The Association of Corporate Counsel (ACC), a global legal association representing more than 45,000 in-house counsel employed by over 10,000 organizations in 85 countries, including in India, recently submitted recommended modifications to the Srikrishna Committee’s Personal Data Protection Bill. ACC’s comments focus on the grounds other than consent for processing personal and sensitive data and the cross-border transfer of personal data, issues important to in-house lawyers who advise their corporations on data protection.
A primary concern with the bill is its call for data localization, including the requirement that a “serving copy” of personal data be stored in India and the rule that critical personal data only be processed in the country. It is unclear what this “serving copy” should be, as there is no definition in the bill. ACC goes on to state that while these requirements are supposed to support law enforcement, they may in fact hamper it. Under the restrictions on international data flows that the bill proposes, fraud detection at every scale would become more complicated and slower.
“ACC takes particular objection to the limits on cross-border data transfers in the bill,” said Mary Blatch, ACC associate general counsel and director of advocacy. “These restrictions would affect the ability of our in-house lawyer members to access data that they need to ensure their companies are compliant with Indian and international laws.”
ACC also strongly recommends that the final bill include contractual necessity as a ground for processing both personal and sensitive personal data. The exclusion of this processing ground in the language of the bill stands to hold back online business in India. Multiple consent requirements fatigue consumers, who are already aware of the personal data they provide during a transaction, discouraging the expansion of digital commerce.