{"id":17493,"date":"2019-12-14T09:08:47","date_gmt":"2019-12-14T03:38:47","guid":{"rendered":"https:\/\/www.technologyforyou.org\/?p=17493"},"modified":"2019-12-14T09:08:47","modified_gmt":"2019-12-14T03:38:47","slug":"nasscom-dsci-statement-on-personal-data-protection-bill-2019","status":"publish","type":"post","link":"https:\/\/www.technologyforyou.org\/nasscom-dsci-statement-on-personal-data-protection-bill-2019\/","title":{"rendered":"NASSCOM – DSCI Statement on Personal Data Protection Bill 2019"},"content":{"rendered":"

To deliberate on the recently tabled Personal Data Protection Bill, NASSCOM-DSCI held an industry <\/span><\/strong>consultation with its members today. Debjani Ghosh, President NASSCOM, said, <\/strong>A robust data <\/span>protection law is critical for India\u2019s success in the data economy and we are very happy that the <\/span>Government is taking the necessary steps to pass the law at the earliest. Am also happy that the voice <\/span>of the industry has been heard and that this version has incorporated several of the recommendations <\/span>made. There are a few areas where we still need further clarity and NASSCOM will continue to work <\/span>with the Government to ensure the bill is a win -win for India and the Industry.<\/span><\/p>\n

The notable positive changes in the draft of the Bill include :<\/span><\/strong><\/span><\/p>\n

\u2022 Removal of Restrictions on Cross-Border Transfer of Personal Data \u2013<\/strong> The earlier draft of the <\/span>Bill required one copy of personal data to be stored within the territory of India, for transfers <\/span>of Personal Data to take place. Further, such transfers could only take place on the basis of<\/span>
\nstandard contractual clauses, intra-group transfer schemes or adequacy decisions. These <\/span>restrictions have now been removed.<\/span><\/p>\n

\u2022 Removal of Passwords from the indicative list of Sensitive Personal Data \u2013<\/strong> Passwords have <\/span>been removed from the indicative list of Sensitive Personal Data under Clause 2(36) of the Bill.<\/span><\/p>\n

\u2022 Certain Offences Removed from the Bill \u2013<\/strong> The earlier draft of the Bill listed the obtaining, <\/span>transferring or selling of personal and sensitive personal data in a manner contrary to the Act, <\/span>as an offence. These provisions have now been removed.<\/span><\/p>\n

\u2022 Relaxations on Cross-Border Transfer of Critical Data \u2013<\/strong> It has been explicitly clarified in the <\/span>Bill, that personal data which is notified by the Central Government as critical data, may be <\/span>transferred outside the territory of India in certain limited circumstances \u2013 i.e. (i) prompt<\/span>
\naction for the provision health services or emergency services; and (ii) where the transfer is <\/span>to a territory where the Central Government allows the transfer of critical data.<\/span><\/p>\n

\u2022 Creation of sandbox to encourage innovation \u2013<\/strong> The Data Protection Authority (DPA) shall <\/span>create a sandbox for encouraging development of artificial intelligence, machine learning or <\/span>any emerging technology in public interest.<\/span><\/p>\n

\u2022 Due Process Requirements for Investigating Offences \u2013<\/strong> The power granted to police officers <\/span>above the rank of Inspector to investigate offences under the Bill have been removed. Any <\/span>investigation has to happen on the basis of a complaint by the DPA, and subsequent to a court<\/span>
\norder issued on the basis of such complaint.\u00a0<\/span><\/p>\n

The key areas of concern for the industry however, are:<\/span><\/strong><\/span><\/p>\n

\u2022 Power to Exempt certain Data Processors \u2013<\/strong> Central Government has the power to exempt <\/span>data processors, that process personal data of data principals who are outside the territory of <\/span>India. While this was included in the earlier draft of the Bill as a miscellaneous provision, this<\/span>
\nhas now been included under the Chapter on exemptions under the Bill. However, no material <\/span>changes have been made to the text. The industry, in particular the IT-BPM and GCC industries <\/span>will need greater certainty on the scope and issuance of the exemption.<\/span><\/p>\n

\u2022 Inclusion of Provisions Dealing with Non-Personal Data \u2013<\/strong> The Bill empowers the Central <\/span>Government to direct data fiduciaries or data processors to share anonymised data or non-<\/span>personal data for the purpose of enabling better targeting for delivery of services or for the <\/span>formulation of evidence based policies by the Central Government. The Central Government <\/span>has to make annual disclosures of the directions issued under this provision. However, no <\/span>safeguards have been provided for protecting IP rights, or other business sensitive non personal data.<\/span><\/p>\n

\u2022 Categories of Sensitive Personal Data-<\/strong> The Bill retains \u201cfinancial data\u201d as a category of <\/span>sensitive personal data. Further, \u201cfinancial data\u201d continues to be defined broadly under the <\/span>Bill. This is an area of concern, especially with reference to employee data processing for<\/span>
\noperations such as payroll services, that requires processing of financial data. Given that <\/span>explicit consent is the only ground for processing sensitive personal data, the classification of <\/span>\u201cfinancial data\u201d as sensitive personal data poses potential problems for other business<\/span>
\noperations such as risk management, fraud detection, among others. <\/span>Lastly, there are some areas where we will be seeking further clarity. For instance, while the <\/span>classification of data has been designed in the same manner, personal data now covers inferences <\/span>drawn for the purposes of profiling, we will be studying this closely to assess its impact. <\/span><\/p>\n

Other areas <\/span>where clarity will be sought includes:<\/span><\/strong><\/span><\/p>\n

\u2022 Classification of Significant Data Fiduciaries \u2013<\/strong> The Bill provides certain factors that need to <\/span>be considered by the DPA while classifying certain data fiduciaries as \u201csignificant data <\/span>fiduciaries\u201d. It needs to be made abundantly clear that these factors will be assessed <\/span>cumulatively, instead of individually, by the DPA.<\/span><\/p>\n

\u2022 Classification of certain Personal Data as Critical Data \u2013<\/strong> The Central Government retains the <\/span>power to notify any personal data as critical data. However, the Bill still does not provide any <\/span>definition for critical data, or provide any guidelines for the determination of what may be<\/span>
\nnotified as critical data. This is an area that needs further clarity to create business <\/span>predictability from an operational standpoint.<\/span><\/p>\n

\u2022 Cross-Border Transfer of Sensitive Personal Data \u2013<\/strong> The Bill requires continued storage of <\/span>sensitive personal data in India, in instances where a cross-border transfer of sensitive <\/span>personal data is affected. It is unclear as to what this requirement entails vis-\u00e0-vis manner of <\/span>storage.<\/span><\/p>\n

\u2022 Removal of Transitional Provisions \u2013<\/strong> The Bill excludes transitional provisions provided in the <\/span>earlier draft. Upon enactment, the industry will need sufficient time to implement changes in <\/span>their business models. Accordingly, there is a need for further clarity from the Central<\/span>
\nGovernment on the manner in which various provisions will be brought into force, so that the <\/span>industry is able to achieve meaningful compliance.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

To deliberate on the recently tabled Personal Data Protection Bill, NASSCOM-DSCI held an industry consultation with its members today. Debjani Ghosh, President NASSCOM, said, A robust data protection law is critical for India\u2019s success in the data economy and we are very happy that the Government is taking the necessary steps to pass the law […]<\/p>\n","protected":false},"author":1,"featured_media":17494,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,9231],"tags":[10267,10266],"class_list":{"0":"post-17493","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-security","8":"category-top-stories","9":"tag-nasscom-dsci-statement-on-personal-data-protection-bill-2019","10":"tag-personal-data-protection-bill-2019"},"_links":{"self":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/17493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/comments?post=17493"}],"version-history":[{"count":0,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/17493\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media\/17494"}],"wp:attachment":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media?parent=17493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/categories?post=17493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/tags?post=17493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}