Update: NASSCOM-DSCI Feedback on the Personal Data Protection Bill, 2019
Blog: NASSCOM Official Blog
As a part of the consultation process undertaken by the Joint Parliamentary Committee (JPC) chaired by Member of Parliament, Smt. Meenakshi Lekhi, NASSCOM, together with the Data Security Council of India (DSCI) submitted their comments on the Personal Data Protection Bill, 2019 (PDP Bill) on 26 February 2020. The NASSCOM-DSCI submission was prepared based on extensive industry consultation carried out between December 2019 and January 2020.
More recently, NASSCOM was invited by the JPC to submit a presentation on its views on the PDP Bill. Accordingly, NASSCOM and DSCI submitted a presentation deck before the JPC on 8 July 2020, highlighting the key points from its February 2020 Submission.
In particular, the presentation highlighted the eight foreseeable challenges in the context of the PDP Bill:
- Appropriately defining the scope of Sensitive Personal Data
- Appropriately defining grounds for processing Sensitive Personal Data
- Considering implications of the above, on issues relating to cross-border processing of Sensitive Personal Data and Critical Personal Data
- Properly defining the carve-outs for processing of foreign nationals’ data
- Reconsidering the inclusion of criminal offences in the PDP Bill
- Reconsidering provisions relating to the sharing of Non-Personal Data under the PDP Bill
- Providing additional clarity on the scope of application of the PDP Bill and the transition timelines available to the industry for compliance
- Appropriately defining the functions of the Data Protection Authority (DPA)
As with the February 2020 submissions, NASSCOM-DSCI highlighted that certain types of personal data, such as Official Identifiers and Financial Data, should not be treated as Sensitive Personal Data under the PDP Bill – given especially the wide definitions afforded to these terms under the PDP Bill. Instead, it was advocated that a risk-based approach should be adopted to the classification of Sensitive Personal Data.
Likewise, emphasis was also placed on the need to extend the “reasonable purposes” ground available for the processing of Personal Data, to the processing of Sensitive Personal Data as well – particularly, in the context of processing of Sensitive Personal Data for employment purposes (such as processing of biometric data for maintenance of attendance).
Other issues, such as greater clarity over adequacy mechanisms, and the precise scope and conditions of the exemption to processing of foreign nationals’ data; in addition to making such an exemption explicit in the Bill itself.
A point was also made as to the inclusion of Non-Personal Data within the Scope of the PDP Bill, especially considering that the Ministry of Electronics and Information Technology (MeitY) has already established a Committee on Non-Personal Data, to consider in detail the framework for sharing of non-personal data, together with adequate safeguards for such sharing.
Lastly, the presentation emphasized upon the need for the DPA to be independent, and for it to adopt a co-regulatory approach through hard-coded obligations to consult industry and other regulators. Likewise, the DPA should imbibe regulatory governance, and adopt open and effective consultation processes.
NASSCOM and DSCI have not deposed before the JPC as on date. The contents of our submissions to the JPC are being withheld from publication, till the conclusion of the JPC’s process.