“Prima facie it seems that the draft that was put out in 2019 after widest possible consultations has changed fundamentally, including the title of the bill from Personal Data Protection Bill to Data Protection Bill. Certain other deviations such as the recommendations that social media intermediaries could become publishers in certain circumstances and a few aspects of data localisation norms change the original structure of the Bill substantially,” the Internet and Mobile Association of India (IAMAI) said in its statement on the Joint Parliamentary Committee’s Report on the Personal Data Protection Bill, 2019.
What are IAMAI’s concerns with the new Bill?
- Getting permissions for cross-border data flows will be incredibly cumbersome: “The requirement on DPA to consult the Central Government before issuing any approvals or decisions on cross-border data flows would create an incredibly slow and cumbersome process for decisions and would mitigate the autonomy and efficiency of a specialised body such as the DPA,” IAMAI said. The Bill requires sensitive and critical personal data to be stored in India but allows the transfer of sensitive personal data outside India under certain conditions. However, these conditions have to be approved by the Central Government and not just the Data Protection Authority as required in the earlier Bill.
- Algorithmic transparency and data portability impinge upon IP rights: “The Bill will impinge upon the IP rights of the companies as part of the new requirements on data portability and algorithmic transparency. These objectives can be achieved without compromising on trade secrets,” IAMAI said. The Bill requires companies to maintain transparency in processing personal data by including information on the fairness of the algorithm. Separately, the Bill also requires companies to ensure data portability for personal data. IAMAI is objecting to both these provisions.
- Teenagers will be excluded from the digital ecosystem because of the high age of consent: The Bill defines a “child” as a person who has not completed eighteen years of age, and data fiduciaries processing children’s data have a different set of obligations to follow, including getting consent from a parent or guardian before processing the child’s data. IAMAI raised concerns that this “will exclude an important demographic from the digital ecosystem, and will contradict most data regimes that create enabling provisions for 13-18 years.”
- Definition of harm creates immense room for inaccurate interpretations: Under the definition for “harm,” the Bill lists “psychological manipulation which impairs the autonomy of the individual.” This inclusion, “without sufficient understanding of what this would entail […] creates immense room for inaccurate interpretations of the law,” IAMAI noted.
- Hardware testing clause appears redundant: Referring to the new clause that requires testing of the integrity and trustworthiness of hardware and software on computing devices to prevent data breaches, IAMAI noted that “this needs to be discussed with the industry as the outcomes of such a mechanism are not clear given that data fiduciary is already legally accountable for complying with the law.”
- Higher burden on startups: IAMAI noted that the recommendations “may bring a much higher compliance burden on start-ups” and suggested that an expert group be set up to study the impact of these recommendations on start-ups.
- Inclusion of non-personal data: The new Bill encompasses non-personal data (NPD) and says that NPD should be covered by the Data Protection Act and by a single Data Protection Authority. This is contrary to the recommendations of the expert committee appointed by the IT Ministry to develop a framework for non-personal data governance, IAMAI noted.
“IAMAI is confident that the government will continue the transparent and consultative ethos under which the earlier draft bill was developed,” the association said.