Industry bodies in favour of 'phased implementation' of personal data bill

Nasscom said the clause on cross-border data flow should recognise a range of transfer mechanisms

Industry bodies have suggested that the government follow a "phased implementation" of the recently drafted Digital Personal Data Protection Bill, 2022, once it becomes a law so that entities have adequate time to transition into the new regime.
 

According to a report by The Economic Times, Nasscom has suggested that the government consider a timeframe of 24 months for implementation of the new iteration, the same as was for the earlier versions of the draft.
 

Industry body BSA (The Software Alliance) has suggested a transitional period of at least two years for the implementation of the bill.
 

In its submission to the government, BSA said all implementing regulations should be finalised at least 12 months before they take effect to ensure that companies have sufficient time to operationalise the requirements.
 

Industry bodies have also said that complex and undefined terms in the draft such as ‘automated’, ‘online’, ‘digitised’, and ‘offline’ makes the bill hard to interpret. They also suggested that the bill should mention that it does not apply to the processing of personal data not in electronic form.
 

Ashish Aggarwal, the vice-president and head of public policy at Nasscom, told ET that the bill only applies to the processing of personal data. “However, unlike previous drafts, the exclusion of anonymised data, i.e., data that is not or no longer personal data is not explicitly stated. We have suggested that this should be stated in the bill.”
 

Nasscom also said the clause on cross-border data flow should recognise a range of transfer mechanisms.
 

Companies like Reliance Jio, Bharti Airtel and Paytm have opposed the Centre's move to allow the transfer of personal data of Indians to ‘trusted geographies’, and have sought data of Indians to be stored within the country. This is contrary to the position taken by the industry’s nodal grouping, the Internet and Mobile Association of India (IAMAI).
 

“We strongly recommend it recognise other transfer mechanisms, including transfers made with the consent of the data principal and transfers based on interoperable mechanisms such as model contracts, intra-group schemes, and certifications like the APEC Cross-Border Privacy Rules (CBPR) system,” Venkatesh Krishnamoorthy, BSA’s country manager, India, told the publication.