ArrowArtboardCreated with Sketch.Title ChevronTitle ChevronEye IconIcon FacebookIcon LinkedinIcon Mail ContactPath LayerIcon MailPositive ArrowIcon PrintTitle ChevronIcon Twitter
Business trends

India's tech industry up in arms over proposed data privacy law

Critics say bill will hit small companies and gives government too much power

E-commerce, social media, banking, finance, insurance and health care companies would be the most affected by the Personal Data Protection Bill. (Nikkei montage)

BANGALORE -- Proposed rules to regulate the way companies handle customers' personal data has received a mixed response from India's private sector, with some businesses praising it as necessary to protect privacy and others complaining that it will adversely impact their operations.

India's Personal Data Protection Bill seeks to protect consumers' financial details, biometric data, caste, religious and political beliefs and other personal information from unauthorized access -- although, controversially, state agencies are exempt under certain circumstances.

If the bill, which also recommends the setting up of a Data Protection Authority to enforce compliance, becomes law, it will affect all the companies that store or process user data. E-commerce, social media, banking, finance, insurance and health care sectors will likely be affected the most.

First tabled on the same day that Parliament passed India's controversial Citizenship (Amendment) bill, which allows citizenship for non-Muslim immigrants, the bill is now being discussed by a 20-member parliamentary panel that will take feedback from citizens, business establishments, law-enforcing agencies and other groups. Once the reworked bill is tabled in parliament, it will need majority votes in both houses of the legislature to become law.

Karnika Seth, a Supreme Court lawyer and a cyber law expert, said legislation to govern the handling of data is much-needed as cyber crimes, breach of privacy and unauthorized collection of data have become rampant, while India's existing Information Technology Act and Information Technology Rules, enacted years ago, are not thorough enough to protect personal data.

The Internet and Mobile Association of India, however, fears the proposed law will impose extra costs that could harm the business environment. Despite being the world's third largest recipient of venture capital after the U.S. and China, funding for the country's tech sector has cooled off lately due to the slowing economy and fallout from WeWork's IPO debacle late last year.    

In a statement, The Internet and Mobile Association of India expressed concern that the proposed law could harm the business environment. (Photo by Hiroshi Kotani)

The trade body said in a statement that the provisions of the bill put the functioning of businesses at risk. It said the enormity of some of the proposed requirements, such as mandated storage of information on local servers, will test many smaller businesses' capacity and that some requirements are restrictive for service providers.

The statement pointed out that the bill mandates all businesses collecting personal data to have a "Privacy by Design" policy in place and to be certified by the DPA to operate. IAMAI said such rules will create a restrictive certification and licensing regime and may handicap India's technology startups.

The National Association of Software and Services Companies (Nasscom) and Data Security Council of India have written a letter to the government, demanding more clarity on the proposed law.

The concerns come as the number of internet users in India is forecast to almost double to 850 million by 2022 from 2017 levels, according to PwC, which recently described India as "the world’s most promising Internet economy".

"The provisions restricting the cross-border flow of personal data are particularly concerning as these mandate localization of all personal data and provide wide discretion for classifying personal data as critical data required to be stored only in India. We believe that localization generally does not address the objectives of data security and privacy," the group said in the statement.

"Mandating data localization would undermine the competitiveness of Indian startups, SMEs, e-commerce companies, fintech and other technology-driven companies. With data localization, India would become a less attractive destination for startups based outside of India."

Cybersecurity expert and author Na Vijayshankar offered another perspective on the bill.

"If you are collecting huge data and you did not do anything for the security of that data, the impact will be huge," he said, adding that while the IT Act comes into play only after a crime happens, the new law seeks to bring in DPA to continuously monitor that the data remains uncompromised.

He added that big IT companies such as Infosys and Wipro will not be much affected if the law is enacted as they already abide by strict protocols on data security. He said such companies will need to introduce only minor changes under the new requirements.

While the impact on India's IT giants like Infosys will be relatively small, the proposed law will likely burden startups, small and medium-size enterprises, and e-commerce companies.   © AP

A technical expert who did not want to be named said companies would have to ensure data encryption and relocate their servers to India, both of which would jack up costs. Furthermore, he said Indian servers were already costly and less reliable and that companies would also need to spend on periodic security audits and appoint data protection officers.

He gave the example of the General Data Protection Regulation, which became effective in the European Union in May 2018. He said the regulation forced Microsoft to spend on new architecture and hiring 300 more engineers.

He pointed out that Microsoft had the deep pockets to make those changes but smaller Indian companies could be hammered by such costs. He pointed out that unlike the European regulation, India's bill recommends heavy penalties on organizations that don't abide by the rules.

Under the new regime, companies that fall foul of the data protection guidelines will have to pay up 150 million rupees ($2.1 million) or 4% of their annual turnover, whichever is higher. Failing to audit data will trigger a penalty of 50 million rupees or 2% of the annual turnover, whichever is higher.

Such concerns run alongside larger worries about some of the bill's more controversial provisions which recommend that the government be empowered to collect anonymized, non-personal data from private companies for purposes such as public interest, service delivery and others.

Mozilla Corp., the company behind the popular web browser Firefox, called this "a dramatic step backward in terms of the exceptions it grants for government processing and surveillance." IAMAI has also flagged the bill for this reason.

Furthermore, social media platforms such as Facebook, Twitter, WhatsApp and ByteDance-owned TikTok will be required to let users submit a government-approved identity proof and have their account verified, akin to the blue tick reserved for public figures. This would consume significant resources.

Seth said the bill will have a major impact on almost all the private companies in the technology industry. "A balanced approach is beneficial as it will not stifle the digital economy and not having any restrictions will leave too much lacunae in law for invasion of one's privacy," she said.

 

Sponsored Content

About Sponsored Content This content was commissioned by Nikkei's Global Business Bureau.

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this monthThis is your last free article this month

Stay ahead with our exclusives on Asia;
the most dynamic market in the world.

Stay ahead with our exclusives on Asia

Get trusted insights from experts within Asia itself.

Get trusted insights from experts
within Asia itself.

Try 1 month for $0.99

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this month

This is your last free article this month

Stay ahead with our exclusives on Asia; the most
dynamic market in the world
.

Get trusted insights from experts
within Asia itself.

Try 3 months for $9

Offer ends October 31st

Your trial period has expired

You need a subscription to...

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers and subscribe

Your full access to Nikkei Asia has expired

You need a subscription to:

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers
NAR on print phone, device, and tablet media

Nikkei Asian Review, now known as Nikkei Asia, will be the voice of the Asian Century.

Celebrate our next chapter
Free access for everyone - Sep. 30

Find out more