Asia Internet Coalition (AIC) & The Software Alliance (BSA) suggest changes in the "Draft Digital Personal Data Protection Bill", 2022
Ram Rastogi
Digital Payments Strategist ; Real Time Payments -IMPS / UPI ; Financial Inclusion ; Reg Tech; Public Policy
Industry bodies Asia Internet Coalition (AIC) and The Software Alliance (BSA) represent the interests of big tech majors and count Google, Meta, Amazon, and Microsoft as their members.
2. These industry bodies called for defining the criteria for the composition of proposed Data Protection Boards (DPB). They also sought more clarity on the membership requirements for the committee that will nominate DPB members.
3. BSA recommended that the selection committee should comprise the Chief Justice of India, or a judge nominated by him, along with the Cabinet Secretary and an expert nominated by the CJI in consultation with the latter.
4. These big tech majors have sought further clarity on clauses governing the transfer of personal data outside India. The current draft of the Bill retains a ‘white-list’ approach, meaning data can be processed online in countries allowed by the government.
5. BSA called for adoption of an ‘accountability model’ that puts the onus of protection of the personal data on entities that collect such data.
6. Meanwhile, the AIC sought the formulation of a black list that would specify the countries where the user data could not be processed.
7. Noting that the draft Bill does not specify a transition period, the BSA has sought a minimum transition period of two years to ensure sufficient time for companies to comply with the norms.
8. AIC urged the Centre to reconsider certain requirements, including the appointment of an independent auditor, data protection impact assessments, and periodic audits, to ease the compliance burden on significant data fiduciaries (SDFs).
9. The industry bodies also highlighted concerns around obligations related to reporting of data breaches. In essence, they sought to have data breaches defined, since reporting would otherwise ‘flood’ the authorities with excess information and may also cause ‘undue distress’ to data principals.
In their comments, both argued that the draft Bill mandates reporting of data breaches to the DPB, which overlaps with current norms under which CERT-In is the reporting authority.
This would create additional reporting obligations for the impacted companies and cause inadvertent delays.
10. Another major takeaway of the report was that the industry body AIC sought the re-introduction of codes of conduct as a way to promote co-regulation in the domain of data protection. In addition, the industry bodies urged the MeitY to undertake adequate consultation prior to adopting subordinate legislation to allay concerns of all stakeholders.
After being in limbo for close to three years, the new iteration of the DPDP Bill, 2022, was released earlier this year. The draft norms have come under fire from different stakeholders such as digital advocacy groups and internet activists over concerns ranging from ‘state surveillance’ to non-independence of the DPBs.
As the debate rages on, the ministry recently extended the last date of public feedback on the draft Bill to January 2, 2023. The Bill has specified a host of norms that will govern the digital ecosystem and will penalise the non-adherents. With much at stake, it remains to be seen how the proposed law shapes up amidst an evolving Indian digital space.
(Excerpts from INC42 article and various reports)
PCI QSA, CPSA-P, CISA, ISO 27001, Director- Panacea Infosec Pvt Ltd
(2y) Thank you sir for keeping everyone updated on the progress.