The National Association of Software and Services Companies (NASSCOM) met the Honorable Union Minister of Railways; Communications and Electronics and Information Technology Ashwini Vaishnaw along with Alkesh Kumar Sharma, Secretary, MeitY last week for a roundtable discussion on the recently announced draft Digital Personal Data Protection Bill 2022. The meeting was attended by industry leaders, startups, and SMEs who provided their initial feedback and suggestions on the bill.
The Minister Ashwini Vaishnaw provided several key messages, including:
- All future rules will be put up for public consultation in line with parliamentary mandate
- The Bill is designed to be simple to not just read, but also to implement across use-cases, as it will serve as a horizontal baseline that will cut across sectors and use-cases. Moreover, it is important for such a law to remain flexible and agile to technological changes.
- The Data Protection Board will be designed to redress concerns and complaints regarding data protection in a manner that the mechanism is accessible and effective for every strata of the society.
- As the Bill gets finalised, on cross-border data flows, government will ensure that the approach focusses on strengthing data protection without disrupting data flows.
- A good idea for startups and technology providers to offer their feedback will be to test the Bill against their specific use-cases to identify gaps, if any, and provide suggestions accordingly
- The shift away from revenue-based penalties is to ensure certainty and avoid getting into debates on revenue calculations which have created concerns in other regulatory regimes
The industry stakeholders appreciated the draft Digital Personal Data Protection Bill 2022, welcoming that, as compared to the previous drafts, this version has been simplified by removing past proposals that were not related to personal data protection, such as non-personal data, or that would have posed significant concerns to ease of doing business, such as the criminal offence, the hardware certification scheme, or the statutory data residency requirements.
The technology neutral design of the Bill combined with focus on leveraging technology to enchance the effectiveness of the data protection board and enable consent management were noted as key features that would help the Bill meet its objectives.
On cross border data flows, the industry felt that a framework prepared in consultation with government departments, sectoral regulators, and public consultations, should provide a clear, proportionate and enabling framework. Industry welcomed the retention of forward-looking concepts, such as the consent manager, to enable citizens to effectively manage their consent.
Recognizing that data is central to every country and industry, NASSCOM will continue to work with the government and the industry, and make recommendations that are aimed to not only further strengthen this bill from a privacy and innovation perspective, but also bolster India’s narrative as a trusted global partner for all invested in digital transformation.