In the worst-case scenario, it will be next to impossible for tech companies like Amazon and Google to run any service that requires user biometrics.
Karan Choudhury, Neha Alawadhi, Nidhi Rai report.
Asking a Google Home or Alexa device to play your favourite song, unlocking a mobile phone with your fingerprint or face scan, and using iris scan to access your bank account may all just become difficult if the draft Data Protection Bill gets Parliament's nod in its current form.
Clause 92 of the draft Bill seeks to ban the processing of certain forms of biometric data, unless permitted by law.
This, according to industry experts, will have a far-reaching impact on companies in almost every sector -- from the digital commerce to banking, health care and even automobile industry.
Companies, which use fingerprint scanners, voice command tools, iris and face scanners, among other biometric data, will have to deal with the impact if the Bill is signed into law.
According to industry experts, companies like Google and Amazon, which use biometric data, may be affected.
To begin with, both firms have voice assistants and various other products and these will be directly impacted by Clause 92.
In the worst-case scenario, it will become next to impossible for these tech firms to run any service that requires user biometrics.
"Google uses voice for running things like Google Translate and Google Home Amazon has Alexa voice assistant. If the draft Bill gets passed, their operations would be massively hit. Amazon, which is trying to create an online buying service based on user voice commands, will be left stranded," said a senior vice president of one of these firms.
Experts believe that Clause 92 of the draft Bill makes it clear that no data fiduciary (firm or an individual) shall process such biometric data as may be notified by the central government unless the processing is permitted by law.
At the moment what sort of biometric data will be allowed and what won't, and which firm can collect what kind of data are not clear.
"This is one of the several ambiguities in the current draft. It bars the processing of certain forms of biometric data. However, the provision lacks clarity on which kind of biometric data cannot be processed and what can be processed," said Salman Waris, managing partner at TechLegis Advocates & Solicitors, a law firm.
"It could lead to regulatory confusion and complicate things for companies that are involved in dealing with biometric data or are manufacturing devices that are dependent on processing of biometrics like phones, voice recognition-operated devices, IoT technology firms, fintech, and banking industry," Waris added.
Mobile phone makers may be one of the worst-hit -- they will have to start storing all biometric data locally and this will be an added infrastructure cost.
"The storing of biometric data locally will mean that all phone companies which store biometrics on their servers to authenticate user access will have to store and process this data in India," said Sachin Taparia, founder & chairman, LocalCircles.
Since biometric is classified as sensitive data, Taparia added local storage and processing of this information does make sense.
Card companies to be affected
Consent mechanism is at the heart of data sharing and the idea is to make the customer the owner of her/his data.
Under the account aggregator (AA) framework, the customer should be given the right to approve the sharing of data between two banks.
This is to make the customer powerful and also to educate her/him about how the data is being used.
The Financial Stability and Development Council has already approved the AA framework.
"Banks are better placed when it comes to data protection. There will be an impact on banks but they are also prepared for it, especially those which have foreign operations," said a banking expert.
"We are already spending money on this, but now we have to look at consent mechanism and I think we will be given a two-year window to build it. We have to see the details of the law. I think this law will impact the card companies more because they are not storing data locally," the banking expert added.