The Joint Committee of Parliament's (JCP) report on the Personal Data Protection Bill, 2019 is not aligned with India's technology objectives for the next decade, industry body Internet and Mobile Association of India (IAMAI) said in a statement on Thursday. The JCP report was presented to Parliament in December, and among its suggestions are stricter data localization standards, an expansion of the scope to non-personal data, and new frameworks for software and hardware testing.
According to the IAMAI, the JCP suggestions substantially altered the bill's composition, transforming it from a personal data protection measure to a general data protection bill. This necessitates additional stakeholder discussions and impacts assessment reports prior to these suggestions being enshrined in law.
IAMAI believes that the proposals will have a detrimental effect on a cross-section of the technology industry, including large technology enterprises, technology services companies, and digital start-ups, which constitute the backbone of India's aspirations for tech leadership.
Additionally, IAMAI stated that the JCP's planned onerous data localization rules will increase business failure rates, create impediments to start-up growth, increase compliance expenses for businesses, and impede the social benefits of the digital economy. “It would also inevitably have a detrimental effect on Indian customers' capacity to access a truly global internet,” IAMAI stated.
The JCP's proposed additional requirement that the Data Protection Authority (DPA) consult with the Government of India (GOI) on all cross-border sensitive personal data transfers not only contradicts established global practises and undercuts the DPA's role but also subjects data flows to a cumbersome and inefficient process, the statement said.
Also, the industry body said that the proposed retrospective need to bring back data collected overseas creates major organisational and technical hurdles, all the more so because relevant organisations would be subject to laws that were not in effect at the time data was collected.
It stated that while JCP broadens the bill's reach to encompass non-personal data, it fails to account for the two bills' distinct value propositions. “This advice is also premature, given the report of the Expert Committee on non-personal data has not yet been approved.”
Additionally, the JCP proposes that the DPA establish a system for monitoring, testing, and certifying computing device hardware and software. “IAMAI asks the government to avoid from developing new standards in light of the well-established regulation that applies to devices marketed in India. Additionally, such a mandate would jeopardise India's capacity to attract international enterprises and investment,” it stated.
It also stated that existing laws and regulations adequately handle the requirements for hardware and software certifications, which should not be imposed under the PDP Bill.
IAMAI argued that the Government should reconsider its advice that intermediaries be treated as publishers under some cases. Social media intermediaries continue to be protected by safe harbour laws and are not regulated as publishers, despite the fact that their “capacity” to control content is based on a legal requirement. Such a clause might have a significant impact on how social media platforms are used, on free expression, and on innovation. Additionally, it poses a risk to the digital ecosystem, especially given that it is unrelated to data protection.
IAMAI also expressed reservations about the proposed introduction of an 18-year-old age restriction on certain services. “Such a prohibition would remove a sizable demographic from the digital ecosystem and would contravene the majority of data regimes, which include enabling provisions for adolescents aged 13 to 18. The government should implement a risk-based strategy for children's consent age that is graded and commensurate to the type and nature of services offered,” the report stated.
Setting a blanket consent age of 18 years will violate the notion of ‘the kid's best interest' in a digital world, as it will create hurdles for a youngster to access educational and recreational opportunities available on the internet.
The group requested the government to reconsider the JCP's ‘transparency' mandate. “It is very broad and may encroach upon the data fiduciaries' intellectual property rights. It may be harmful to data fiduciaries if they are mandated to publicly disclose their algorithms and other proprietary information, without adequate safeguards.”