BIF lauds and welcomes the draft Bill for Data Protection

Broadband India Forum (BIF), the leading independent Think-Tank and Policy Forum for Digital Communications in the country, observes that the Draft Bill aims to significantly facilitate ease of doing business and develop India’s digital economy while equally and adequately protecting the privacy of personal data. The attempt by the Ministry of Electronics and Information Technology (MeitY) to create a much simplified framework, particularly compared to earlier versions of the Draft Bill, is highly commendable because it recognizes the need for technology regulation to remain adaptive over time.

In particular, the Draft Bill addresses, in principle, varied aspects with respect to need of and concerns on transfer of personal data outside India, while keeping the required flexibility with the rule making powers.

At the same time, there are certain areas where some more deliberations/clarifications may be highly desirable for a smooth functioning of the new framework.

The financial penalties, for example, are of magnitude greater than penalties under other comparable legislations like Malaysia and Thailand, which are also in first stage of having a comprehensive data protection law. Since this is India’s first attempt at a comprehensive data protection law, severe penalties would not be appropriate. India may consider a staggered approach and may increase the penalty caps in a phase-wise manner so that these liabilities are in-step with the development of India’s compliance and enforcement landscape. The Draft Bill should further identify a more graded penalty structure which is commensurate with the degree of harm that a violation or non-compliance may invite.

Some provisions of the Draft Bill would require significant changes to business processes, such as cross-border data flow, consent seeking, language options to data principals, etc. We suggest a phased implementation with sufficient timeframe allocated for specific provisions that require higher compliance efforts. The Joint Parliamentary Committee in its report on the Personal Data Protection Bill, 2019 recommended that an approximate period of 24 months be provided from the date of its notification for implementation of all provisions of the law. It is requested that the Ministry provide specific transition periods within the text of the law.

The definition of ‘Personal data’ should be simplified so that Data Fiduciary can give to the Data Principal an itemised notice (which needs to contain a description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data). Considering the specific purpose of the Act, it is critical that the subject matter i.e. personal data sought to be collected is defined unambiguously. However, a combined reading of definitions of ‘personal data’ and ‘data’ may mean that apart from information of an individual from which she can be identified, even any facts, concepts, opinions or instructions which can be communicated or interpreted with respect to an individual can also be called personal data. It is submitted that personal data should only be confined to information in nature of one or more identifiers with respect to the individual in regard to which itemised notice can be given.

Section 9(9) of the Draft Bill provides that the Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary. This is very salient and much required provision. However, the framework for its proper functioning needs clarification. This is so when there is a corresponding provision in Section7(1) of the Draft Bill that consent of the Data Principal is for specified purpose. Since consent and the specified purpose are protections to the Data Principal, certain clarifications are required in the given framework, like whether while seeking consent from the Data Principal, the Data Fiduciary can mention a specific purpose of the sharing, transferring or transmitting the personal data with any other Data Fiduciary, the purpose of transferee Data Fiduciary may not be known to the Data Principal, in such case. Further, how will withdrawal of consent work in case personal data has been shared with another Data Fiduciary.

Further, there are some other provisions in the Draft, including need for minimum age of 18 in the definition of child and corresponding parental consent, operation of cross border data flow, additional obligations on significant data fiduciaries etc. which may require further deliberation to draw a proper balance between the digital growth while protecting the privacy of personal data.

T.V. Ramachandran, President, Broadband India Forum, commented, “This is a very praiseworthy and forward-looking measure by the Government to put in place a comprehensive framework that finely balances aspects of digital development, data protection and privacy. The new law could become a benchmark for many nations.”

CT Bureau