Pointing out that the Bill is very different from the first Draft under the Justice B N Srikrishna committee, experts called the exemptions to government departments “overarching”. The first Draft, which was submitted to the government earlier, had disallowed processing of personal data in the interest of state security “unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved”.
Apar Gupta, executive director at Internet Freedom Foundation, argued that the current Bill doesn’t deal with any kind of surveillance reform, which could include CCTV monitoring, social media monitoring, etc.
“It is not at all contemplated considering consent is a precondition to personal data collection,” Gupta said.
Digital commerce firms fear a major impact on business if the draft Data Protection Bill is passed in the current form. They fear plenty of hurdles in not only their day-to-day operations but also vis-à-vis their business models.
This could even hit the investment cycles for the coming year, according to industry representatives. “This is going to impact the way we work and our business models. This is a myopic way of looking at data protection. … Changing the way we work almost on a yearly basis is next to impossible. Spends on processing and handling data would sky-rocket. Many companies including ours would have to rethink investment plans,” said a senior vice president of a multinational digital commerce firm.
Analysts believe the Bill, in this form, can be a major hindrance to the idea of ease of doing business. “The bill creates a need for the data fiduciary (firm/individual) to obtain certification of the privacy by design policy from the Data Protection Authority. Such provisions lead to unnecessary compliance burden on companies and hinder the ease of doing business, which is much needed to boost the IT sector in the present economic climate,” said Salman Waris, managing partner at TechLegis Advocates & Solicitors, a law firm.
According to Waris, the provisions relating to processing data outside the country require multiple consents and approvals both from individual data principals and the government. It cannot be undertaken unless prior approval of the central government is obtained in advance, making the process cumbersome.
An executive at a large US-based technology firm, who did not wish to be named, also pointed out that the requirement for businesses to share non-personal data with the government when asked for would be a thorny issue.
The Bill says that the Central Government can, in consultation with the Data Protection Authority, direct any "data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed".
Legal expert Amber Sinha said more clarity would be required on the issue of non-personal data. In the current form, it is possible it could clash or be complicated by intellectual property laws, trade secrets, and database rights. “Essentially what we see in the Bill is that the Indian State sees data essential to its national and geopolitical ambitions and it wants to leverage the data that is available in the country for various purposes,” Sinha added.
While there has been some relaxation on the kind of personal data that can be processed outside the country, the provision got a mixed response from industry and experts.
“Depending on the nature of the data being collected, the Bill sets out rules as to where the data can be processed and stored and requires sensitive data to be stored in India while permitting such data to be processed outside India with the explicit consent of the user,” Atul Pandey, Partner at Khaitan & Co, has observed. The push for data localisation stems from the recent privacy concerns surrounding WhatsApp, and the desire of the government to suitably monetise the vast amounts of data being collected in India, according to Pandey. However, such data localisation measures will act as a substantial financial constraint for companies considering that fresh infrastructure will be required to be set up in India, he said. “Additionally, the government will also be wary of possible reciprocal actions being undertaken by other countries, considering that companies based out of such countries will have to abide by data localisation laws in India.”
An expert on the Indian information technology services industry said the Bill's provisions were adequate for IT services firms like Infosys, Wipro and so on.
The fine print
The draft Bill bars storing and processing of personal data by entities without the explicit consent of an individual
Exemptions for "reasonable purposes" such as prevention and detection of any unlawful activity including fraud, whistle-blowing, mergers and acquisitions, credit scoring, and recovery of debt
Bans processing of certain forms of biometric data unless permitted by law
Central government can frame policy for the digital economy with respect to non-personal data
Bill entails setting up of an authority for protecting personal data and prescribes stiff penalties for violations
Social media burden
Exceptions made for government use of data, verification of social media users, and the forced transfer of non-personal data represent significant threats to privacy, analysts have said. “If Indians are to be truly protected, Parliament must review and address these dangerous provisions before they become law,” said Udbhav Tiwari, public policy advisor at Mozilla.
The Bill has defined social media intermediaries as entities primarily or solely enabling online interaction between two or more users, while allowing them to create, upload, share, disseminate, modify or access information using its services.
The Bill places an obligation on social media companies to enable the users who register their service from India, or use their services in India, to voluntarily verify their accounts in such manner as may be prescribed. Also, any user who voluntarily verifies his account shall be provided with a "demonstrable and visible mark of verification, which shall be visible to all users of the service".
An executive with a large social media firm, who did not wish to be named, said, "in addition to the large number of consent requirements for processing personal data, we will be burdened with additional user profiling requirements as well."