Significant controls and exemptions to the government under the proposed Digital Personal Data Protection bill 2022 are likely to make it harder for companies to invest in data centres and data processing activities in India, according to global technology industry body ITI.
The Ministry of Electronics and IT has floated draft Digital Personal Data Protection (DPDP) Bill 2022 and has invited comments on the same till January 2. “The Bill grants significant controls to the executive arm of GOI (Government of India) and delegates much of the detailed rulemaking authority to separate, as yet undefined processes. GOI is also afforded a broad exemption from the Bill’s application, which could make it harder for companies to invest in data centers and data processing activities in India,” ITI said in its submission.
ITI represents global technology majors such Google, Microsoft, Meta, Twitter, Apple etc. The draft DPDP has exempted government-notified data fiduciaries from several compliance burdens such as provisions dealing with informing an individual about the purpose for data collection, collection of children’s data, risk assessment around public order, appointment of data auditor, etc. The bill proposes to exempt government notified data fiduciaries from sharing details of data processing with the data owners under the “Right to Information about personal data”.
The minister of state for electronics and IT Rajeev Chandrasekhar has said that the exemptions for the government will be only in special circumstances like maintaining public order, emergency, pandemic, national security etc. The industry body, however, has supported the bill on various points such as permission to store data outside India, delineation of roles and responsibilities of entities that determine the purposes and means of the processing of personal data (Data Fiduciary), and entities that process personal data solely under direction and contract (Data Processor) etc.
“The Digital Personal Data Protection Bill represents the cornerstone of India’s broader digital ecosystem. ITI considers this an important moment for India to demonstrate global leadership in developing robust and consistent data protection standards that enable innovation and facilitate cross-border trade,” ITI India Country Director Kumar Deep said on Monday evening. ITI has suggested the government to remove the concept of a “consent manager” or “consent manager platform” as it is unclear the way in which Data Fiduciaries, consent managers, and Data Principals, should interact with each other.
The industry body said that data breach notification rules are currently too broad, requiring each and every data breach to be notified to both the data protection board (DPB) and each affected Data Principal. It has recommended that only those breaches that are likely to have a material impact on the rights of the affected citizen should be reported to the board. The DPB is proposed to work and execute provisions of the bill. It will also have power to penalise Data Fiduciaries, Data Principals etc.
In case of protection of children’s data, ITI wants the government to reconsider imposing blanket prohibitions on tracking, behavioral monitoring and targeted advertising, and confine restrictions only to instances of data processing of children that can manifestly cause significant harm.
“Even where well-intentioned, such blanket restrictions can potentially deprive children and young persons from reaching useful content and prevent companies that provide services to children from blocking inappropriate advertising or harmful content. For instance, such prohibition can impede the availability of content related to mental health support services to young persons in need,” ITI said.