Big Tech, including Google, Meta, Twitter, Apple and Microsoft, has sought a revision of the definition of a child under the Digital Personal Data Protection (DPDP) Bill to mean an individual under the age of 13, a re-look at provisions to facilitate cross-border data transfer, and a transition period of around two years for the implementation of this legislation, among others.
These requests were made in submissions by the Asia Internet Coalition (AIC) and The Software Alliance (BSA) to the Ministry of Electronics and Information Technology (MeitY) as part of the consultations on the DPDP Bill. Later, on December 23, the ministry is set to meet stakeholders and discuss the various provisions of the Bill.
While AIC's members include Amazon, Meta, Google, Twitter, LinkedIn and so on, the BSA members are Adobe, IBM, Microsoft, Zoom, Shopify, AWS and others.
Redefine child
The DPDP Bill defines a child under Clause 2(3) as someone below the age of 18 years.
Clause 10 of the Bill contains obligations for data fiduciaries such as Google, Apple, Meta and so on to obtain verifiable parental consent; not undertake tracking or behavioural monitoring of children and not target advertisements at them.
Both AIC and BSA in their submissions asked MeitY to revise the definition of child to mean an individual under the age of 13.
"The upper age limit of 18 for defining ‘child’ clashes with other data protection frameworks such as the GDPR and the United States’ Children’s Online Privacy Protection Act. This could prevent some children — particularly teenagers — from accessing services. It could also increase the cost for Data Fiduciaries to provide these services," BSA said in its submission.
The AIC said, "The overall prohibitions on monitoring, profiling and targeted advertising (at children) should also be reconsidered by the MeitY. This is because the bar on monitoring or tracking children may lead to a scenario where data fiduciaries are unable to undertake tracking or beneficial monitoring of children to deter online harm and ensure their online safety..."
More clarity on cross-border data transfer
Both BSA and AIC have asked for more clarity on Clause 17 of the DPDP Bill, which governs the transfer of all forms of personal data outside India. The Bill says the data can be transferred to countries which the government allows (a white-list approach).
While AIC urged MeitY to provide a "negative list of countries" where personal data cannot be transferred, the BSA, representing Microsoft, IBM, AWS and others, suggested that the Bill—other than the white-list approach—should have an accountability model.
In this accountability model, BSA explained that data fiduciaries, while being responsible for the data, can transfer/process data anywhere.
Both BSA and AIC also suggested that the Bill should be revised to state that cross-border data transfer will be permitted anywhere for contractual purposes.
"We would like to highlight our concern with a potential scenario that may arise under the DPDP Bill – i.e., data fiduciaries being based in countries that are not permitted by the Central Government for the purpose of cross-border data transfers. In line with global frameworks, such as the EU’s General Data Protection Regulation (GDPR), relaxations ought to be granted to data fiduciaries that find themselves in such a situation. This is especially important if personal data transfers are considered necessary for providing services, adhering to contractual obligations owed to a data principal...," AIC said.
Deemed consent
Clause 7 of the DPDP Bill has introduced the concept of "deemed consent" for processing personal data for specific purposes, such as "public interest". Both BSA and AIC want the Bill to include "contractual reasons" for processing data with deemed consent.
"The non-inclusion of contractual necessity as a ground of processing personal data without consent (or by assuming deemed consent) may lead to a scenario where consent has to be taken from data principals during every stage of processing their personal data, even if done in pursuance of contractual obligations," AIC said.
Redefine data breach
Both AIC and BSA have taken objection to the definition of the personal data breach as "unauthorised processing of personal data" in the DPDP Bill. The Bill states that all personal data breaches have to be reported to the Data Protection Board (DPB).
"Such broad-based reporting may not only flood the DPB with excess information but may also cause undue distress to data principals," AIC opined.
Both AIC and BSA requested MeitY to prescribe a risk-based threshold for reporting breaches.
The AIC also pointed out that data fiduciaries currently also have to report cyber security incidents, including data breaches, to the Indian Computer Emergency Response Team (CERT-In).
"Since the Indian Computer Emergency Response Team expects cyber-incidents such as data breaches or data leaks to be reported to it in a specific format and within specific timelines, a dual requirement under the DPDP Bill may increase the compliance burden on data fiduciaries and data processors, without resulting in any added benefits," the industry body representing Meta, Twitter and Google added.
Time period of implementation
The Bill states that different provisions may come into force on different dates. However, Big Tech is concerned with the lack of clarity on the timeline for the implementation of its various provisions.
"Ambiguity on these timelines for compliance creates significant concerns because organisations require adequate time to put in place systems and processes to meaningfully implement the Bill's requirements," BSA said.
While the AIC did not suggest any specific timeline, the BSA urged the government to provide a transitional period of at least 2 years for implementation.
"All implementing regulations should be finalised at least 12 months before they take effect, to ensure that companies have sufficient time to operationalise their requirements," BSA said.
Data Protection Board must be independent
The DPDP Bill proposes the establishment of DPB to ensure compliance with the provisions of the Bill.
Both BSA and the AIC were critical of the provisions in the Bill that give significant control of the DPB to the central government, thus raising questions over its independence.
Currently, the DPDP Bill states that the central government will appoint members of the DPB including its chief executive and so on.
BSA urged MeitY to revise the criteria and recommended that the selection committee should consist of the Chief Justice of India (or a judge nominated by him), Cabinet Secretary and an expert nominated by the Chief Justice in consultation with Cabinet Secretary.
Criticism of exemptions to government
The AIC criticised Section 18 of the DPDP Bill, which, like its predecessor, the Personal Data Protection Bill 2019, awards exemptions to the central government and its agencies from provisions of the Bill on grounds like security of the state and so on.
The body said, "This would give the notified government instrumentalities immunity from the application of the law, which could result in immense violations of citizen privacy. This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse.
"If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance. Any exemption sought by government agencies should be granted only if they fulfil the standards of legality, necessity and proportionality," it added.