“Prima facie it appears that the draft, which was presented in 2019 after extensive consultations, has fundamentally changed, including the title of the draft law from the law on the protection of personal data to the law on data protection. Certain other deviations, such as the recommendations that social media intermediaries might become publishers in certain circumstances, and some aspects of data localization norms, change the original structure of the bill significantly, ”the Internet and Mobile Association of India (IAMAI) he said in his statement on the report of the Joint Parliamentary Committee on the Personal Data Protection Act, 2019.
Read MediaNama’s guide to the Data Protection Act 2021
What concerns does IAMAI have about the new bill?
- Obtaining permissions for cross-border data flows will be incredibly tedious: “Requiring the DPA to consult the central government before approving or making decisions on cross-border data flows would create an incredibly slow and cumbersome decision-making process and reduce the autonomy and efficiency of a specialized body like the DPA,” IAMAI said. The bill requires that sensitive and critical personal data be stored in India, but allows sensitive personal data to be transferred outside of India under certain conditions. However, these terms need to be approved by the central government and not just the Data Protection Authority as required in the previous bill.
- Algorithmic transparency and data portability affect intellectual property rights: “As part of the new requirements for data portability and algorithmic transparency, the draft law will interfere with the IP rights of companies. These goals can be achieved without compromising trade secrets, ”said IAMAI. The draft law requires companies to maintain transparency in the processing of personal data by including information about the fairness of the algorithm. Independently of this, the draft law also requires that companies ensure data portability for personal data. IAMAI contradicts both of these provisions.
- Due to the high age of consent, young people are excluded from the digital ecosystem: The bill defines a “child” as someone under the age of 18, and data trustees who process children’s data have other responsibilities, including obtaining consent from a parent or guardian, before processing the child’s data . IAMAI expressed concerns that this will “exclude an important population group from the digital ecosystem and contradict most data systems that create conducive regulations for 13-18 years”.
- The definition of damage creates immense leeway for imprecise interpretations: Under the definition of “harm”, the draft law lists “psychological manipulations that impair the autonomy of the individual”. This inclusion, “without a sufficient understanding of what that would mean” […] creates immense leeway for imprecise interpretations of the law, ”noted IAMAI.
- Hardware test clause appears superfluous: Regarding the new clause requiring testing of the integrity and trustworthiness of hardware and software on computing devices to prevent data breaches, IAMAI stated that “this needs to be discussed with the industry as the results of such a mechanism are not clear are because data “Trustee is already legally responsible for compliance with the law.”
- Higher burden on startups: IAMAI found that the recommendations “can create a much higher compliance burden for startups” and suggested setting up a group of experts to examine the impact of these recommendations on startups.
- Inclusion of non-personal data: The new bill covers Non-Personally Identifiable Information (NPD) and says that NPD should be covered by the Data Protection Act and by a single data protection authority. This contradicts the recommendations of the expert committee set up by the IT ministry to develop a framework for the management of non-personal data, stated IAMAI.
“IAMAI is confident that the government will continue the transparent and consultative ethos under which the previous bill was developed,” the association said.
Subscribe to MediaNama for access to our ongoing billing coverage. Here’s everything we planned around the report: