The information technology sector will petition the government over concerns that the broad exemptions sought by lawmakers in the proposed Data Protection Bill will adversely impact the fortunes of India’s $190 billion IT-BPM industry in the European Union, senior executives told ET.
In addition to opposing wide-ranging access to personal data being sought by the government, the industry representation will also highlight the inclusion of non-personal data in the bill, absence of timelines by when government agencies need to be compliant with the provisions as well as lack of applicability to personal data in the physical format.
Exemptions sought by the Indian government over access to personal data has left regulators and corporations worried and will adversely impact the Indian IT business in Europe, according to Rama Vedashree, CEO of Data Security Council of India (DSCI), an affiliate of industry body Nasscom. Such exemptions—which could dilute a comprehensive data privacy regime—could make it difficult to get the nod of the EU for an adequacy status—which facilitates business between the EU and other countries, she told ET.
The industry grouping will send a representation to the central government as early as next week, she added.
Currently, India does not have the adequacy status with the EU, which helps to enhance Indian companies’ prospects of getting business from organisations and governments in the region.
‘EU seeks assurance’
Continental Europe broadly accounts for 11% of overall business for the country’s IT sector while the US and the UK constitute as its largest markets with a share of 62% and 17%, respectively. Nasscom estimates that offshoring prospects from Europe are expected to increase in the coming years.
While the government may not exercise the (exemptions sought) without due process, their inclusion in the proposed Bill will worry global privacy regulators, according to the DSCI chief.
“India is the global hub of IT which processes data of nationals of many countries. The EU seeks assurance on behalf of governments as well as its agencies and companies that there will be no unfettered government access to personal data of foreign nationals, which may be processed in that country,” said Vedashree, a member of the Justice BN Srikrishna committee, which prepared the first draft of the Personal Data Protection Bill.
A recent report commissioned by the European Data Protection Board (EDPB) also called out data policies of India—specifically the exemptions that the government has sought—as an area of concern.
“The concept of ‘national security’ is recurring, vague and broad, and it is often used as a ground to access any personal information stored in the Indian territory, including personal data of persons in the EU,” said the report by the Centre for IT and IP Law of KU Leuven with support from research agency Milieu for the EDPB. The body is established by the General Data Protection Regulation (GDPR) and facilitates application of data protection rules throughout the EU.
Experts are of the view that the Court of Justice for the European Union has made clear that the laws of any third countries in which businesses are operating, including India, must provide a level of protection that is essentially equivalent to that of the European Union, if those companies are transferring the personal data of European citizens.
“If regulatory authorities adopt a position that determines India lacks sufficient privacy safeguards, it could disrupt the seamless, free flow of data between India and Europe, hurting Indian businesses and citizens alike,” said John Miller, Senior Vice President of Policy and General Counsel for industry grouping Information Technology Industry Council (ITI).
Built-in safeguards
To be sure, the Indian government along with the Joint Committee of the Parliament (JCP) has always maintained that there are enough safeguards which are built into the Data Protection Bill to ensure that citizen data is not misused.
In a recent interview to ET, PP Chaudhary, the chairman of the JCP studying the Personal Data Protection Bill, said “enough safeguards” have been built into the legislation and a right balance between the country’s need for security and integrity and sovereignty must be provided.
ITI’s Miller pointed out that as the proposed Data Protection Bill India is currently contemplating inclusion of such “problematic provisions” the “Indian government ( should) strongly consider opening another round of formal consultation to solicit stakeholder views on how to make certain the bill protects Indian citizens’ privacy rights in alignment with global standards,” he added.
