India’s Personal Data Protection Bill requires specific grounds for reasonable purpose processing to be specified in the law

Unlike the European Union’s General Data Protection Regulation, India’s Personal Data Protection Bill requires specific grounds for reasonable purpose processing to be specified in the law. This approach looks restrictive and short-sighted, and could hamper innovation, without which a digital economy cannot hope to prosper.

There are major areas of concern in the present formulation of the Bill that is before a select committee of Parliament.

  1. The pivot of the framework appears to be a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate.

  2. Second, the Bill has broad-based restrictions on the transfer of data overseas from India, which could hive our market off from the global digital economy.

  3. Third, the Bill seeks to protect privacy by way of what looks like a regulatory sledgehammer that imposes extensive compliance requirements with little aid to data protection.

  4. Fourth, the Bill sets forth an inflexible framework that is bereft of any formal consultative rule-making process, which is likely to stifle innovation in the sector.

  5. Lastly, substantial portions of the Bill are out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market.

These aspects of the Bill require substantial changes, not only for it to achieve its objective of privacy protection, but also to avoid stunting the growth of our digital economy.