NASSCOM and DSCI welcome the advancement of deliberations on a holistic Data Protection Framework for India with the release of a report on the Personal Data Protection Bill, 2019 by the joint parliamentary committee (JPC). We appreciate the effort by the JPC to also release a reworked version of the 2019 Bill, which the JPC has now called the “Data Protection Act of 2021” (2021 Bill).
Commenting on the revised Bill proposed by the JPC, Debjani Ghosh, President, NASSCOM stated, “A robust data protection law is critical to safeguard the privacy of Indian citizens while driving India’s success in the digital economy. While the JPC has retained much of what was positive with the 2019 Bill, and accepted many more recommendations from the industry, certain areas will require further deliberation – particularly the expansion of the scope to cover non-personal data. NASSCOM will continue to work with the Government towards passing a law that brings regulatory certainty and delivers on our collective duty to protect India’s personal data”.
The JPC has made certain significant recommendations that apparently go beyond the scope of the proposed data protection law, including those around stringent data localisation policies, social media intermediaries and financial systems. NASSCOM-DSCI expects these to be widely debated and discussed so that India continues to enable cross-border data flows without undue restrictions, provide an effective safe Harbour regime for intermediaries and ensure a globally competitive market ecosystem for FinTech and the financial sector in general.
The proposal in the report to have the Bill apply to “non-personal data” and having a “single regulator” for both personal and non-personal data needs careful analysis and deeper debate. This is required as the imperatives for a policy on non-personal data are to enable data driven innovation and unlock economic value. These imperatives arguably require a different regulatory approach than that needed for regulating personal data processing, where the focus is primarily on protecting privacy and preventing harms arising from the abuse of personal data. Given the enormity of these imperatives it is important to first operationalise the Bill’s original mandate well, that is, the processing and protection of personal data. The Government has another committee specifically to examine non-personal data, and any legislative decision should ideally follow the policy discussions.
Amongst the positives in the report are the highlighting of the imperatives to ensure the independence and accountability of government bodies and the Authority, to recommend the implementation of the law in a phased manner, and to suggest innovation-friendly measures, such as the inclusion of start-ups in the regulatory sandbox. We welcome these as key steps forward.
India’s Information Technology (IT) and Business Process Management (BPM) industry’s annual exports to over 100 countries stand at $150 billion. Given this, NASSCOM-DSCI reiterates the importance of providing strong privacy safeguards and establishing grounds for India to engage with the world on data adequacy from a robust position. The need to exempt the processing of foreign data in India from certain conditions, the retention of broad powers to exempt stage agencies without sufficient checks and balances, and an emphasis on treating processing by the State and the private sector equally should be viewed in this context.
It is hoped that the discussions in Parliament will further strengthen the Bill, and the legislative process will provide the nation with a law that the rest of the world can look towards as a leading example.