IT Minister Ashwini Vaishnaw said the government will get the Parliament’s nod latest by the monsoon session
IAMAI and others have recently slammed the JPC Report On Data Protection Bill, calling it ‘out of sync’ with reality
The bill will prove vital to India’s startup ecosystem, and finding a balance is key
The Union Minister for IT, Ashwini Vaishnaw, noted that the government is working towards getting the approval of the Parliament on the Data Protection Bill latest by the Monsoon Session. The minister said, “I think we should be able to resolve them very soon and bring it…our target was actually this Budget session itself. But, definitely, by the monsoon session, we should be able to do that.”
Vaishnaw, while talking about the consultations and the JPC report on the Bill, said, “The consultations which happened were very comprehensive and the report which has come out is again a very comprehensive report. It definitely is a complex subject…which has matters that need to be resolved”.
Incidentally, a few days ago, IAMAI slammed the same report, calling it ‘out of sync’ with reality, raising a flurry of concerns with the government, including hard data localisation norms, trade secret concerns, treating intermediaries as publishers and age restrictions on certain products.
What Is A Data Protection Bill?
The Bill, essentially, seeks to protect individuals’ personal data, and establish a data protection authority for the same. The Bill has proposed to restrict the use of personal data without the explicit consent of the users. A comprehensive report on the Bill was tabled by the Joint Parliamentary Committee (JPC) on 16th December 2021.
The Bill has proposed to direct the flow and the use of personal data, protect individuals’ rights when their personal data is processed, and work out a framework for international data transfer, accountability of entities processing personal data of Indians, and remedies for harmful and unauthorised data processing.
In December, the JPC recommended stricter norms to regulate social media platforms by holding them accountable for the content they host. The JPC noted that the Centre must ensure data localisation norms are duly followed by all local and foreign entities, with the establishment of the DPA. Along with this, the panel also recommended that the government should widen the scope of the data protection legislation to include both personal and non-personal data, and seek greater accountability from social media channels, treating them as ‘publishers’.
More importantly, it also will allow the DPA to access non-personal data, and the government to exempt its probe agencies from the purview of the Bill altogether. This is one of the moves that has seen strong opposition from opposing MPs, think tanks, and multiple industries alike.
However, the IT minister recently said that globally, the government exemptions are ‘far, far more’ than what has been proposed in India’s legislation. He cited the EU’s General Data Protection Regulation, or GDPR, and noted that while that lists out nine exemptions, India’s legislation proposes only four.
He argued, “There are other geographies where the data protection bill has given a complete exemption to the government…no reasons required. We have given reasons which are required as per the Constitution. It is a very fair construct,” noting that saying that the government will not be accountable “is an unfair and uninformed way of looking at it.”
However, this is not the only problem with the Bill.
Issues Within the Data Protection Bill
The government has already taken the scenic route on the Bill; it has had to implement multiple recommendations of the JPC. Regardless of the JPC recommendations, the DP bill still remains a worry for the startup community.
One of the key reasons why the otherwise positive-sounding Bill has been causing worries across multiple startup circles is the data localisation mandate. While major tech companies such as WhatsApp and Visa are already compliant with the localisation norms, it will prove a tough hurdle for the startups, who have limited access to resources and have to look at better-priced data storage solutions, which are usually overseas.
A localisation norm will force startups to look for options in India. The cost of data transfer notwithstanding, the fact that India’s startups will have limited access to the global internet means that if this data localisation is strictly enforced, the tech startup ecosystem risks losing crucial opportunities.
Ironically, this approach has come from a desire not to bury the Indian startup ecosystem, especially the technology startups, under unnecessary compliances. The government fails to note that the Bill, in its current form, will only lead to more resources being used to comply with the rules, hence burdening the ecosystem.
As of now, the government finds itself stuck, and with the potential of the startup ecosystem on the line, a correct decision is desperately needed. The draft Bill has already seen its fair share of amendments, yet, the controversies continue to plague the matter. The reason for this controversy still remains the so-called ‘problem clauses’. These clauses pertain to government surveillance, media regulation, limiting data transfer outside the country, and powers of the DPA.
The JPC also did not recommend any major dilution of the exemption clause, which gives powers to the government to keep any of its agencies outside the purview of the legislation. Also, the Bill seeks to regulate non-personal data, or NPD, within the personal data protection framework. That will give the government the power to access NPD, while also enabling the Data Protection Authority, or DPA, to investigate any NPD breaches that happen.
While the government keeps pushing for the Bill, citing the citizens’ privacy and security concerns, these aspects of the Bill still raise concerns.
Scope for Improvement?
The government, for now, looks keen on improvements within the draft Bill, before tabling the same in both houses of the parliament. The IT minister did take cognizance of the issues that stakeholders have expressed, and he noted that the government will look to ‘tweak’ the draft legislation to ensure a smooth implementation.
“The points which have been flagged by the committee [JPC], should we put it in this Bill, include it in this Bill or should we think of a separate, totally new legislation for many other things which are happening. These are some issues which need to be resolved,” he said.
Of course, there is a lot at stake here; the $200 Bn IT industry, employing millions of people, for instance, with a major chunk of the startup ecosystem. Vaishnaw, however, assured that the government will take all measures to ensure that there is no adverse impact of the legislation, on any sector.
“We will proceed carefully. I do not think we should rush it, at all,” the IT minister said. Since the legislation will define India’s digital ambitions, and whether they are fulfilled or not, the government should take its time, and feedback from the stakeholders, to improve and deliberate on the Bill at length.
Vaishnaw added that some companies have expressed concerns over a new set of compliances. He said, “What is important is that the compliance mechanism should be as digital as you can make it, then the friction is reduced. The objective should be met, friction should not be there. That is the work we are trying to accomplish, and it is a complex task.”
The Government Needs to Avoid the Impasse
The government needs to pull itself out of the current impasse it finds itself in. The JPC recommendations, in many cases, have only caused more controversy than they have helped resolve.
However, if the government does not iron out the kinks that already existed in the old draft, that just means that the law will be delayed more. But the government can’t afford to hold another round of consultations with the stakeholders, as that will only mean that the Bill will be left behind the curve of changes in technology. Since the landscape changes so fast, it is better to implement the legislation as soon as possible, and then the government can alter the superstructure as and when the digital landscape shifts.
India is already struggling with fundamental issues related to privacy, even though multiple jurisdictions have data protection regimes in place. In some of these places, the data is better protected than what India is proposing to do.
Right now, the government needs to address the issues that are still there in the Bill. The government has been expecting technology to drive India’s economy towards the $5 Tn-mark, and therefore, it needs a data protection law that does not inhibit the growth of India’s digital economy. As such, the ball is in the Centre’s court, to find a balance.