India Might Scrap Data Protection Bill and Introduce Fresh Legislation: Report

India may scrap the current version of the Personal Data Protection Bill 2019 and introduce a fresh privacy bill to comprehensively address the requirements of the country's changing technology landscape, sources told The Economic Times.

The Personal Data Protection Bill, 2019, was referred to a Joint Parliamentary Committee (JPC) which submitted its report in December 2021 with a new draft bill to Parliament. This bill is seen by some as potentially detrimental to the India's technology and startup ecosystem.

"Since it's a JCP draft Bill, the government can only tweak the clauses to some extent but the provisions cannot be changed completely… A better option is to bring a new Bill altogether which is aligned with the current times," an official told the publication.

The latest version of the data protection bill and the JPC recommendations could pose significant challenges to foreign companies and Indian startups alike. Among other things, It proposes strict rules around cross-border transfer and storage of data, and allows for the establishment of a Data Protection Authority (DPA).

"The envisaged structure of the DPA is very bureaucratic. The compliance requirements from the industry as per this draft Bill will completely cripple it," an official told ET.

The JCP has also recommended that the government play a consultative role with the DPA in approving the cross-border transfer of certain data.

Kazim Rizvi, director of The Dialogue, thinks that this will be "barrier for entering bilateral or multilateral arrangements for cross-border data flow" and will "hamper ease of doing business."

He quoted a study that showed that strict cross-border data flow restrictions might limit the ability of Indian startups to access cost-effective technology and storage solutions, like cloud services provided by foreign players.

"Some countries, such as India, are considering or have passed legislation implementing data protection requirements or requiring local storage and processing of data or similar requirements that could increase the cost and complexity of delivering our services," it said.

There are also concerns about the protection of data since the government has sought exemptions for itself when it comes to privacy.

"It is also likely that our laws would prove to be held inadequate by the EU while evaluating India as a jurisdiction for free flow of data," says Rizvi.

"While a much-needed law, India's data protection bill needs radical improvements when it comes to independence of the data protection authority, enabling the free flow of data, and protections against government surveillance," says Udhbhav Tiwary, who handles tech policy at Mozilla.

Here are the points of note:

• The new bill allows for conditional cross-border transfer of 'sensitive personal data', while 'critical personal data' (yet to be defined) cannot leave the country except in very limited circumstances.

• It also allows for broad exemptions for the government from the provisions of the bill.

• The JPC recommended that the central government formulate a comprehensive data localisation policy and ensure that a mirror copy of the sensitive and critical personal data stored abroad is brought back to India.

• It also asked the government to play a consultative role with the proposed Data Protection Authority (DPA) in approving the cross-border transfer of sensitive personal data through a contract or an intra-group scheme.

• The JPC recommended stringent measures for limiting data collection from people below 18. Companies might be barred from profiling, tracking, behaviourally monitoring children and their data.

• According to the committee, social media platforms should be accountable for the content they host from unverified accounts.

• It has also recommended that non-personal data be within the scope of the new bill. However, there are a lot of unanswered questions here, since such a move is unprecedented.

(With inputs from The Economic Times.)