What Does The Data Protection Bill 2021 Mean For Commercial Industries?

The second working session at the Bar Association of India's Seminar on the Personal Data Protection Bill, 2021 held on 3rd May 2022 at New Delhi looked into the nuances of the impact that the impugned bill might bring upon industries. It focusses on what such a bill and its regulations mean for corporations and clients of law firms. The Panel was chaired by Dr. Pinky Anand, Senior Advocate & Vice President, BAI. She set the stage for the discussion by emphasizing how such a regulatory framework would increase the ease of doing business in the country, and why the absence of such a regulation so far had led the companies to uncertain junctions on data privacy. Dr. Pinky also stated how data changeability will be a big advantage for corporations given by the new bill. Ashish Aggarwal Mr. Ashish Aggarwal is the head of policy at NASSCOM. His work focusses on the regulatory framework of data, e-commerce, social media platforms, fin-tech and telecom value added services. He was also part of the team that designed the National Pension Scheme. Mr. Aggarwal submits that law, unlike a software code is not created overnight, wherein you could test out a code with dummy data and immediately fix the glitches. The creative process of law is much more complex, and therefore this bill invites such an extensive process. To establish the importance of such a law, Mr. Aggarwal invited the panels attention to the demographics of India. India is the IT and business process management (BPM) services hub to more than 120 odd countries, and we as a country are clocking in a massive $178 billion IT-BPM export industry, and domestic markets are going to touch $50 billion. These numbers add a dimension to our perspective on the data privacy law that is different from that of a European or American perspective. We have an opportunity in our law to help further enhance the trust of the global markets in our industry by enabling more global data to be processed here in safe manner without burdensome compliances. At the same time, there is a big surge in the number of tech start-ups over the past decade, who aim to be Unicorns (valued over $1 billion) and to be global. Therefore, our law will need to be global in its approach and be interoperable with, at least, the laws of our main trading partners on key principles of privacy laws protection and enforcement mechanisms. It becomes imperative that we have a comprehensive law that protects data privacy, since that would induce trust on digital markets and promote their growth. The bill also needs to recognize that the heterogeneity in our population will make it difficult for the common citizen to understand and exercise the right to privacy. Therefore, the focus on state capacity for creating awareness and addressing complaints swiftly and fairly will be a key parameter of success.All these aspects must be kept in mind while analyzing the possible impact of this law. The two big positives of this law are that first it enhances privacy, and second that it is applicable horizontally across industries. A flaw, however, is that the law has tried to bring under it — both personal, and non-personal data. One of the big concerns that is often faced with the General Data Protection Regulation (GDPR) is that of compliance, with the record keeping requirements being one such example. A Data Protection Bill which tries to bring both personal and non-personal data under it will raise the level of complexity to avoidable level and add additional layers of uncertainty for the industry. Therefore, Mr. Aggarwal believes that if they are separated, there will be better ease of compliance for corporations and industries. It will also enable the data protection authority to focus on its main objective of privacy protection. He highlighted a few other points where this law falls short: First, with respect to data classification – Official identifiers by default are seen as sensitive personal data. This will result in enormous costs, as official identifiers like Aadhar, and Passport numbers are processed on a daily basis for various reasons. The GDPR allows for such regulations but leaves it for national authorities to decide on additional safeguards without automatically recognizing it as a sensitive personal data. Financial information is by default a sensitive personal data in our bill whereas globally it is not treated as such. Given that financial sector is highly regulated and also the fact that all personal data enjoys a high level of protection – treating a wide range of financial information as sensitive data by default is likely to lead to burdensome compliance. Our proposed definition of health data is very broad. Given this is a sensitive data, it is important that the definition is narrowed down to the data of an individual's health condition. This will also align it to the global understanding. A broad...

What Does The Data Protection Bill 2021 Mean For Commercial Industries?

LIVELAW NEWS NETWORK

Tags