Commenting on the Personal Data Protection Bill, industry bodies National Association of Software and Services Companies (Nasscom) and Internet and Mobile Association of India (IAMAI) said non-personal data and lack of clarity around deciding significant data fiduciaries were among the main concerns of member companies.
Nasscom is the industry body representing the $180-billion information technology and business process management (IT-BPM) industry, while the IAMAI represents a host of digital and online businesses, including the India arms of Google, Facebook, Apple, and also e-commerce firms like Flipkart, Amazon, Uber and so on.
The Bill, referred to a Joint Special Committee on Wednesday, says that the central government, in consultation with the Data Protection Authority, can direct any data fiduciary or data processor to provide non-personal data to enable better targeting of delivery of services. The government can also ask data processors to provide data for formulation of evidence-based policies for its own use.
“This (asking for non-personal data as prescribed), along with the fact that insights derived from personal data is also considered as personal data, raises issues of undermining Intellectual Property Rights of businesses engaged in data services. Many data firms offer their services for free, with the data as the only intellectual asset for their businesses. Claiming this data would rob many such businesses of their critical asset,” said IAMAI.
It said that the government also offers many services in competition to private service providers, and this provision of the Bill risks creating a non-level playing field for private businesses.
Nasscom, which held a consultation with its members on Thursday, said the non-personal data provision had no safeguards for protecting IP rights, or other business-sensitive non-personal data.
On Thursday, responding to a question in the Rajya Sabha on what data sets constitute non-personal data, and whether the government would respect the protection to proprietorial data and commercial data as protected by the WTO and the Intellectual Property Rights, the minister of state for electronics and IT, Sanjay Dhotre, said these topics were being deliberated upon by a committee of experts set up under the chairmanship of Infosys co-founder Kris Gopalakrishnan.
IAMAI also said that the Bill mandates all businesses collecting personal data to have a ‘privacy by design’ policy in line with the requirements set out by the Data Protection Authority (DPA) and get a certification from the DPA in order to do business in India. The industry body said this could create a certification and licensing regime for businesses to operate in India, which may be impractical given that many online services may originate in other countries outside India.
“Such a provision risks isolating India, as service providers who do not get certification from DPA cannot offer their services here,” it said.
The Bill further says the DPA can classify a data fiduciary (a person, company, or entity who determines the purpose and means of processing of personal data) as a significant data fiduciary based on certain parameters.
“It needs to be made abundantly clear that these factors will be assessed cumulatively, instead of individually, by the DPA,” said Nasscom, while IAMAI pointed out that for service providers recognised as significant data fiduciary, any new technology or processing to be adopted has to be permitted by the DPA.
This, it said, would have a freezing effect on offering and adoption of new technologies in India.
Together, the provisions of certification and notifying significant data fiduciary could “create considerable restrictions for the tech start-up sector in India... Indian tech start-ups currently are in a race with the rest of the world in innovation, and a certification and licensing regime risks delaying service provision and may prove to be a major handicap,” said IAMAI.
Nasscom further asked for greater clarity on how much time the industry would be given to make the transition to the new data regime. “Upon enactment, the industry would need sufficient time to implement changes in their business models,” it said.
On the issue of consent manager, defined in the Bill as a data fiduciary that enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform, IAMAI said, “It is not clear whether the Bill suggests a centralised consent manager via which all service providers have to route their consent mechanism, or businesses are meant to offer individual consent managers of their own. Either way, the new provision involves considerable changes in functionality for businesses, and maybe another operational bottleneck for offering services in India.”
Both pointed out the over broad exceptions made for the central government, including the power to exclude any data processors or government agencies from the purview of the Bill. “While this was included in the earlier draft of the Bill as a miscellaneous provision, this has now been included under the Chapter on exemptions under the Bill. However, no material changes have been made to the text. The industry, in particular the IT-BPM and GCC (global contact centre) industries will need greater certainty on the scope and issuance of the exemption,” Nasscom said.