Data Protection Bill: Nasscom lists concerns and seeks clarity

The central government has the power to exempt data processors that process personal data of data principals that are outside the territory of India. While this was included in the earlier draft of the bill as a miscellaneous provision, this has now been included under the chapter on exemptions under the bill. However, no material changes have been made to the text. The industry, in particular the IT-BPM and GCC industries, will need greater certainty on the scope and issuance of the exemption.

Inclusion of provisions dealing with non-personal data: The bill empowers the government to direct data fiduciaries or data processors to share anonymised data or non-personal data for the purpose of enabling better targeting for delivery of services or for the formulation of its evidence-based policies. The government has to make annual disclosures of the directions issued under this provision. However, no safeguards have been provided for protecting IP rights, or other business sensitive non-personal data.

Categories of sensitive personal data: The bill retains “financial data” as a category of sensitive personal data. Further, “financial data” continues to be defined broadly under the bill. This is an area of concern, especially with reference to employee data processing for operations such as payroll services, that requires processing of financial data. Given that explicit consent is the only ground for processing sensitive personal data, the classification of “financial data” as sensitive personal data poses potential problems for other business operations such as risk management, fraud detection, among others.

Nasscom has sought clarity on the classification of data. “While the classification of data has been designed in the same manner, personal data now covers inferences drawn for the purposes of profiling, we will be studying this closely to assess its impact.”

It has also sought clarity on:

Classification of significant data fiduciaries: The bill provides certain factors that need to be considered by the DPA while classifying certain data fiduciaries as “significant data fiduciaries”. It needs to be made abundantly clear that these factors will be assessed cumulatively, instead of individually, by the DPA.

Classification of certain personal data as critical data: The government retains the power to notify any personal data as critical data. However, the bill still does not provide any definition for critical data, or provide any guidelines for the determination of what may be notified as critical data. This is an area that needs further clarity to create business predictability from an operational standpoint.

Cross-border transfer of sensitive personal data: The bill requires continued storage of sensitive personal data in India, in instances where a cross-border transfer of sensitive personal data is affected. It is unclear as to what this requirement entails vis-à-vis manner of storage.

Removal of transitional provisions: The bill excludes transitional provisions provided in the earlier draft. Upon enactment, the industry will need sufficient time to implement changes in their business models. Accordingly, there is a need for further clarity from the government on the manner in which various provisions will be brought into force, so that the industry is able to achieve meaningful compliance.