The Joint Committee on Personal Data Protection Bill, 2019, headed by BJP MP PP Chaudhary, tabled its report in Parliament on Thursday.
The committee has recommended widening the scope of the proposed data protection legislation to include both personal and non-personal data and sought greater accountability for social media platforms by treating them as publishers.
New Delhi:
IT industry body Nasscom on Thursday said a parliamentary panel’s recommendations to expand the scope of the data protection bill to cover non-personal data needs careful analysis and deeper debate.
The Joint Committee on Personal Data Protection Bill, 2019, headed by BJP MP PP Chaudhary, tabled its report in Parliament on Thursday.
The committee has recommended widening the scope of the proposed data protection legislation to include both personal and non-personal data and sought greater accountability for social media platforms by treating them as publishers.
Nasscom President Debjani Ghosh said a robust data protection law is critical to safeguard the privacy of Indian citizens, while driving the country’s success in the digital economy.
”While the JPC has retained much of what was positive with the 2019 Bill, and accepted many more recommendations from the industry, certain areas will require further deliberation — particularly the expansion of the scope to cover non-personal data,” she added.
Ghosh stated that Nasscom will continue to work with the government towards passing a law that ”brings regulatory certainty and delivers on our collective duty to protect India’s personal data”.
The key highlights of the report include widening the scope of the draft legislation to also cover non-personal data, tighter regulation for social media platforms and the establishment of a statutory media regulatory authority, according to a release by the Lok Sabha Secretariat.
The panel has also favoured a framework to regulate hardware manufacturers, who also collect data along with the software. It has favoured a mechanism for certification of all digital and Internet of Things (IoT) devices.
The suggestions made by the panel are not binding. The parliamentary committee has further recommended that an approximate period of 24 months be given for the implementation of provisions of the legislation.
Nasscom-Data Security Council of India (DSCI) said they expect these recommendations to be widely debated and discussed so that India continues to enable cross-border data flows without undue restrictions, provides an effective safe harbour regime for intermediaries and ensures a globally competitive market ecosystem for fintech and the financial sector in general.
”The proposal in the report to have the Bill apply to ‘non-personal data’ and having a ‘single regulator’ for both personal and non-personal data needs careful analysis and deeper debate. ”This is required as the imperatives for a policy on non-personal data are to enable data driven innovation and unlock economic value,” Nasscom said.
It added that these imperatives arguably require a different regulatory approach than that are needed for regulating personal data processing, where the focus is primarily on protecting privacy and preventing harms arising from the abuse of personal data.
Nasscom stated that given the enormity of these imperatives, it is important to first operationalise the Bill’s original mandate well, that is the processing and protection of personal data. The government has another committee specifically to examine non-personal data, and any legislative decision should ideally follow the policy discussions, Nasscom noted.
The apex industry body said the positives in the report are the highlighting of the imperatives to ensure the independence and accountability of government bodies and the authority, recommending implementation of the law in a phased manner, and to suggest innovation-friendly measures, such as the inclusion of start-ups in the regulatory sandbox.
Nasscom highlighted that India’s IT and Business Process Management (BPM) industry’s annual exports to over 100 countries stand at USD 150 billion, and emphasised that providing strong privacy safeguards and establishing grounds for the country is important to engage with the world on data adequacy from a robust position.
”The need to exempt the processing of foreign data in India from certain conditions, the retention of broad powers to exempt stage agencies without sufficient checks and balances, and an emphasis on treating processing by the State and the private sector equally should be viewed in this context,” it added.
Nasscom said it is hopeful that the discussions in Parliament will further strengthen the Bill, and the legislative process will provide the nation with a law that the rest of the world can look towards as a leading example. Kirti Mahapatra, partner at Shardul Amarchand Mangaldas & Co, said the detailed report is indicative of the significant effort the committee has put in to conclude and finalise its findings and recommendations.
”…we look forward to studying the report in more detail. We also look forward to the progression of the Parliamentary process of bringing about comprehensive data protection law for India. ”To this end, we will also look forward to the modifications the Government may make to the Bill based on the recommendations in the Report,”Mahapatra added.
Gaurav Shukla, partner at Deloitte India, said the committee has recommended a phased approach to implement the provisions of the legislation that give both data fiduciaries and processors the time to lay out a strong strategy and implement it.
The timing is also appropriate as organisations are ready to enter the new calendar year,
Shukla said. Internet Freedom Foundation (IFF), in a series of tweets, said the report ”further undermines the objectives of the Bill by placing economic & state security interests on the same footing as informational privacy”.
The Personal Data Protection Bill, 2019 had been intensely critiqued for providing large exemptions to the government from compliance under the law.