (CPD) be processed, only in India. The problem area, as highlighted by industry, was that it required mirror copies of SPD and CPD already in the possession of foreign entities to be brought back to India, with retrospective application.
Legal and industry experts had said that such a provision would have led to problems in segregating SPD and CPD on a retrospective basis and could even have created cybersecurity issues.
The third dropped provision concerns cross-border data flows. The withdrawn Bill required explicit approval from the DPA for every transfer of SPD, and the DPA in turn would have had to consult the government. In practical terms, this would have meant that such transfers were not free from executive or political interference, which could have acted as a barrier for start-ups.
Fourth, the withdrawn Bill provided for penalties of 2-4% of a data fiduciary's total worldwide turnover. Industry objected on the ground that revenue generated by a data fiduciary outside India may have no link with its processing activities in the country.