India's data protection Bill has been in the eye of a storm ever since it was submitted to the government by a Committee headed by Justice Srikrishna.
Apart from the issues associated with the requirement for data localisation, which is likely to increase the costs and the burden of compliance on small and large firms, there are other issues that have been flagged by different industries.
While a large part of the focus has been on technology firms, in its current form however, the Bill will be applicable to a host of other industries from finance to aviation, manufacturing to healthcare.
"The law may be targeted towards big tech (companies), but even if you are a small "kirana" (grocery) store guy using a computer to store your customer’s number, the same law will be applicable to him," said Pratibha Jain, partner at law firm Nishith Desai Associates.
The Bill allows a person to withdraw consent for processing any of their personal data collected by a person or entity who will decide how personal data collected will be processed or acted upon.
"In lending, for example, the Bill allows for a customer to give partial consent. Suppose a customer is sharing eight information items for lending. Now if they want to withdraw consent for one or two of these permissions, it may not be possible to provide credit. Does that constitute denial of service?" asked Alok Mittal, Managing Director, Indifi Technologies Private Limited, a platform for enabling debt financing for small businesses.
Mittal also said criminal liability was an issue and that the Bill leaves a lot of room for interpretation.
Similarly, hotels, airlines, retail
and other industries that offer loyalty programmes would find it tough to comply with the requirements of compliance.
Besides, seeking consent every time personal data is processed would hinder the customer experience.
"The law should allow for some sort of breather or a waiver during the initial transition period," suggested Singh.