The Joint Committee of Parliament (JCP) in its report on the Personal Data Protection Bill (2019) has sought the establishment of a single regulatory authority to oversee both personal and non-personal data and recommended that the centre, in consultation with sectoral regulators, prepare an extensive policy on data localisation. It also allows for broad exemptions to the government from the provisions of the bill, as it paves the way for a landmark legislation that can change the way internet and technology firms do business in India.
The JCP has suggested an approximate period of 24 months for implementation of the provisions so that companies and government departments have enough time to make the necessary changes to their policies, infrastructure and processes.
The proposed bill, which began as a way to protect personal data of Indians on the internet, has over time expanded to regulate other aspects of the digital and data ecosystem.
“While the JCP has retained much of what was positive with the 2019 Bill, and accepted many more recommendations from the industry, certain areas will require further deliberation – particularly the expansion of the scope to cover non-personal data,” said Debjani Ghosh, president of industry lobby Nasscom.
The Bill’s application to non-personal data and having a single regulator for both personal and non-personal data needs careful analysis and deeper debate, the industry grouping said.
Experts studying the impact of the provisions expressed concern over the composition of the data protection authority (DPA), which is slated to have a majority of either government-appointed members or government-recommended experts. The DPA will also have India’s Attorney General as a member.
Terming the JCP report “an important step ahead for the legislation of a data protection law in India,” Apar Gupta, Executive Director at Internet Freedom Foundation, said there are “underlying concerns with respect to the independence of the regulator which is the Data Protection Authority (DPA), and large exemptions to the government departments which remain till date.”
Right to Privacy
The proposal for a comprehensive data protection regime came about after the Supreme Court of India declared that privacy is a fundamental right in 2017 and directed the government to come up with adequate regulations.
Nasscom said it expects the recommendations of the committee to be widely debated and discussed so that India continues to enable cross-border data flows without undue restrictions, provide an effective safe harbour regime for intermediaries and ensure a globally competitive market ecosystem for fintech and the financial sector in general. The JCP in its report has called for certification of all digital and IoT devices, which industry watchers estimate could increase compliance costs. “Considering that the data protection law will be one of the key legislations to drive the economy of the future, the government needs to tread carefully on the issues (such as) regulation of non-personal data under the same legislation,” said Rajat Prakash, Managing Partner, Athena Legal.
“Any over-regulation or any actions contrary to global norms could impact the future of the digital economy,” he added.
A spokesperson for e-commerce giant Amazon said that with the advent of the PDP Bill, India has an opportunity to shape a regulatory regime that creates a data secure environment without compromising job growth and creation.
Media regulation
The committee has also said there is a need for the establishment of a “statutory body for media regulation” while terming existing media regulators as “not appropriately equipped” to regulate those platforms that use modern methods of communication such as social media platforms or the internet at large.
Nikhil Narendran, a partner in law firm Trilegal, was of the view that while “there are no surprises in the bill, giving the government an exception is the only serious issue in the bill.”
“Due to this provision India may not get ‘adequacy’ status from the European Union, which will in turn restrict data flows to India, and affect the competitiveness of the outsourcing industry in the long run,” he added.
An adequacy decision permits a cross-border data transfer outside the European Union or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority.
“On data flows, the committee has retained the provisions as they were in the 2019 Bill, which may make it difficult for the new Bill to achieve adequacy status, a critical component for India to enter into bilateral or multilateral treaties for data transfer,” said Kazim Rizvi, Founding Director, The Dialogue.
Legal experts are in agreement that it is time for India to have a comprehensive data protection regime. Kirti Mahapatra, Partner at Shardul Amarchand Mangaldas & Co, said the firm looks forward to the “progression of the Parliamentary process of bringing about comprehensive data protection law for India.”