New Delhi: The US-India Business Council and internet and mobile players' body IAMAI have flagged concerns about certain provisions in the Personal Data Protection Bill, saying that these will impinge on privacy of Indian citizens and create challenges for businesses.
The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha on Wednesday, and the government proposed sending the Bill to a joint select committee of both Houses of Parliament amid protests by the Opposition.
The Internet and Mobile Association of India (IAMAI) said the Bill in its current form "compromises" on privacy of Indian citizens as "it has built in far too many exceptions for government agencies to access personal information of the citizens".
The Bill proposes that personal data will not be processed without consent of the owner of the information, and that no personal data will be processed except for clear and lawful purpose.
However, one of the provisions of the Bill will "empower the central government to exempt any agency of the government from application of the proposed legislation" -- which experts say will give sweeping powers to government agencies to collect data of citizens.
The Bill also states that the Centre can direct any data processor to "provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the central government".
The US-India Business Council (USIBC) said the Bill contains several new provisions outside the core issue of data privacy that raises serious concerns for the private sector, particularly the inclusion of requirements around non-personal data and social media intermediary liabilities.
"These two issues are distinct from personal data issues and are complex in their own right. Given the need for additional discussion, we urge the government to remain focused on essential data privacy issues and to take up these matters as part of existing policy efforts taking place in parallel to the Bill," it added.
IAMAI pointed out that the provision for the Centre to seek anonymised and non-personal data from any data fiduciary via the Data Protection Authority (DPA) - along with the fact that insights derived from personal data are also considered as personal data - raises issues of undermining Intellectual Property Rights of businesses engaged in data services.
The association also raised concerns over the fact that the government itself today offers many services in competition to private service providers. The right of the government over data assets of private businesses risks creating unlevel playing field for private businesses, it said.
The USIBC recommended that the Bill be revised to provide ample time for establishing a new DPA and strengthening the DPA's independence and effectiveness.
"We remain committed to working closely with the government as the Bill moves through the parliamentary process... we will continue to seek opportunities for industry and India's leading trading partners to share their views as new policy takes shape," it added.
IAMAI highlighted that the requirement to get a certification from the DPA in order to do business in India, would create a "restrictive Certification and Licensing regime" for organisations to operate in India.
"IAMAI highlighted that the world wide web (WWW) is borderless with many services originating in other countries and still being accessible to a global audience including India. Such a provision risks isolating India as service providers who do not get certification from the DPA cannot offer their services in India," it said.
Industry body Nasscom has also sought more clarification on certain provisions of the Bill.
"The central government has the power to exempt data processors, that process personal data of data principals who are outside the territory of India. While this was included in the earlier draft of the Bill as a miscellaneous provision, this has now been included under the chapter on exemptions under the Bill," Nasscom said.
The industry, in particular the IT-BPM and GCC industries, will need greater certainty on the scope and issuance of the exemption, it added.
Nasscom flagged that "financial data" continues to be defined broadly under the Bill.
"This is an area of concern, especially with reference to employee data processing for operations such as payroll services, that requires processing of financial data. Given that explicit consent is the only ground for processing sensitive personal data, the classification of 'financial data' as sensitive personal data poses potential problems for other business operations such as risk management, fraud detection, among others," it noted.
It also sought clarity in areas such as classification of significant data fiduciaries and of certain personal data as critical data, and cross-border transfer of sensitive personal data.