Uncertain about their future and the ramifications for their businesses, the country’s e-commerce and technology industries want the Personal Data Protection Bill to take into account their fears and business models.
According to several industry insiders, there exists several ambiguities in the current draft of the Bill. Clarity is required on classification of data and consent requirements.
The first draft was released last year and underwent a rigorous consultation process, under which the ministry of electronics and information technology received over 600 responses. However, it did not make them public. The data protection law, once passed, will apply across industries, and not just Internet or technology firms. “We look forward to reviewing the full text of the Bill, and are hopeful that the Centre will support Indian businesses’ ability to collaborate with US partners and reduce e- barriers that would compound investment uncertainty,” said Kumar Deep, country manager, India Information Technology Industry Council.
The biggest fear many of the e-commerce firms have is the possible requirement to change business models overnight, which would drastically increase costs as well as disrupt businesses. E-commerce firms bore the brunt of overnight changes when the government changed the foreign direct investment rules earlier this year. “When the new FDI norms in e-commerce kicked in, we had to change a lot of our processes. We just hope the Centre understands our business models and gives us time to put our point across as well,” said a senior public policy advocate.
According to industry experts, the Bill creates a need for the data fiduciary to repeatedly obtain consent from the data principal for every step of the processing activity.
“The problem gets aggravated when data collection and processing are done by different agencies, in which case, each fiduciary will have to take consent at every step of the operation. Such ambiguities lead to unnecessary compliance burden on companies and hinders the ease of doing business,” said Salman Waris, managing partner at TechLegis Advocates & Solicitors, a law firm.
Another issue that the industry has sought clarity on is the Bill talking of consent and explicit content.
While adverse data localisation norms around storing and more importantly processing data could affect a host of ecommerce firms, some of them believe that strong data protection norms would help in increasing transparency.
Another contentious issue has been the role of the data protection authority. “The Bill also talks about establishment of the Data Protection Authority of India. Organisations would want to understand the clear roles of the authority and how it impacts them,” said Jaspreet Singh, Partner – Cyber Security, EY.