Industry representatives have raised concerns on certain recommendations of the parliamentary committee on data protection bill, including those around inclusion of non-personal data and expanded data localisation mandates, and said these will harm people's rights and impact businesses.
(Sign up to our Technology newsletter, Today's Cache, for insights on emerging themes at the intersection of technology, business and policy. Click here to subscribe for free.)
A parliamentary panel on Thursday recommended tougher norms to regulate social media platforms by holding them accountable for the content they host, while asserting that it is imperative to store data in India and restrict access to it by categorising it as sensitive and critical personal data.
It has also recommended widening the scope of proposed data protection legislation to include both personal and non-personal data with "a single administration and regulatory body".
Internet and Mobile Association of India (IAMAI) said its members are currently evaluating the report and "prima facie, it seems that the draft that was put out in 2019 after the widest possible consultations has changed fundamentally, including the title of the bill from Personal Data Protection Bill to Data Protection Bill".
"Certain other deviations such as the recommendations that social media intermediaries could become publishers in certain circumstances and a few aspects of data localisation norms change the original structure of the bill substantially," it added.
IAMAI noted that inclusion of non-personal data within the personal data protection bill is contrary to the recommendations of the expert committee appointed by MEITY to develop a framework for non-personal data governance.
"The requirement on DPA to consult the central government before issuing any approvals or decisions on cross-border data flows would create an incredibly slow and cumbersome process for decisions and would mitigate the autonomy and efficiency of a specialised body such as the DPA (Data Protection Authority)," it said.
Mozilla Corporation Public Policy Advisor Udbhav Tiwari said JPC's latest report raises many concerns that "will harm people's rights and will be bad for an open internet".
"Some of these include covering non-personal data, treating certain social media networks as publishers and expanded data localisation mandates. There remain certain key steps before the suggestions in the report become binding law," he added.
BSA-The Software Alliance also stated that several of the report’s recommendations remain concerning.
"We are particularly concerned by the recommendation to expand the Bill to regulate non-personal data (NPD). The goal of a personal data protection bill, protecting individuals’ privacy, is often at odds with the objective of the proposed NPD Governance Framework, which is to generate more value from data," it said.
Keeping these two efforts separate, establishing clear and distinct rules for personal data protection and non-personal data, is the best way to ensure neither objective is diluted, BSA noted.
"We are also concerned by the mandatory data localisation requirements and undue restrictions on cross-border data transfers, which are rigid obligations that will not only weaken privacy protections but also impede interoperability with emerging international norms and practices impacting India’s economic opportunities," it said.
BSA-The Software Alliance Country Manager (India) Venkatesh Krishnamoorthy said removing provisions on NPD, avoiding mandatory data localization, and promoting cross-border data transfers in the final bill will support the bill’s objectives which is to safeguard personal data and enhance privacy protections.
"Conversely, failing to do so will be detrimental to India’s digital revolution which needs to be built on strong privacy foundations," he said adding that these concerns need to be addressed to better protect the privacy of its citizens, increase economic opportunities and jobs across sectors, and accelerate the development of India as an innovation hub for emerging technologies.
IAMAI also raised its concerns on imposing age restrictions of 18 years on certain services that will exclude an important demographic from the digital ecosystem and "will contradict most data regimes that create enabling provisions for 13-18 years".
"In addition, the inclusion of ‘psychological manipulations which impairs the autonomy of any individual (without sufficient understanding of what this would entail) under the meaning of ‘harm’ creates immense room for inaccurate interpretations of the law," it further said.
IAMAI highlighted that the recommendations may bring a much higher compliance burden on startups, and suggested that an expert group should be set up to study the impact of these recommendations on startups. Besides, the bill will impinge upon the IP rights of the companies as part of the new requirements on data portability and algorithmic transparency.
These objectives can be achieved without compromising on trade secrets, it said.
"IAMAI is confident that the government will continue the transparent and consultative ethos under which the earlier draft bill was developed and urge further deliberations on the report," it added.