Proposed rules to regulate the way companies handle customers’ personal data has received a mixed response from India’s private sector, with some businesses praising it as necessary to protect privacy and others complaining that it will adversely impact their operations.
India’s Personal Data Protection Bill seeks to protect consumers’ financial details, biometric data, caste, religious and political beliefs and other personal information from unauthorized access — although, controversially, state agencies are exempt under certain circumstances.
If the bill, which also recommends the setting up of a Data Protection Authority to enforce compliance, becomes law, it will affect all the companies that store or process user data. E-commerce, social media, banking, finance, insurance and health care sectors will likely be affected the most.
First tabled on the same day that Parliament passed India’s controversial Citizenship (Amendment) bill, which allows citizenship for non-Muslim immigrants, the bill is now being discussed by a 20-member parliamentary panel that will take feedback from citizens, business establishments, law-enforcing agencies and other groups. Once the reworked bill is tabled in parliament, it will need majority votes in both houses of the legislature to become law.
Karnika Seth, a Supreme Court lawyer and a cyber law expert, said legislation to govern the handling of data is much-needed as cyber crimes, breach of privacy and unauthorized collection of data have become rampant, while India’s existing Information Technology Act and Information Technology Rules, enacted years ago, are not thorough enough to protect personal data.
The Internet and Mobile Association of India, however, fears the proposed law will impose extra costs that could harm the business environment. Despite being the world’s third largest recipient of venture capital after the U.S. and China, funding for the country’s tech sector has cooled off lately due to the slowing economy and fallout from WeWork’s IPO debacle late last year.
The trade body said in a statement that the provisions of the bill put the functioning of businesses at risk. It said the enormity of some of the proposed requirements, such as mandated storage of information on local servers, will test many smaller businesses’ capacity and that some requirements are restrictive for service providers.
The statement pointed out that the bill mandates all businesses collecting personal data to have a “Privacy by Design” policy in place and to be certified by the DPA to operate. IAMAI said such rules will create a restrictive certification and licensing regime and may handicap India’s technology startups.
The National Association of Software and Services Companies (Nasscom) and Data Security Council of India have written a letter to the government, demanding more clarity on the proposed law.
The concerns come as the number of internet users in India is forecast to almost double to 850 million by 2022 from 2017 levels, according to PwC, which recently described India as “the world’s most promising Internet economy”.
“The provisions restricting the cross-border flow of personal data are particularly concerning as these mandate localization of all personal data and provide wide discretion for classifying personal data as critical data required to be stored only in India. We believe that localization generally does not address the objectives of data security and privacy,” the group said in the statement.
“Mandating data localization would undermine the competitiveness of Indian startups, SMEs, e-commerce companies, fintech and other technology-driven companies. With data localization, India would become a less attractive destination for startups based outside of India.”
Cybersecurity expert and author Na Vijayshankar offered another perspective on the bill.
“If you are collecting huge data and you did not do anything for the security of that data, the impact will be huge,” he said, adding that while the IT Act comes into play only after a crime happens, the new law seeks to bring in DPA to continuously monitor that the data remains uncompromised.
He added that big IT companies such as Infosys and Wipro will not be much affected if the law is enacted as they already abide by strict protocols on data security. He said such companies will need to introduce only minor changes under the new requirements.
A technical expert who did not want to be named said companies would have to ensure data encryption and relocate their servers to India, both of which would jack up costs. Furthermore, he said Indian servers were already costly and less reliable and that companies would also need to spend on periodic security audits and appoint data protection officers.
He gave the example of the General Data Protection Regulation, which became effective in the European Union in May 2018. He said the regulation forced Microsoft to spend on new architecture and hiring 300 more engineers.
He pointed out that Microsoft had the deep pockets to make those changes but smaller Indian companies could be hammered by such costs. He pointed out that unlike the European regulation, India’s bill recommends heavy penalties on organizations that don’t abide by the rules.
Under the new regime, companies that fall foul of the data protection guidelines will have to pay up 150 million rupees ($2.1 million) or 4% of their annual turnover, whichever is higher. Failing to audit data will trigger a penalty of 50 million rupees or 2% of the annual turnover, whichever is higher.
Such concerns run alongside larger worries about some of the bill’s more controversial provisions which recommend that the government be empowered to collect anonymized, non-personal data from private companies for purposes such as public interest, service delivery and others.
Mozilla Corp., the company behind the popular web browser Firefox, called this “a dramatic step backward in terms of the exceptions it grants for government processing and surveillance.” IAMAI has also flagged the bill for this reason.
Furthermore, social media platforms such as Facebook, Twitter, WhatsApp and ByteDance-owned TikTok will be required to let users submit a government-approved identity proof and have their account verified, akin to the blue tick reserved for public figures. This would consume significant resources.
Seth said the bill will have a major impact on almost all the private companies in the technology industry. “A balanced approach is beneficial as it will not stifle the digital economy and not having any restrictions will leave too much lacunae in law for invasion of one’s privacy,” she said.