Over December 2019 and January 2020, NASSCOM and DSCI conducted a series of Consultation Sessions across Delhi NCR, Mumbai and Bangalore on the Personal Data Protection Bill, 2019.
Based on the inputs received from members, both during the Consultation Sessions and through written submissions, the following issues arise as key concerns:
- Categorisation of Sensitive Personal Data and its consequential impact
- Restrictive grounds for Processing Personal Data and Sensitive Personal Data
- Restrictions and conditions for Cross-Border Transfer of Sensitive Personal Data and Critical Personal Data
- Lack of appropriate framework to build trust for processing of global data in India: Power to Exempt certain Data Processors from data processing obligations
- Provisions Dealing with Non-Personal Data
- Strengthening of framework for an effective and accountable Data Protection Authority (DPA)
- Lack of appropriate grading of Criminal Offences
Moreover, there appear to be several interpretative ambiguities under the current draft of the PDP Bill 2019, either on account of the framing of the provisions or on account of the lack of sufficient detail in the PDP Bill 2019. In particular, interpretative issues exist with regard to:
- Provisions relating to the designation of Significant Data Fiduciaries, in particular, relating to the DPA’s exercise of the discretion in designating a significant data fiduciary, provisions relating to the appointment of Data Protection Officer by significant data fiduciaries, and modalities of the requirement for Data Audits;
- The definition of “Personal Data” under the PDP Bill 2019, in particular the inclusion of “inferences derived” within the scope of the definition;
- Timelines for implementation and the geographical scope of application of the provisions of the PDP Bill 2019;
- Mechanism and scope of the certification and publication process of Privacy by Design policies;
- Technical requirements for the exercise of a data principal’s right to correction, and the corresponding compliance requirements for data fiduciaries;
- The lack of a definition for “financial institutions” under the Bill;
- The Central Government’s power to prohibit the processing of certain categories of biometric data; and
- Definition of ‘harm’ under the PDP Bill 2019, and potential exceptions to the same.
NASSCOM and DSCI believe that these concerns, if addressed, can help operationalise an effective framework for individual privacy in India, while projecting India as a trusted, efficient and competitive player in global digital value chains.