According to Information Technology Industry (ITI) Council, significant controls and exemptions by the government under the proposed Digital Personal Data Protection (DPDP) Bill 2022 is likely to affect investment in data centres and data processing activities in India. The comment by the global technology body comes in response to the draft Digital Personal Data Protection (DPDP) bill 2022 floated by the Ministry of Electronics and Information Technology (MeitY) for public consultation.
As per ITI, the bill grants significant controls to the executive arm of government of India and delegates much of the detailed rulemaking authority to separate, as yet undefined processes. That said, ITI believes that the government is also afforded a broad exemption from the bill’s application, which could make it harder for companies to invest in data centres and data processing activities in India.
ITI represents global technology majors such Google, Microsoft, Meta, Twitter, Apple, etc. The draft DPDP has exempted government-notified data fiduciaries from several compliance burdens such as provisions dealing with informing an individual about the purpose for data collection, collection of children’s data, risk assessment around public order, appointment of data auditor, etc.
The industry body, however, has supported the bill on various points such as permission to store data outside India, delineation of roles and responsibilities of entities that determine the purposes and means of the processing of personal data (data fiduciary) and entities that process personal data solely under direction and contract (data processor), etc.
The industry body further notes that DPDP bill represents the cornerstone of India’s broader digital ecosystem. It considers the move as an important moment for India to demonstrate global leadership in developing robust and consistent data protection standards that enable innovation and facilitate cross-border trade.
Separately, ITI has suggested the government to remove the concept of a “consent manager” or “consent manager platform” as it is unclear the way in which data fiduciaries, consent managers, and data principals, should interact with each other. The industry body said that data breach notification rules are currently broad, requiring every data breach to be notified to both the data protection board (DPB) and each affected data principal. To this end, ITI has recommended that only those breaches that are likely to have a material impact on the rights of the affected citizen should be reported to the board.
Moreover, in case of protection of children’s data, ITI wants the government to reconsider imposing blanket prohibitions on tracking, behavioural monitoring and targeted advertising, and confine restrictions only to instances of data processing of children that can manifestly cause significant harm.
