Much higher compliance burden on start-ups: IAMAI on Data Protection Bill

IAMAI’s members are currently evaluating the report by the Joint Parliamentary Committee [JPC] on PDP submitted to the Parliament on December 16, 2021. Prima facie it seems that the draft that was put out in 2019 after the widest possible consultations has changed fundamentally, including the title of the bill from Personal Data Protection Bill to Data Protection Bill. Certain other deviations such as the recommendations that social media intermediaries could become publishers in certain circumstances and a few aspects of data localisation norms change the original structure of the bill substantially.

The report currently encompasses non-personal data within the personal data protection bill, which is contrary to the recommendations of the expert committee appointed by the Ministry of Electronics & Information Technology (MEITY) to develop a framework for non-personal data governance.

IAMAI further said that the requirement on DPA to consult the Central Government before issuing any approvals or decisions on cross-border data flows would create an incredibly slow and cumbersome process for decisions and would mitigate the autonomy and efficiency of a specialised body such as the DPA.

IAMAI also raised its concerns on imposing age restrictions of 18 years on certain services that will exclude an important demographic from the digital ecosystem and will contradict most data regimes that create enabling provisions for 13-18 years. In addition, the inclusion of ‘psychological manipulations’ which impairs the autonomy of any individual (without sufficient understanding of what this would entail) under the meaning of ‘harm’ creates immense room for inaccurate interpretations of the law.

Above all, IAMAI feels that the recommendations may bring a much higher compliance burden on start-ups, and suggests that an expert group should be set up to study the impact of these recommendations on start-ups.

IAMAI is confident that the government will continue the transparent and consultative ethos under which the earlier draft bill was developed and urge further deliberations on the report. Certain provisions in the report such as the new requirement for hardware/ device testing need to be discussed with the industry as the outcomes of such a mechanism are not clear given that data fiduciary is already legally accountable for complying with the law.

The bill will impinge upon the IP rights of the companies as part of the new requirements on data portability and algorithmic transparency. These objectives can be achieved without compromising on trade secrets.