NEW DELHI – Today, global tech trade association ITI offered recommendations to help ensure provisions of the Personal Data Protection Bill (PDPB) protect Indian citizens' privacy while supporting, rather than harming, India’s economic growth and innovation leadership. In a letter to Shri Ashwini Vaishnaw, Minister of Electronics & Information Technology for the Government of India, ITI underscored that certain recommendations in the Report of the Joint Parliamentary Committee on the PDPB could unintentionally limit the ease of doing business in India, hamper the country’s continued economic growth, and constrain the ability of Indian and global companies to innovate in India.

“ITI foresees a risk that other competing economies that offer less complex and more practical regulatory environments for data may attract investments away from India,” ITI wrote in the letter. “We are optimistic that the Honourable Prime Minister’s vision of making India a $5 trillion economy can materialise soon if the Indian Government continues to focus on risk-based regulations and policies that balance regulatory burden with benefits to the Indian public. Furthermore, given the implications of certain elements of the Report, we feel strongly that the process of developing a comprehensive data protection framework must be transparent, risk-based, and iterative to ensure alignment with government objectives and the avoidance of collateral impacts on Indian businesses, consumers, and workers.”

In the letter, ITI outlined a range of concerns and recommendations to the Ministry, including::

  • Incorporation of non-personal data (NPD) within a single legislative act. The policy objective of regulating non-personal data is disconnected from protecting Indian citizens’ privacy rights and is thus fundamentally different from that of personal data protection. ITI considers it essential to exclude non-personal data from the proposed personal data protection legislation to align with global frameworks and requests MEITY to reconsider the recommendation of the Joint Parliamentary Committee to include non-personal data within the PDPB.

  • Strict data localization obligations. The goal of securing Indian citizens’ data might be undermined through data localization requirements, which create a single point of failure, present a target for a cyber intrusion or attack, and reduce access to state-of-the-art solutions globally. MEITY should reconsider the data localization obligations in the PDPB in the interest of protecting the privacy and security of India-based users and promoting the Government of India’s ease of doing business goals.

  • Restrictions on cross-border transfers of data. Restrictions on data flows would undoubtedly create further business uncertainty as well as friction in the Indian business environment that will slow data innovation. MEITY should ease the extensive requirements for transferring data out of India, including obtaining approvals of the Data Protection Authority (DPA) and the Central Government for many cross-border transfers. As an ideal alternative, the DPA should be empowered to approve model contractual clauses and other internationally recognized cross-border data transfer mechanisms.

Earlier this month, ITI led a multi-association letter to the Ministry of Electronics and Information Technology (MEITY) requesting that it conduct additional consultations with all concerned stakeholders before introducing any updated data protection bill in Parliament.

Read the full recommendations here.

Related [Data & Privacy]