Changes to India’s data bill will lead to 'higher business failure rates'

A parliamentary report recommending changes to India’s personal data bill has been described as being out of sync with the country’s ambitions for the future of its technology sector.

India’s Internet and Mobile Association of India (IAMAI) raised concerns about a Joint Parliamentary Committee (JPC) report on the Personal Data Bill 2019. The report reviewed the country’s first data protection law and was tabled in parliament last December.

The IAMAI said yesterday the recommendations have fundamentally altered the structure of the bill, morphing it from a personal data protection bill into a more generic data protection bill, according to the Economic Times. The organisation added it believes the bill will negatively impact parts of the tech industry, including large tech companies, tech services companies, and startups.

The report recommends introducing strict data localisation requirements, which the IAMAI said will lead to higher business failure rates, create barriers to growth for startups, increase costs of compliance for companies, and slow down the socioeconomic benefits gained from the digital economy. It added the changes will have a drastic negative impact on Indian consumers being able to access a truly global internet.

The JPC also suggested tasking the Data Protection Authority (DPA) with consulting the government on all cross-border sensitive personal data transfers. This not only contradicts established global practices and undermines the role of the DPA, the IAMAI argued, but also subjects data flows to a cumbersome and inefficient process.

It added the suggested retrospectively applicable requirement to bring back data taken abroad poses a number of operational and technical challenges. This is especially true since relevant businesses would be subject to policies which weren’t enforced at the time of data collection.

“This calls for wider stakeholder consultations and impact assessment reports before these recommendations are hardcoded into law,” said the IAMAI in its statement.

The association added that while the JPC expands the scope of the bill to include non-personal data, it fails to account for the different value propositions offered by the two.

The report also recommends the DPA should create a framework to monitor, test, and certify hardware and software for computing devices. The IAMAI urged the government to refrain from developing new standards as there is a time-tested regime which devices sold in the country are subjected to. It underlined this new requirement would hamper India’s ability to attract global businesses and investment, and that the current rules and regulations are sufficient to address hardware and software certification requirements.

The IAMAI also urged the government to review a suggested transparency requirement. This is very broad and may encroach upon data fiduciaries’ intellectual property rights, it said, adding it may be harmful if they're mandated to publicly disclose their algorithms and other proprietary information without adequate safeguards.