Stakeholders and industry bodies seek the removal of the clause that empowers the central government to demand non-personal data from companies, as part of their submission to the Joint Parliamentary Committee (JPC) on Personal Data Protection Bill 2019.
They also sought a review of the exceptions granted to the government with respect to the law and the clause for voluntary verification of social media users.
The 30-member JPC, headed by chairperson Meenakshi Lekhi, invited comments on the bill that was referred to it for deliberation on December 11 last year. The last date for submission of comments was on February 25, following which the committee was expected to submit its first report to the Cabinet by the end of the budget session.
Global software industry body BSA raised concerns on provisions of non-personal data and restrictions on transfer of personal data outside the country.
“We urge the JPC, as it considers revisions to the bill, to eliminate provisions concerning non-personal data from the Personal Data Protection Bill and remove the data localisation requirements and restrictions on international data flows," Venkatesh Krishnamoorthy, country manager at BSA India, said. Microsoft, Oracle and Salesforce are some of its members.
The Internet and Mobile Association of India (IAMAI) in its submission said that “... there is no inherent contradiction between ensuring privacy of individuals and the growth of the digital sector such that the first can be fulfilled without restricting the latter”. Members of the IAMAI include media houses, emerging business and consumer internet companies in India such as OYO, Flipkart, MakeMyTrip and BillDesk.
“As such, we welcome the JPC accepting public comments and hope that they will improve the provisions surrounding government exemptions, independence of the data protection authority, forced data transfers and social media user verification,” Udbhav Tiwari, policy advisor at Mozilla Corporation.
Donor-supported legal services organisation Software Freedom Law Centre, in its submission, said that the bill falls short of a strong rights framework.
“The bill fails to provide for a comprehensive mechanism to serve notice to data principals regarding processing of personal data. To promote full disclosure of data collection and processing activities, it is essential that notice be provided to data principals in all instances of data collection, whether with or without consent,” said the organisation in a post. It added that the powers of the Data Protection Authority were diluted as part of the bill.