Industry body National Association of Software and Service Companies, better known as NASSCOM, has urged the government to ensure that the exemptions intended for early-stage start-ups in the Digital Personal Data Protection (DPDP) Bill do not 'unintentionally undermine' the proposed legislation's objectives.
The trade association of India's IT-BPM industry, which has over 3,000 members, said that the exemptions to early-stage start-ups should be based on fairness and transparency principles. NASSCOM made these recommendations in its submission to the Ministry of Electronics and Information Technology on the DPDP Bill 2022.
The submission of NASSCOM is in reference to the 'Exemptions' clause of the bill. The section says that the Indian government may exempt "certain data fiduciaries or class of data fiduciaries" from Sec 6, Sec 9 (2) and (6), Sec 10, 11 and 12 of the Act.
While Section 6 deals with grounds for processing digital personal data, Section 9 talks about the responsibilities of data fiduciaries. Section 10 has additional obligations for data fiduciaries in relation to processing of personal data of children and so on.
In particular, NASSCOM, in their submission said Clauses 6, 10, 12 (1) and 2 should continue to apply for early-stage start-ups and "exemptions are only granted after having regard to the fairness and transparency principle".
Clause 12 of the DPDP Bill has provisions on right to information about personal data. Specifically, Clause 12 (1) and (2) say that a data principal would have the right to obtain from a data fiduciary the confirmation on whether a data fiduciary has processed or is processing personal data.
It also says that the data principal can obtain a summary of personal data that has been processed or is being processed by a fiduciary.
The government wanted to provide exemptions in this regard in the DPDP Bill 2022. However, NASSCOM, in its submission, wants these provisions to continue to be applicable to early-stage start-ups.
With regard to the proposed exemption to early-stage start-ups in relation to children's data, NASSCOM said, "Obligation to prevent harm to children under Clause 10(2) should continue to apply."
Transitional period
The industry body also requested a time period of around 24 months for implementation of the DPDP Bill when it becomes a law.
The body, in their submission to MeitY, said that many obligations of the DPDP Bill will be resource-intensive and that a transition period should be given by the government for easing into the legislation.
"Many entities will be implementing safeguards for all personal data for the first time. Not all will be starting from the same maturity level or be operating at the same level of volume or complexity of processing. Some suggested obligations are also relatively more resource-intensive than others," NASSCOM said.
The industry body pointed to the Srikrishna Committee and Joint Parliamentary Committee of the erstwhile PDP Bill 2019, wherein it was laid down that a transition period of 24 months would be given for companies to adjust to the new legislation.
Language requirement
The industry body also asked the government to reconsider the DPDP Bill's obligation to provide information in 22 languages of the country.
"The clause will be prohibitively expensive and create high administrative costs on all Data Fiduciaries as translations to all 22 languages will always be required by default," the body said.
NASSCOM instead urged the government to create a 'reasonableness' obligation by requiring data fiduciaries to provide information in English and "any or more" languages.
"This would afford flexibility to data fiduciaries to apply this obligation contextually, while still ensuring data principals have local language options," NASSCOM added.
