USIBC’s Comments on Ministry of Electronics and Information Technology’s (MeitY) Draft Data Protection Bill

Governments across the world are endeavoring to create policies that ensure robust consumer privacy protections and promote the growth of technology. Interestingly, both India and the United States are currently at a similar crossroads as a recently-passed California privacy law is stimulating interest in a federal U.S. privacy legislation. Yet, India and the United States are uniquely positioned to propel their leadership in advanced technology with already highly integrated technology, investment, and human capital. As both evaluate how to create a coherent, streamlined set of privacy rules that benefit legitimate uses of data and do not forestall innovation, any new Indian or American privacy law must strive for global interoperability and the free flow of data, while stimulating socio-economic growth and ties between the United States and India. The U.S. Chamber of Commerce is uniquely positioned to play a constructive role, and the business community welcomes an ongoing conversation focused on solutions, economic growth, and consumer protection.

Developing a privacy regime requires taking a judicious and thoughtful approach that draws on global best principles and practices that balance privacy, innovation and global interoperability, while designing a regime that is aligned to work within existing legal structures in an effective and efficient manner. The U.S. Chamber of Commerce has developed a set of privacy principles to help achieve a privacy framework that is balanced, flexible, globally interoperable, and protects the free movement of data while protecting consumers:

1. A comprehensive framework of regulation that ensures certainty and consistency
2. Risk-focused and contextual privacy protections
3. Transparency in collection, uses and sharing of consumer data
4. Industry neutrality
5. Flexibility to develop adaptable, consumer-friend privacy programs
6. Harm-focused enforcement
7. Enforcement that promotes efficient and collaborative compliance
8. International leadership that promotes the free flow of data and interoperability between global frameworks
9. Encouragement for privacy innovation
10. Risk-based approaches to data security and breach notification

In some areas, India’s draft data protection bill takes on excessive regulation that will needlessly impede the free flow of digital commerce without providing meaningful privacy protections to consumers. This approach would burden all participants in India’s digital economy, and it would have disproportionate economic impacts on small- and medium-sized enterprises (SMEs) and entrepreneurs. USIBC emphasizes the following changes to the draft legislation to align it international norms that will promote data stewardship in the digital economy, and stimulate economic growth, job creation, innovation, and entrepreneurship:

• Remove the data localization requirement and moderate onward transfer restrictions.
• Expand grounds for data processing.
• Clarify that the law would not apply to foreign national data processing.
• Clarify the definitions of personal data and anonymized data.
• Eliminate residency requirement for data protection officer (DPO).
• Reform restrictions on processing data of under-18s.
• Reform excessive penalties.
• Provide sufficient time for implementation.

Creating a privacy framework that is balanced, flexible, globally interoperable, and ensures the free movement of data while protecting consumers is central to India’s digital transformation, the promotion of India’s global competitiveness, and the Digital India vision. These changes will create solutions that not only advance India’s IT sector, but deepen U.S.-India commercial ties.