Companies misusing user data will face “punitive and financial” consequences once the proposed data protection law comes into effect, Rajeev Chandrashekhar, minister of state for information technology, said in a tweet on Tuesday.
Citing a New York Times news report on tech major Google’s $391.5-million privacy settlement in the US for allegedly misleading users into believing that they had turned off location tracking, Chandrashekhar said: “India’s #DigitalDataProtection bill will put a stop to this, & ensure that any platform or intermediary that does this will face punitive & financial consequences.” The draft (data protection) bill is ready to be released, said two industry insiders in the know, requesting anonymity.
Two people, also seeking anonymity, confirmed the development and said the bill should be released in a matter of days, maybe as early as Wednesday. However, there was no official confirmation of the release date.
The government withdrew the Personal Data Protection Bill, 2021 in August. The bill was introduced in Lok Sabha in December 2019. Subsequently, a joint parliamentary committee in a 16 December 2021 report tabled in the parliament, said that the law should bring both personal and non-personal data under its purview. The proposal, however, was vehemently opposed by a section of the industry.
According to the two officials cited above, the updated version of the bill will deal with personal data and leave out non-personal data. Additionally, it will also deal with digital data, that is, data obtained through digital means, such as apps and websites, they added.
A senior government official said the data protection bill is expected within this week and may relax some data localization, data storage and data processing norms. Furthermore, the provisions for compliance will be reduced, which in turn will help India’s booming startup ecosystem.
The bill is not likely to regulate devices or include provisions for testing and certification of hardware, he said seeking anonymity. Intermediaries currently regulated under the IT intermediary guidelines are also not likely to figure in the draft bill to make sure there are no regulatory overlaps.
Besides, the proposed bill will make it easier for companies to comply with the new guidelines on data protection, which is good news for India’s startup ecosystem.
In August, Chandrashekhar emphasized during a press briefing that the compliance burden on startups was one of the reasons for withdrawing the bill.
“Big tech firms would have just hired more lawyers to comply if there was a complicated privacy law. The burden of such legislation would hurt startups,” he had reasoned. However, it is not clear how far it will affect data localization rules proposed in the original version of the bill, where the government mandated all companies dealing with sensitive data of Indian users to keep a copy within its borders. Tech firms, including industry leaders, have opposed the localization rules.
“Many compliance issues were highlighted in the 2021 bill. Data localization was a factor, but not as much for small and medium businesses. It was a major concern for larger organizations. For SMEs, the compliance burden was primarily in terms of reporting and data retention — the amount of time mandated to retain a certain amount of customer data or metadata,” said technology and policy analyst Prasanto K. Roy.
The bill would have forced SMEs to “look at compliance in a way they had never done before”, he added. “It would have forced them to scramble for tech solutions to comply with the data protection law. Data processing was also an issue for large organizations. Later, non-personal data was also brought in. The biggest issue was the focus had shifted from data privacy law to data law. Data protection law was supposed to be the privacy law, but it didn’t happen.”
A person said there is speculation that the data protection bill may be a barebone version of the original draft and may not be as detailed as it was, as the government seeks to reserve the overall regulation of the digital ecosystem within India’s jurisdiction for the Digital India Act, which is also expected to be released in the coming months. An email query to a ministry of electronics and information technology spokesperson did not elicit a response till press time.
Abhijit Ahaskar contributed to this story.
Download The Mint News App to get Daily Market Updates & Live Business News.
