Though the draft has significantly simplified the legislation and addressed several industry concerns regarding the Bill’s previous versions, experts said the current version does not go into the specifics of the implementation.
The subsequent rules, which will be notified later under the law, will define the exact guardrails under which data will be governed in India, they added.
Experts also said that the broad exceptions provided for the government, both central and state, are worrisome because the government is the largest collector of data and, thereby, the largest data fiduciary.
A lot is “left to the rules,” and the “executive in India has a track record” of relying on rules to expand its powers, said Mishi Choudhary, technology lawyer and legal director at SFLC.
“The Bill meets expectations of people protection but ensures that the government retains all power without any checks or balances as it makes laws about individuals and businesses,” Choudhary said.
This, along with the exclusion of personal data stored and/or processed in non-digital formats, may present a gap that stymies efforts to protect personal data and ensure privacy in its entirety, said Manish Sehgal, partner at Deloitte India.
The draft Bill’s proposal to do away with the distinction between sensitive personal data and critical personal data can have serious consequences in case of a data breach as it could put individuals’ safety in jeopardy, several experts said.
“While the intent to create a simple compliance regime is laudable, the current approach may lead to the unintended consequence of ‘treating unequals equally’ and having to balance between creating a higher compliance burden for data which is less important and protecting truly sensitive data,” said Arun Prabhu, partner and head of technology, media and telecom at law firm Cyril Amarchand Mangaldas.
The government released the new draft of the legislation on November 18 and has sought public feedback till December 17.
The simplified Bill, with only 30 clauses, has been applauded by the industry for dropping clauses on the inclusion of non-personal data, regulation of social media and audit of hardware products, along with its earlier stance on hard data localisation.
The current Bill has called for transfer of data and its storage to “trusted jurisdictions.”
The draft Bill’s relatively soft stand on data localisation requirements and permitting data transfer to select global destinations based on pre-defined assessments is likely to foster country-to-country trade agreements, Sehgal of Deloitte said.