'If Indians are to be truly protected, Parliament must review and address these dangerous provisions before they become law.'
Neha Alawadhi, Karan Choudhury, Peerzada Abrar report.
The Personal Data Protection Bill, which was cleared by the Cabinet, gives the Centre powers to exempt any agency from the provisions of the legislation.
The exemption clauses in the Bill have left large technology companies and digital commerce firms worried about continuing their business in the country.
The Bill states that the central government can decide in the interest of 'sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order' or for preventing incitement to the commission of any cognisable offence relating to certain conditions, and direct that 'all or any of the provisions' of the Personal Data Protection Bill would not apply to 'any agency of the Government'.
Pointing out that the Bill is very different from the first draft under the Justice B N Srikrishna committee, experts called the exemptions to government departments "overarching".
The first draft, that was submitted to the government earlier, had disallowed processing of personal data in the interest of State security 'unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved'.
Apar Gupta, executive director at the Internet Freedom Foundation, argued that the current Bill doesn't deal with any kind of surveillance reform, which could include CCTV monitoring, social media monitoring, etc.
"It is not at all contemplated considering consent is a precondition to personal data collection," Gupta said.
Digital commerce firms fear a major impact on business if the draft Data Protection Bill is passed in the current form.
They fear plenty of hurdles in not only their day to day operations, but also vis-à-vis their business models.
This could even hit the investment cycles for the coming year, according to industry representatives.
"This is going to impact the way we work and our business models. This is a myopic way of looking at data protection. Changing the way we work almost on a yearly basis is next to impossible. Spends on processing and handling data would sky-rocket. Many companies including ours would have to rethink investment plans," said a senior vice president of a multinational digital commerce firm.
Analysts believe the Bill, in this form, can be a major hindrance to the idea of ease of doing business.
"The bill creates a need for the data fiduciary (firm/individual) to obtain certification of the privacy by design policy from the Data Protection Authority. Such provisions lead to unnecessary compliance burden on companies and hinders the ease of doing business, which is much needed to boost the IT sector in the present economic climate," said Salman Waris, managing partner at TechLegis Advocates & Solicitors, a law firm.
According to Waris, the provisions relating to processing data outside the country require multiple consents and approvals both from individual data principals and the government.
It cannot be undertaken unless prior approval of the central government is obtained in advance, making the process cumbersome.
An executive at a large US-based technology firm, who did not wish to be named, also pointed out that the requirement for businesses to share non-personal data with the government when asked for would be a thorny issue.
The Bill says the central government can, in consultation with the Data Protection Authority, direct any 'data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the central government, in such manner as may be prescribed.'
Legal expert Amber Sinha said more clarity would be required on the issue of non-personal data.
In the current form, it is possible it could clash or be complicated by intellectual property laws, trade secrets, and database rights.
"Essentially what we see in the Bill is that the Indian State sees data essential to its national and geopolitical ambitions and it wants to leverage the data that is available in the country for various purposes," Sinha added.
While there has been some relaxation on the kind of personal data that can be processed outside the country, the provision got a mixed response from industry and experts.
"Depending on the nature of the data being collected, the Bill sets out rules as to where the data can be processed and stored and requires sensitive data to be stored in India while permitting such data to be processed outside India with the explicit consent of the user," Atul Pandey, partner at Khaitan & Co, has observed.
The push for data localisation stems from the recent privacy concerns surrounding WhatsApp, and the government's desire to suitably monetise the vast amounts of data being collected in India, according to Pandey.
However, such data localisation measures will act as a substantial financial constraint for companies considering that fresh infrastructure will be required to be set up in India, he said.
"Additionally, the government will also be wary of possible reciprocal actions being undertaken by other countries, considering that companies based out of such countries will have to abide by data localisation laws in India."
An expert on the Indian information technology services industry said the Bill's provisions were adequate for IT services firms like Infosys, Wipro and so on.
Social media burden
Exceptions made for government use of data, verification of social media users, and the forced transfer of non-personal data represent significant threats to privacy, analysts have said.
"If Indians are to be truly protected, Parliament must review and address these dangerous provisions before they become law," said Udbhav Tiwari, public policy advisor at Mozilla.
The Bill has defined social media intermediaries as entities primarily or solely enabling online interaction between two or more users, while allowing them to create, upload, share, disseminate, modify or access information using its services.
The Bill places an obligation on social media companies to enable the users who register their service from India, or use their services in India, to voluntarily verify their accounts in such manner as may be prescribed.
Also, any user who voluntarily verifies his account shall be provided with a 'demonstrable and visible mark of verification, which shall be visible to all users of the service'.
An executive with a large social media firm, who did not wish to be named, said, "in addition to the large number of consent requirements for processing personal data, we will be burdened with additional user profiling requirements as well."