India’s proposed Personal Data Protection Bill — which would regulate how data of the country’s 1.3 billion people is stored, processed and transferred — could be on track for approval early next year.

Following the legislation’s introduction in Parliament last week, a Joint Select Committee of 20 members of Lok Sabha and 10 members from Rajya Sabha was formed. The committee will review the bill and submit a report with its findings to Parliament in January before the end of the 2020 budget session.

“While the PDPB undergoes deliberation and amendments based on the recommendations of the Joint Select Committee, organizations across India need to kick-start their journey for a privacy-ready future as this legislation requires significant changes to be made in the way organizations across the country collect and process personal data,” said KPMG IT Advisory-Risk Consulting Director Mayuran Palanisamy, CIPT, who is based in India.

The bill's provisions 

Key pieces of the legislation include the creation of a data protection authority, requirements for technology companies to obtain explicit permission for most uses of personal data and allowing citizens more ownership over their personal data. It also enables the central government to exempt government agencies from the bill’s requirements “in the interest of sovereignty and integrity of India.” Under the bill, social media intermediaries would be required to provide users an option to verify their identity.

Additionally, it provides both the right to data erasure and the right to be forgotten, regulates research on data, and heavily regulates biometrics.

IAPP Country Leader for India Rahul Sharma said that while the bill is slightly better structured than previous iterations, it does include more stringent regulations. Sharma said there are concerns among Indian citizens it provides the government too much power, given its exemptions for government agencies.

There are also concerns surrounding the independence of the DPA, which “has been whittled down” since it would be established by the government, said Shweta Reddy D., CIPP/US, who works in the tech policy field in India.  

Industry has concerns 

With the bill’s new regulatory focus and fines for noncompliance, “organizations are closely monitoring the status” of the regulation, Palanisamy said, noting the bill’s “overarching applicability” to process personal data in connection with any business carried out in India “will be cause for concern for organizations around the world.”

Information Technology Industry Council Senior Vice President of Policy and Senior Counsel John Miller said there's a need for more stakeholder consultation on certain provisions, including those surrounding "social media intermediaries," "voluntary verification" and surrounding definitions themselves. "Critical personal data," for example, shall only be processed within India, under the bill, but "doesn't seem to be defined," Miller said. 

Miller also takes issue with Clause 91 of the bill, which allows companies to release non-personal data and anonymized personal data, and its impact on future technological growth. 

“It’s clearly an important topic with respect to issues like artificial intelligence going forward,” Miller said. “There’s so much non-personal data that really is central to technology and data innovation. While there’s not a concerning provision on non-personal data, it kind of tees up the question of what exactly is being planned for non-personal data regulation down the line and how that will interact with this law.”

But he's not completely sour on the bill. He did add that India is “really trying to create a privacy law that balances all interests and is in the interests of not only the Indian people, citizens and the Indian government, but also of the private sector.”

Advocates more positive 

Pam Dixon, a longtime privacy advocate and executive director of the World Privacy Forum, is unreservedly supportive of the bill. She said the bill “took the best of statutes globally,” like the EU General Data Protection Regulation, for example, and combined them in one bill. While there has been criticism that the central government can exempt government agencies, Dixon said, “that wasn’t a surprise,” adding government is not “broadly covered in (the) GDPR” either.

“This bill is not a cookie-cutter of the GDPR. It is uniquely Indian in thought and articulation,” Dixon said. “Is the bill perfect? Absolutely not, such a thing does not exist. But the bill is absolutely remarkable. It is a high-quality bill. ... I do think that should this bill be tabled in Parliament and pass, it would provide a meaningful advancement in data protection privacy in India and would benefit the people there. It appropriately and fairly reigns in a lot of the things that a lot of us are really concerned about.”

Specifically, Dixon applauds the bill's inclusion of penalties assigned for the re-identification of deidentified data, its incentivizing of “the proper use and construction around data” and the individual rights granted, including the right to data deletion in cases of improper use or collection.

The bill could be slated for passage at the end of the budget session in March 2020. “So all things considered, that’s not a ton of time,” Miller said. “But there is some time for stakeholders to engage with the Indian government and try to engage on the bill.”

He's hopeful his calls will be heard.

“We should continue to have a consultative process to make sure that we get data protection right for Indian citizens and for continued innovation and that we not rush to do so,” he said. “I don’t know what the best timeline is, but having some type of consultative process, particularly given all the changes and allowing for public comments, would certainly be a welcome result.”

Photo by Srikanth D on Unsplash