India privacy proposal remains source of legal uncertainty, Intel exec says

18 March 2019 9:33am

14 March 2019. By Vesela Gladicheva.

Much about a proposed data privacy law for India drafted by government-appointed experts is still unclear, causing legal uncertainty on top of concerns about the prospect of hefty fines and prison sentences for violations, an executive at Intel said today.

Riccardo Masucci, global director of privacy policy at the US chipmaker, told a conference in London that the bill's emphasis on obtaining consent from users to lawfully handle data and the role and enforcement approach of the new data-protection regulator, as well as the extent of further rules the government and regulator will define at a later stage, all amount to "potentially cumbersome requirements."

Data privacy legislation became necessary following a landmark 2017 ruling by India's Supreme Court that said for the first time that privacy is a fundamental right. Last summer, a committee appointed by the government and chaired by former Judge BN Srikrishna released a draft comprehensive data protection bill.

The government is expected to present a bill to Parliament after India's general election wraps up in May, though it's unclear to what extent it will incorporate the recommendations of Srikrishna's panel.

Intel has closely tracked developments around the new law, as it will affect its research and development centers in Bangalore and their emphasis on artifical intelligence technology.

Masucci said the current proposal would pose difficulties for Intel, including the need to hire a data-protection officer in India, keep records of data processing, carry out audits and security reviews, and manage a low threshold for reporting data breaches.

'Critical' information

More challenging, he said, will be the government's ability to decide in the future what types of data should be classed as "critical," triggering an obligation on companies to keep such data within India's borders.

"At the moment, we have no visibility on which are the categories of data that could be defined as critical data," Masucci said. The success of new technologies such as artificial intelligence is linked to "our ability to move data," he added.

Another problem will be the limited situations in which companies can process data under the proposals without seeking individuals' consent. That could be expanded in the future, Masucci said, but the lack of clarity is a "big degree of uncertainty."

The risk of drawing fines of up to 50 million rupees (about $718,000) or a three- to five-year prison sentence adds complexity, he said.

Masucci also pointed to the bill's data-localization obligations.

"We welcome the provision allowing the government to decide if some transfers are legitimate between two countries or for some specific sectors," he said. "The problem is that we don't know it yet."

Andrea Jelinek