On Thursday, the IT industry’s apex body Nasscom and the Data Security Council of India (DSCI) welcomed the revised data protection bill 2019, saying a robust data protection law is critical to safeguard the privacy of Indian citizens while driving India’s success in the digital economy.
The joint parliamentary committee (JPC) has released a reworked version of the 2019 Bill, now called the “Data Protection Act of 2021” (2021 Bill).
“While the JPC has retained much of what was positive with the 2019 Bill, and accepted many more recommendations from the industry, certain areas will require further deliberation – particularly the expansion of the scope to cover non-personal data,” Nasscom President Debjani Ghosh said.
“Nasscom will continue to work with the government towards passing a law that brings regulatory certainty and delivers on our collective duty to protect India’s personal data,” she added.
The JPC has made certain significant recommendations that apparently go beyond the scope of the proposed data protection law, including those around stringent data localization policies, social media intermediaries, and financial systems.
NASSCOM-DSCI expects these to be widely debated and discussed so that India continues to enable cross-border data flows without undue restrictions, provide an effective ‘Safe Harbour’ regime for intermediaries and ensure a globally competitive market ecosystem for FinTech and the financial sector in general.
The proposal in the report to have the Bill apply to “non-personal data” and having a “single regulator” for both personal and non-personal data needs careful analysis and deeper debate, Nasscom said.
“This is required as the imperatives for a policy on non-personal data are to enable data driven innovation and unlock economic value. These imperatives arguably require a different regulatory approach than that needed for regulating personal data processing, where the focus is primarily on protecting privacy and preventing harms arising from the abuse of personal data,” it elaborated.
India’s Information Technology (IT) and Business Process Management (BPM) industry’s annual exports to over 100 countries stand at $150 billion.
“The need to exempt the processing of foreign data in India from certain conditions, the retention of broad powers to exempt stage agencies without sufficient checks and balances, and an emphasis on treating processing by the state and the private sector equally should be viewed in this context,” said Nasscom.
Gaurav Shukla, Partner, Deloitte India, said the committee had recommended a phased approach to implement the provisions of the Data Protection Act.
“This gives both data fiduciaries and processors the time to lay out a strong strategy and implement it. The timing is also appropriate as organisations are ready to enter the new calendar year. The recommendations of the Committee are also expansive as it brings in social media platforms and recommends bringing in regulation around IoT devices,” he said.