Data Protection Bill requires social media companies to create e-KYC like validation process. The validated users will get something like a blue tick or ‘visible mark of verification, which shall be visible to all users of the service’. This will turn companies like Facebook and Twitter into e-KYC firms, allowing government to identify the identity of each ‘verified profile’.
Experts feel this will, on the one hand, increase compliance costs for social media companies, while at the same time, allow government to track individuals on social media more effectively. In addition, the Bill has diluted the initial requirement of holding all personal data within the country, now allowing the processing of such data to be done outside.
Sensitive data
“The Bill proposes for a regulatory sandbox for entities engaged in developing of new technologies in the nature of artificial intelligence and machine learning. These entities will enjoy certain exemptions from purpose, storage and consent require'ments. The Bill also proposes limiting local storage requirements to sensitive personal data (as opposed to all personal data) and moots an exclusion for search engines. While the above changes would arguably help enable certain types of businesses, other changes, such as lack of a clear implementation roadmap, transition provisions and the requirement to share anonymised and non-personal data under certain circumstances may be of concern to businesses,” Arun Prabhu, Partner, Cyril Amarchand Mangaldas.
‘Growth-friendly policy’
Such provisions were not included in the draft and no public consultation was carried out, creating confusion among experts. Kumar Deep, country manager ITI council said, “We appreciate the government’s exhaustive consultation process throughout its consideration of the Personal Data Protection draft Bill. ITI hopes that lawmakers continue to deliberate the revised Bill, specifically with regards to the new clauses introduced and encourages further public consultation to help ensure a future-ready innovation and growth-friendly data policy for India.”
Corporate India is also concerned about the timelines to comply with the new rules, which is 24 months for large companies.
Experts feel companies will need to re-engineer their entire business processes to comply with the law and that may take a lot longer.
Please Email the Editor