The Personal Data Protection Bill, 2019 (PDP) was introduced to safeguard personal digital data of users. However, it faced criticism regarding certain provisions in its text. The updated 2021 version presented by the Joint Parliamentary Commission (JPC) changed the bill significantly, also prompting debate and criticism. This is an outline with references to some of the key concerns.
According to the bill, Personal Data is defined as data about or relating to a:
Natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such a natural person.
Whether online or offline.
Any combination of such features with any other information.
Shall include any inference drawn from such data for the purpose of profiling.
The text of the updated draft continues to have some specific areas which are of concern. A short list is provided below for reference:
- Age of consent for digital services is 18 years. This restriction limits the amount of services available for those under 18 years of age. There is also a concern of privacy, since users have to be age verified. This locks children out of essential services and can result in parents preventing children from accessing the internet.
- The Central Government can exempt itself from the rules. The exceptions are incredibly broad and vague, undermining the purpose of the bill and the civil rights that the bill espouses.
- Companies should be required to provide details of algorithms and methods of processing used.*
- Cross border data transfers need to be approved by the Data Protection Authority (DPA). The Committee suggests that the government should also require entities to bring back a mirror copy of sensitive personal data and critical personal data that is already stored abroad, to India. This amounts to retrospective application of the law, which is extremely onerous and difficult for foreign entities to comply with. It also greatly increases the localization burden on foreign companies and will increase compliance costs manifold.
- Social Media Platforms are considered as content publishers, making them responsible for uploaded user content. This encourages proactive censorship, where user content has to be granted permission before being allowed.
- The USTR (United States Trade Representative) claims that the bill is problematic for IP laws and IP protection and claims that it doesn’t do enough to protect them.
- Certification for hardware and software products is required to ensure they comply with new domestic standards of data privacy. This puts an additional cost on businesses to ensure compliance.
Given these issues in the current draft, how do you think the data protection bill will impact innovation, investment and the costs of doing business? Will the data protection bill become another item in the compliance checklist? Engaging with this draft and sharing feedback with policymakers can help with future iterations of the bill.
PDP Bill: IAMAI Opposes 18 As The Age Of Consent; Calls For A Risk-Based Approach: Inc 42, Apr 20 2022
Personal Data Protection Bill: Overbroad Exemptions on Data Processing Dilute Govt’s Own Cause: News 18, Dec 16 2021
Data Protection Bill: Financial Data, Non-Personal Data And Algorithmic Transparency Should Be Regulated Separately #NAMA: Medianama Jan 24 2022
Cross-border transfers and data localisation under the Data Protection Bill, 2021
: Mint Mar 23 2022
Deep Dive: How India’s Data Protection Bill Impacts Social Media Platforms: Medianama Mar 5 2022
USTR: India’s Data Protection Bill Can Threaten Innovation & Economic Growth: Inc 42 Apr 29 2022
Regulatory Simplicity: Data Protection Bill may see key changes: Financial Express Feb 21 2022
{{ gettext('Login to leave a comment') }}
{{ gettext('Post a comment…') }}{{ errorMsg }}
{{ gettext('No comments posted yet') }}