March 04, 2020

WASHINGTON – Today, 15 international technology and business trade associations respectfully urged India’s Joint Parliamentary Committee to amend the Personal Data Protection (PDP) Bill 2019 suitably in order to truly uphold privacy protection and remove barriers to the growth of the economy. In a letter led by the Information Technology Industry Council (ITI), the global associations commended the Government of India’s prioritization of the technology sector and privacy for Indian citizens but expressed concerns with its current approach to data protection in the PDP Bill.

“We welcome the significant progress that the Government of India has made on the protection of personal data for Indian citizens. India has long been a global technology leader that creates and supplies goods and services to contribute to a productive, competitive, and innovative global economy and society,” the associations wrote. “However, we are concerned that some provisions in the personal data protection bill would hamper the country’s economic growth, constrain the ability of companies operating in market to innovate, and in some cases potentially undermine the protection of Indian citizens’ privacy.”

The groups raised specific concerns regarding the bill’s approach to data localization, regulating non-personal data, and government access to both personal and non-personal data, the bill’s open-ended definition of sensitive personal data, and the lack of a definition for critical personal data.

“Privacy and user trust are central to our member companies’ businesses, and that commitment to privacy is fulfilled no matter where our user’s data is stored,” the associations wrote. “Our companies operate at a global scale and the free flow of data across borders is fundamental to maintaining trust and providing the highest quality products and services. We are deeply concerned that the PDP Bill requires a copy of sensitive personal data to be stored in India even when conditions for its cross-border transfer are met, and that critical personal data cannot be transferred under any conditions.”

The letter is in addition to recently submitted comments to the Joint Parliamentary Committee on the Personal Data Protection Bill 2019 by many of the associations on the letter and their member companies.

Read the letter here or below.

Joint Industry Letter on the Personal Data Protection Bill, 2019

March 5, 2020

Smt Meenakshi Lekhi,

Chairperson,

Joint Parliamentary Committee on the Personal Data Protection Bill, 2019.

Respected Smt Meenakshi Lekhi ji,

It is our pleasure and honor to be able to present our recommendations on the crucial Personal Data Protection (PDP) Bill, 2019 through your office to the Parliament of India.

Our trade associations represent a global community of companies that develop, sell, or rely on digital technologies and services for day to day business operations. We welcome the significant progress that the Government of India has made on the protection of personal data for Indian citizens. India has long been a global technology leader that creates and supplies goods and services to contribute to a productive, competitive, and innovative global economy and society.

However, we are concerned that some provisions in the PDP Bill would hamper the country’s economic growth, constrain the ability of companies operating in market to innovate, and in some cases potentially undermine the protection of Indian citizens’ privacy.

Privacy and user trust are central to our member companies’ businesses, and that commitment to privacy is fulfilled no matter where our user’s data is stored. Our companies operate at a global scale and the free flow of data across borders is fundamental to maintaining trust and providing the highest quality products and services. We are deeply concerned that the PDP Bill requires a copy of sensitive personal data to be stored in India even when conditions for its cross-border transfer are met, and that critical personal data cannot be transferred under any conditions. Requirements around critical data are particularly concerning because there is no definition of such data, creating significant uncertainty for businesses operating in India. In addition, the open-ended nature of the definition of sensitive personal data, which would allow it to be expanded at any time through government notification, raises significant concerns. The ambiguity in the definitions, and the restrictions on where data must be stored based on those definitions, presents a serious constraint for many companies when planning their future investments in India.

We also recommend that lawmakers remove Article 91 (2) on non-personal data from the PDP Bill given that the policy objective of regulating non-personal data is inherently different from that of personal data protection. There is an existing committee looking into non-personal data that should be granted the time and resources to examine this issue in all its dimensions before proposing any legislation. Relatedly, we also respectfully ask that the Government of India establish clear parameters for government access to both personal and non-personal data, grounded in rule-of-law processes that protect the privacy of citizens and business confidence.

In addition to these items, many of our associations and member companies have submitted comments to your committee with further detail on these and other concerns for your consideration, including mechanisms for cross-border transfer of data, the role and responsibilities of the Data Protection Authority, the use of consent for data processing, penalties, and more. We kindly refer you to these submissions for additional details.

We therefore urge the Government of India to seek long term solutions on these matters and amend the PDP Bill suitably in order to truly uphold privacy protection and remove barriers to the growth of the economy. We remain committed to providing any additional input or assistance that may be helpful to achieve these goals.

Signed,

Information Technology Industry Council (ITI)

ACT | The App Association

BSA | The Software Alliance

Coalition of Services Industries (CSI)

CompTIA

Computer & Communications Industry Association (CCIA)

DIGITALEUROPE

Global Data Alliance

Internet Association (IA)

Japan Business Machine and Information System Industries Association (JBMIA)

Japan Electronics and Information Technology Association (JEITA)

Japan Information Technology Services Industry Association (JISA)

National Foreign Trade Council (NFTC)

techUK

United States Council for International Business (USCIB)

CC:

Shri Ajay Prakash Sawhney, MEITY, GoI

Shri Shailendra Singh, Additional Secretary, DPIIT, GoI

Shri Guruprasad Mohapatra, Secretary, DPIIT, GoI

Shri Gopalakrishnan S, Additional Secretary, MEITY, GoI