SUMMARY
Industry groups have urged to revise the definition of a ‘child’ to mean an individual under the age of 13 years
The proposed Data Protection Board is not independent, claims Google and Meta-backed Asia Internet Coalition
Industry bodies seek a minimum transition period of two years to ensure sufficient time for companies to comply with the norms
Industry bodies Asia Asia Internet Coalition (AIC) and The Software Alliance (BSA) have pitched a slew of revisions and recommendations in the draft Digital Personal Data Protection Bill, 2022.
In their comments submitted to the Ministry of Electronics and Information Technology (MeitY), the two industry groups have urged to revise the definition of a ‘child’ to mean an individual under the age of 13 years.
It is pertinent to note that the AIC and the BSA represent the interest of big tech majors and count Google, Meta, Amazon, and Microsoft as its members.
“The upper age limit of 18 for defining “child” clashes with other data protection frameworks such as the GDPR and the United States’ Children’s Online Privacy Protection Act. This could prevent some children — particularly teenagers — from accessing services. It could also increase the cost for data fiduciaries to provide these services,” the BSA said.
Echoing a similar sentiment, the AIC called on the government to ‘empower’ data fiduciaries to develop internal mechanisms to obtain parental consent for children below 18 years of age. The group also sought the ministry’s nod for tracking and monitoring minors if it is ‘done in the best interests of a child and as long as the same is age appropriate.’
Training its guns at the proposed Data Protection Boards (DPB), the industry bodies called for defining the criteria for the composition of such a panel. It also sought more clarity on the membership requirements for the committee that will nominate DPB members.
The BSA recommended that the selection committee should comprise the Chief Justice of India, or a judge nominated by him, alongwith the Cabinet Secretary and an expert nominated by the CJI in consultation with the latter.
Among other things, the big tech majors have sought further clarity on clauses governing the transfer of personal data outside India. The current draft of the Bill retains a ‘white-list’ approach, meaning data can be processed online in countries allowed by the government.
The BSA called for adoption of an ‘accountability model’ that puts the onus of protection of the personal data on entities that collect such data. Meanwhile, the AIC sought the formulation of a black list that would specify the countries where the user data could not be processed.
Noting that the draft Bill does not specify a transition period, the BSA has sought a minimum transition period of two years to ensure sufficient time for companies to comply with the norms.
In its comments to the ministry, the AIC urged the Centre to reconsider certain requirements, including the appointment of an independent auditor, data protection impact assessments, and periodic audits, to ease compliance burden on significant data fiduciaries (SDFs).
The industry bodies also highlighted concerns around obligations related to reporting of data breaches. In essence, it sought to define the very definition of data breaches, which would otherwise ‘flood’ the authorities with excess information and may also cause ‘undue distress’ to data principals.
In their comments, both argued that the draft Bill mandates reporting of data breaches to the DPB, which overlaps with current norms under which CERT-In is the reporting authority.
This would create additional reporting obligations for the impacted companies and cause inadvertent delays.
“… we request the MEITY to reconsider the requirement to report personal data breaches to both the Indian Computer Emergency Response Team, as well as the Data Protection Board. If the requirement to report breaches is retained, the law ought to contain impact thresholds that guide entities in assessing whether to report an incident,” the BSA said.
Another major takeaway of the report was that the industry body AIC sought the re-introduction of codes of conduct as a way to promote co-regulation in the domain of data protection. In addition, the industry bodies urged the MeitY to undertake adequate consultation prior to adopting subordinate legislation to allay concerns of all stakeholders.
After being in limbo for close to three years, the new iteration of the DPDP Bill, 2022, was released earlier this year. The draft norms have come under fire from different stakeholders such as digital advocacy groups and internet activists over concerns ranging from ‘state surveillance’ to non-independence of the DPBs.
As the debate rages on, the ministry recently extended the last date of public feedback on the draft Bill to January 2, 2023. The Bill has specified a host of norms that will govern the digital ecosystem and will penalise the non-adherents. With much at stake, it remains to be seen how the proposed law shapes up amidst an evolving Indian digital space.
