USIBC welcomes introduction of Personal Data Protection Bill in Lok Sabha, urge govt to focus on data privacy

Nisha Biswal, president of US India Business Council (USIBC) on Wednesday (local time) welcomed the introduction of Personal Data Protection Bill in the Indian Parliament and urged the government to remain focused on essential data privacy issues.

"The USIBC welcomes the Government of India's introduction of the Personal Data Protection Bill (PDPB) in Parliament this week and commends the government for its consultative process," Biswal said in a statement.

"Over the past several years, USIBC has worked closely with both government and industry leaders to support the development of a transparent, light-touch, and risk-based approach to data protection in India," the statement read.

The bill is very much in focus in this parliament session.

The government has proposed to send the draft Personal Data Protection Bill to a proposed Joint Parliamentary Committee for review after its introduction by Electronics and Information Technology Minister Ravi Shankar Prasad.

"Introduced the Personal Data Protection Bill in Lok Sabha today. This is historic legislation, which seeks to protect personal data and privacy of Indian citizens in the digital age," said Ravi Shankar Prasad, the Minister of Electronics and Information Technology, in a tweet.

Biswal, in a statement further stressed it is clear that the government and Prasad "recognise the importance of establishing a sound data protection framework, and we are encouraged to see a number of industry perspectives reflected in the revised PDPB."

"We note the requirements for data localisation have been relaxed, enabling access to the global processing and data analytics that sustain India's nearly $200 billion digital economies. A balanced approach to penalties is also a significant, constructive step. We look forward to additional opportunities to share specific additional technical points that could further improve the bill," she added.

However, Biswal said that the bill also contains several new provisions outside the core issue of data privacy that raise serious concerns for the private sector, particularly the inclusion of requirements around non-personal data and social media intermediary liabilities. These two issues are distinct from personal data issues and are complex in their own right, she said.

"Given the need for additional discussion, we urge the government to remain focused on essential data privacy issues and to take up these matters in existing policy efforts that already being done in parallel to the PDPB," she noted.

The USIBC also recommended that the bill be revised to provide ample time to establish a new Data Protection Authority (DPA) and strengthen the DPA's independence and effectiveness, as well as allow companies to transform business operations, develop new technologies, and innovate digital solutions.

"We remain committed to working closely with the government as the bill moves through the parliamentary process and commend the clear process outlined for the bill's introduction and passage next year. Meanwhile, we will continue to seek opportunities for industry, and India's leading trading partners, to share their views as the new policy takes shape," Biswal said.

The Bill seeks to provide for the protection of the individual in relation to personal data and to establish a Data Protection Authority of India.

Earlier introducing the bill, Prasad had said that India's digital economy is rising and data is sought to be divided into three categories.

It also provides for the protection of privacy of individuals relating to their personal data, specifies the flow and usage of personal data, creates a relationship of trust between persons and entities processing the personal data and protect the rights of individuals whose personal data are processed.

It also seeks to create a framework for organisational and technical measures in the processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing.