Regulation of hardware and devices, localisation with retrospective effect, and the need for regulatory approval every time data has to flow across borders are three areas which may be impacted as the government reviews the draft Data Protection Bill to facilitate ease of doing business and regulatory simplicity.
Hardware devices, which were not in the ambit of regulation in the draft Bill originally prepared by the Justice BN Srikrishna committee, were later inserted by the Joint Committee of Parliament (JCP), and this has emerged as the biggest concern for both the government and the industry.
Hence there’s a possibility of regulation of hardware being dropped altogether from the Bill’s ambit. The reason is that its scope is too large and it is prone to misuse, allegations and counter-allegations, and legal disputes.
The provisions of the Bill as approved by the JCP mandate monitoring, testing and certification of hardware devices by the Data Protection Authority (DPA). This would require the DPA to be armed with specific technical expertise. Further, it creates an additional layer of compliance that will potentially delay commercial access of hardware in the Indian market and place unreasonable responsibility on a data fiduciary for security of data on a consumer’s device.
Currently, no security standardisation efforts globally propose an in-country lab-based certification requirement for commercial devices.
Practically, what this entails is that a consumer, after buying a hardware device – laptop, mobile phone, TV, any IoT machine – can take it to a certified lab, say after six months, to have it tested for installed spyware that steals and transfers data. Apart from the huge scope of such a regulation, considering that around 600-700 million such devices would be in the market, the detection of spyware could lead to a legal wrangle between the manufacturer and government agencies.
The second area where the government may look at diluting the provisions prescribed in the Bill relates to localisation of data. Here the Bill mandates storage of sensitive personal data (SPD) and processing of critical personal data (CPD) only in India. The problem area is the clause which states that mirror copies of SPD and CPD already in the possession of foreign entities be mandatorily brought back to India, with retrospective application.
Legal and industry experts have pointed out the problems that would arise in segregating SPD and CPD on a retrospective basis, which may also lead to cybersecurity concerns. It is unlikely that this provision would be dropped altogether, but the clause relating to retrospective effect may be removed.
The third area, which is connected to the second, restricts cross-border data flows. Here the provision is that explicit consent for the transfer of SPD is required from the DPA, which in turn needs to consult with the government. This means transfer of such data would not remain free from executive or political interference, which may act as a barrier for start-ups. It is likely that this clause also gets revisited.
The Data Protection Bill was originally introduced in Lok Sabha in December 2019, after which it was referred to the JCP, chaired by BJP MP P P Chaudhary. The draft Bill was prepared on the recommendations of the Justice B N Srikrishna-led committee in 2018.