The present form of the Bill envisages an individual or a group of individuals acting as data fiduciaries, but it is a moot point since blockchain is decentralised
“Without a clear data fiduciary, it may be difficult to enforce the provisions of the Bill,” the Crypto Legal and IBF report said
The report has recommended that the Data Protection Bill widen its scope of definitions to include blockchain terminologies
Regulatory bodies Crypto Legal and Indian Blockchain Forum (IBF) have released a discussion paper based on the recent Digital Personal Data Protection Bill that talks about the impact the Bill will have on the blockchain industry.
According to the discussion paper, the Digital Personal Data Protection Bill fails to address the unique challenges that tech such as blockchain and decentralised ledgers pose. The decentralised nature of blockchain-based applications makes it extremely difficult to identify a specific ‘person’ or group of persons who can be said to determine the purpose and means of the processing of personal data, the report claimed.
Furthermore, the Indian Blockchain Forum and Crypto Legal’s report added that in definition, the present form of the Bill envisages an individual or a group of individuals acting as data fiduciaries.
“But it is a moot point whether a node participating in the consensus mechanism of a blockchain protocol can be said to fall within its ambit. A single person or group of persons may not always be in control of the data on the blockchain,” the report reads.
“This presents a problem for the bill, which requires the identification of a data fiduciary who is responsible for the data. Without a clear data fiduciary, it may be difficult to enforce the provisions of the Bill,” it further said.
The report has recommended that the Data Protection Bill widen its scope of definitions to include blockchain terminologies. Anonymisation and pseudonymisation of data must be encouraged and a principals-based approach (not geography-based) should be practised for the international transfer of data since blockchains can be jurisdiction-less, the report said.
The new draft Personal Data Protection Bill has been out for industry consideration for quite some time. Tabled for recommendations for the third time, the Bill has narrowed the scope, by considering only personal and digital data in India (and concerning Indians).
The draft Bill imposes data localisation and storage norms, restricting geographical storage of data by the collecting companies to ‘trusted’ geographies. The Bill imposes heavy penalties for violations of any provisions of the legislation (as high as INR 500 Cr) and talks about the use of personal data by companies (digital or not) and limits the scope to ‘use for the purpose it was collected only’.
Further, the government has proposed establishing an online redressal forum, the Data Protection Board of India. Since the previous versions had several compliance burdens including data management, data governance and even cybersecurity, the current draft has been updated to reduce the compliance burden on startups and Big Tech.