Personal Data Protection Bill: Why the draft is drawing more jeers than cheers

Last week, a committee of experts led by former Supreme Court judge BN Srikrishna unveiled a draft of the Personal Data Protection Bill that will be tabled in parliament. The bill aims to enhance data protection and comes at a time concerns about data breaches are rising not just in India but globally.

In its 213-page report, the panel made a number of recommendations including that all “critical personal data” on people in India should be processed within the country and that cross-border transfer of such data won’t be allowed. It also suggested setting up a Data Protection Authority to implement the proposed law.

While the draft bill has been largely welcomed, several of its provisions have also raised concerns. Critics, for example, say the requirement of storing data locally could deter foreign tech firms and hamper Indian startups’ ability to compete globally. Here’s what industry groups, analysts and entrepreneurs think about the draft bill.

Mohan Kumar, executive director, Norwest Venture Partners:

This is a setback for most consumer-tech startups. The consent has to be explicit and it will have a big impact on consumer-tech startups. But it is better for these companies to let this happen in a controlled manner rather than something more dramatic happening two years down the line.

What happened to Facebook this quarter could happen to these companies, too. When you ask explicit permission from customers at every juncture, you will likely see a lot of customers refusing to give that. And the customer can revoke it any time, too.

The customers tend to give permissions when asked generally as part of the terms and conditions. This worked for a lot of companies and now they are seeing a backlash. While there will be pushback from the industry, they cannot force many changes. They took it to extreme levels.

When KYC (know your customer) norms became mandatory, we saw fintech companies struggling and a lot of small players dropping out of the wallet business. Why should a fintech company have more advantages than a bank? Your bank does not share your account balance with anyone. Here the fintech company probably might have shared it with the whole world.

WhatsApp wanted to make its messages viral and hence gave unlimited forwards. Now, (after it curbed forward messages) the messages exchanged on the platform itself will reduce.

NASSCOM-Data Security Council of India (DSCI):

The bill has suggested a much-needed framework for data protection and privacy. It builds on the Supreme Court judgment that advocated privacy as a fundamental right for the country and creates a framework for all stakeholders to be more responsible and build trust while dealing with personal data. NASSCOM-DSCI welcome the thrust on creating an institutional structure through a Data Protection Authority in the country as well as the importance of Privacy by Design.

NASSCOM-DSCI has been advocating for a healthy balance between privacy and innovation... Policies that govern data protection, storage and classification need to be carefully crafted given the global footprint of the IT-BPM sector. Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.

Devendra Rane, founder of online insurance marketplace Coverfox:

There is a long way to go before this will be law and a lot more discussions have to happen... This does not seem to have included inputs from industry stakeholders and a lot of grey areas need to be addressed more clearly.

It is not clear whether we can share data with third parties. For some transactions to happen on marketplace platforms, we need to share data with such third-party players. For instance, in our case, we also source data from regional transport offices, which is publicly available data. We store data when accidents happen.

The online market is still in the nascent stage and how we have structured so far is based on upselling or cross-selling. The whole business models have to be reworked.

Rajeev Chandrasekhar, Member of Parliament:

The Justice Srikrishna Committee report on data protection and the draft Personal Data Protection Bill 2018 is a step closer towards a legal framework for consumers' data protection. This is a big boost to Digital India.

Vidur Gupta, partner, government and public sector, EY India:

The committee’s report will be a key step towards building the important base of ‘trusted’ digital India. The proposed Digital Protection Authority with wider powers would be beneficial. The recommendation of bringing public entities under the law would not only strengthen the confidence of citizens but also define specific safety measures for their personal data while using e-governance services.

Siddharth Vishwanath, partner, cybersecurity, PwC India:

The draft is on expected lines. It clearly addresses key tenets like individuals’ rights over their data, data protection and breach notification. The penalties are structured in a manner to create adequate deterrence. It will clearly drive the industry to create a safer ecosystem in the data economy.

Venkatesh Krishnamoorthy, country manager-India, BSA | The Software Alliance:

We support the effort to create a comprehensive legislation to protect the personal information of citizens in India. However, including data localisation requirements in such legislation is contrary to the goals of promoting a Digital India, as global data transfers are critical to cloud computing, data analytics, and other modern and emerging technologies and services that underpin global economic growth. BSA recommends that India’s Personal Data Protection Bill avoid imposing undue restrictions on the ability to securely transfer personal data outside of India.

Ramesh Mamgain, area vice president for India and SAARC at Commvault, a US-based data protection and information management software company:

The recommendation for setting up a Data Protection Authority is a reflection of a comprehensive approach towards data management in India. Several instances of data leaks in the past had created an alarming situation across the country… The proposed data protection law in India is a much-needed regulation which will institutionalise processes for organisations across all sectors to better manage both primary and secondary data.