After the government extended the deadline for public responses on the draft Personal Data Protection Bill to September 30, the Telangana government has raised concerns that the implementation of certain clauses, especially the one on data localisation, will isolate Indian startups and hurt investments in the state and the country. The Bill has evoked much criticism since it was recently tabled by the Justice BN Srikrishna Committee.
According to a media report, Telangana’s IT Minister K T Rama Rao may write a letter to Union minister for electronics and IT Ravi Shankar Prasad, expressing concerns that the draft Bill’s excessive notice requirements, its restrictive grounds of processing, and harsh cross-border transfer norms could threaten Telangana’s startup initiatives and hurt its business-friendly image.
A top official of the Telangana government was cited as saying that certain proposals in the draft Data Protection Bill, including one that recommends global Internet companies host user data locally, could increase operational expenses and impact business growth.
Data localisation would raise the cost of doing business in Telangana along with discouraging foreign investments in the state, the state official said.
An official spokesperson of the Union ministry for electronics and IT was cited as saying, “We are working out a monumental law. Views of state governments and public response are being sought. Data protection law would also be placed for Cabinet’s approval before finalising the legislation. The exercise is aimed at having a model law that has a blend of security, privacy, safety and innovation.”
In the last three years, Telangana has attracted investments worth $11.5 Bn and is currently the country’s second highest contributor to IT exports. Hyderabad, the capital of Telangana, houses engineering and back offices of multinational companies such as Facebook, Microsoft, Google, and Apple.
Data Protection Bill: A Point Of Contention
India is at present seeing ongoing debates on the draft Personal Data Protection Bill, which makes it mandatory for data fiduciaries (entities collecting or processing the data) to inform their users about what data they wish to collect, the purpose of collection that data, if it will be transferred to third parties or outside the country, how it will be stored, for how long it will be retained, and so on.
The draft PDP Bill mandates live data mirroring or localisation (meaning that at least one copy of all personal user data must be stored in India), which will drive up costs for companies. Startups will be required to conduct periodic reviews of their security practices and data protection impact assessments.
Inc42, in association with Ikigai Law (Formerly TRA), on September 7, organised a roundtable interactive session called ‘The Dialogue’ with startups to discuss the impact of the Bill on their businesses once it gets enacted in Parliament. ‘The Dialogue’ addressed the key points of the PDP Bill — data localisation, data criticality, consent notices to users, and consent requirements among others.
The roundtable was attended by startup founders who brought up a host of challenges that have not been addressed or answered in the existing draft Bill.
In April, the Reserve Bank of India (RBI) had asked all payment system operators in the country to store data relating to their customers in India to ensure that user details remain secure in case of privacy breaches. The payment system companies have been given six months i.e. till October to comply with the new norms.
Recently, Google CEO Sundar Pichai wrote a letter to Minister Prasad saying, “Free flow of data across borders — with a focus on user privacy and security — will encourage startups to innovate and expand globally and encourage global companies to contribute to India’s digital economy.”
[The development was reported by ET.]