Industry Bodies Seek Revisions In The Draft Data Protection Bill, 2022

Industry Bodies Seek Revisions In The Draft Data Protection Bill, 2022

SUMMARY

Industry groups have urged to revise the definition of a ‘child’ to mean an individual under the age of 13 years

The proposed Data Protection Board is not independent, claims Google and Meta-backed Asia Internet Coalition

Industry bodies seek a minimum transition period of two years to ensure sufficient time for companies to comply with the norms

Industry bodies Asia Asia Internet Coalition (AIC) and The Software Alliance (BSA) have pitched a slew of revisions and recommendations in the draft Digital Personal Data Protection Bill, 2022. 

In their comments submitted to the Ministry of Electronics and Information Technology (MeitY), the two industry groups have urged to revise the definition of a ‘child’ to mean an individual under the age of 13 years.

It is pertinent to note that the AIC and the BSA represent the interest of big tech majors and count Google, Meta, Amazon, and Microsoft as its members. 

“The upper age limit of 18 for defining “child” clashes with other data protection frameworks such as the GDPR and the United States’ Children’s Online Privacy Protection Act. This could prevent some children — particularly teenagers — from accessing services. It could also increase the cost for data fiduciaries to provide these services,” the BSA said.

Echoing a similar sentiment, the AIC called on the government to ‘empower’ data fiduciaries to develop internal mechanisms to obtain parental consent for children below 18 years of age. The group also sought the ministry’s nod for tracking and monitoring minors if it is ‘done in the best interests of a child and as long as the same is age appropriate.’

Training its guns at the proposed Data Protection Boards (DPB), the industry bodies called for defining the criteria for the composition of such a panel. It also sought more clarity on the membership requirements for the committee that will nominate DPB members.

The BSA recommended that the selection committee should comprise the Chief Justice of India, or a judge nominated by him, alongwith the Cabinet Secretary and an expert nominated by the CJI in consultation with the latter. 

Among other things, the big tech majors have sought further clarity on clauses governing the transfer of personal data outside India. The current draft of the Bill retains a ‘white-list’ approach, meaning data can be processed online in countries allowed by the government. 

The BSA called for adoption of an ‘accountability model’ that puts the onus of protection of the personal data on entities that collect such data. Meanwhile, the AIC sought the formulation of a black list that would specify the countries where the user data could not be processed. 

Noting that the draft Bill does not specify a transition period, the BSA has sought a minimum transition period of two years to ensure sufficient time for companies to comply with the norms.

In its comments to the ministry, the AIC urged the Centre to reconsider certain requirements, including the appointment of an independent auditor, data protection impact assessments, and periodic audits, to ease compliance burden on significant data fiduciaries (SDFs). 

The industry bodies also highlighted concerns around obligations related to reporting of data breaches. In essence, it sought to define the very definition of data breaches, which would otherwise ‘flood’ the authorities with excess information and may also cause ‘undue distress’ to data principals.

In their comments, both argued that the draft Bill mandates reporting of data breaches to the DPB, which overlaps with current norms under which CERT-In is the reporting authority.

This would create additional reporting obligations for the impacted companies and cause inadvertent delays. 

“… we request the MEITY to reconsider the requirement to report personal data breaches to both the Indian Computer Emergency Response Team, as well as the Data Protection Board. If the requirement to report breaches is retained, the law ought to contain impact thresholds that guide entities in assessing whether to report an incident,” the BSA said.

Another major takeaway of the report was that the industry body AIC sought the re-introduction of codes of conduct as a way to promote co-regulation in the domain of data protection. In addition, the industry bodies urged the MeitY to undertake adequate consultation prior to adopting subordinate legislation to allay concerns of all stakeholders. 

After being in limbo for close to three years, the new iteration of the DPDP Bill, 2022, was released earlier this year. The draft norms have come under fire from different stakeholders such as digital advocacy groups and internet activists over concerns ranging from ‘state surveillance’ to non-independence of the DPBs.

As the debate rages on, the ministry recently extended the last date of public feedback on the draft Bill to January 2, 2023. The Bill has specified a host of norms that will govern the digital ecosystem and will penalise the non-adherents. With much at stake, it remains to be seen how the proposed law shapes up amidst an evolving Indian digital space.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Industry Bodies Seek Revisions In The Draft Data Protection Bill, 2022-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Industry Bodies Seek Revisions In The Draft Data Protection Bill, 2022-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Industry Bodies Seek Revisions In The Draft Data Protection Bill, 2022-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Industry Bodies Seek Revisions In The Draft Data Protection Bill, 2022-Inc42 Media
Industry Bodies Seek Revisions In The Draft Data Protection Bill, 2022-Inc42 Media
You’re in Good company