New Delhi: Internet and Mobile Association of India (IAMAI) in a statement released today has said that the recent Joint Parliamentary Committee’s (JPC) report on the Personal Data Protection Bill 2019 is out of sync with India taking the leadership position in the Techade. The JPC report was submitted to Parliament on 16 December 2021. The association is of the view that the Recommendations are likely to negatively impact a cross-section of tech industry segments such as large tech companies, tech services companies as well as digital start-ups who form the backbone of India’s tech leadership aspirations.
The association in its communication with the Government has raised the following critical concerns:
Hard data localization norms: The JPC has recommended stringent data localization requirements, which will lead to difficulties in compliance and will be harmful to global and domestic companies alike. Placing restrictions on cross-border flows may lead to higher business failure rates, create barriers to the growth of start-ups, increase costs of compliance for companies and slow down socioeconomic benefits reaped from the digital economy. It will also inevitably have a drastic negative impact on the ability of Indian consumers to access a truly global internet. The additional requirement, suggested by the JPC, tasking the Data Protection Authority (DPA) to consult the Government of India (GOI) on all cross border sensitive personal data transfers not only contradicts established global practices and undermines the role of the DPA, but also subjects data flows to a cumbersome and inefficient process.
Additionally, the suggested retrospectively applicable requirement to bring back data taken abroad poses significant operational and technical challenges, especially since relevant businesses would be subject to policies that were not enforced at the time of data collection.
Inclusion of Non-personal Data: Changes recommended by the JPC expand the scope of the bill to include non-personal data along with personal ones. However, the recommendation fails to account for the differing value propositions offered by the two. This recommendation is also premature as the Expert Committee report on non-personal data is yet to be finalized.
Hardware and Software Testing: The JPC recommends that the DPA should create a framework to monitor, test, and certify hardware and software for computing devices. IAMAI urges the government to refrain from developing new standards as there is a time-tested regime, to which devices sold in India are subjected to. Moreover, such a requirement will hamper India’s ability to attract global businesses and investments. The existing rules and regulations are sufficient to address the hardware and software certifications requirements, which should not be implemented under the PDP Bill.
Intermediaries as Publishers: IAMAI feels that the Government should also reconsider the recommendation to treat intermediaries as publishers under certain circumstances. Social media intermediaries continue to have safe harbor provisions and are not regulated as publishers, based on their “ability” to control the content, given that this ability stems from a legal obligation. Such a provision may have drastic impacts on the use of social platforms, free speech, and creativity. It also poses a risk to the digital ecosystem, particularly considering that it is not associated with data protection.
Age Restriction: IAMAI is concerned about the proposed imposition of age restrictions of 18 years on certain services. Such a bar will exclude an important demographic from the digital ecosystem and will contradict most data regimes, which create enabling provisions for the youth aged between 13 and 18 years. The government should bring in a graded and proportionate risk-based approach for children’s age of consent, depending on the kind and nature of services provided. The rigid approach of setting 18 years as the blanket age of consent will be against the principle of ‘the best interest of the child’ in a digital world, as it will create barriers for a child to attain educational and recreational fulfillment available on the internet.
Transparency Requirements: The Government should also review the ‘transparency’ requirement suggested by the JPC.It is very broad and may encroach upon the data fiduciaries’ intellectual property rights. It may be harmful to data fiduciaries if they are mandated to publicly disclose their algorithms and other proprietary information, without adequate safeguards.
The association is of the view that collectively the JPC recommendations have fundamentally altered the structure of the bill from that of a personal data protection bill to a generic data protection bill. This in itself calls for wider stakeholder consultations and impact assessment reports before these recommendations are hardcoded into law.
