Hardware Regulations and Cross Border Data Flow

The Plunge Daily has been holding a series of talks around personal data protection. In the third conversation on Feb 16, eminent industry experts came together to discuss the Data Regulations Bill 2021 on Twitter Spaces.

Hosted by Ashutosh Bhattacharya, Public Policy and Communication Advisor, with guests Kazim Rizvi, Founding Director of The Dialogue, Lloyd Mathias, Angel Investor and Business Strategist and Nirupama Soundarajan, Head of Research and Senior Fellow at Pahle India Foundation, it was an insightful session for the listeners.

Kazim Rizvi opened the conversation by discussing the salient points of the revised Data Protection Bill 2019 and the recommendations of the Joint Parliamentary Committee which has included regulations of hardware in the Data Protection Bill 2021.

It lays down the mandate of regulation of hardware devices which collect personal data. It requires the testing of devices to ensure hardware meets the norms set by Department of Telecommunications (DoT). This is possibly done in view of threats from other countries like China to hardware security.

It is the first time that hardware devices have been brought under regulation with respect to information. Testing and certification of hardware would now be required to protect citizens. The new clause has been added from a national security perspective.

Objective of Data Protection Bill, 2021

The government objective through the bill is to protect the user and their personal data that’s been collected by their devices.

At this point it must be noted that there are a gamut of electronics and hardware devices that are manufactured outside the country. We do need a strong mechanism to protect devices but is the Data Protection Bill appropriate? There are questions regarding clarity of desired outcome, the larger intent at hand and whether we are over regulating through this bill.

Existing Guidelines Mandate Testing of Devices

There already are multiple regulations in place for hardware testing. For example, the DoT has procedure in place for testing of telecom equipment. There are allocated labs and infrastructure is being created for testing. Lloyd Mathias said that there is an overlapping of regulators as mechanisms for testing are already in place. There should be a relook at strengthening the existing mechanisms.

We still require clarity on who will be the ultimate owner of testing and whether the testing would be before sale or before import.

The proposed amendment by JPC is like over regulation. Also, regulatory ambiguity causes problems for manufacturers and the industry at large.

Mixing National Security Objectives with Consumer Data Security

Nirupama Soundarajan said that the objectives of protecting the user data and national security should be tackled separately. This is because the threat perception hinges on certain nations, hence we need separate standards for nations where threat perception is higher as compared to other friendly nations. The lines are greying a bit when it comes to personal data and national security.

If there is no differentiation, not only will the economic costs be higher, we will also have more delays and end up stifling the local, indigenous industry.

Clear Definition and Separation of Accreditation and Auditing Agencies

There is a maker-checker issue that must be addressed. A clear definition of accreditation and auditing agencies is needed. Execution rigour is important but there has to be simplicity rather than duplication in regulation.

The technical know-how and administration required to carry out the testing will be sizeable as it is a specialised job.

The impact in the industry cannot be underestimated. It would affect costing as the manufacturers would pass the costs to consumers. Additional testing would also delay launches etc because of compliance issues.

More Clarity on Certain Issues

A few other issues must be cleared. Mala fide intentions as mentioned in the bill need to be defined.

The regulations may need to be differentiated depending on the country as a blanket regulation will stifle India’s own developmental capacity.

The concept of certification, at which stage it is needed must also be clearly laid out otherwise it will have a detrimental impact on supply chains.

It should be clear who bears the liability, whether it is the brand, the investor or the manufacturer.

As technology evolves new laws are definitely needed. Industry will have to adapt to improve processes to meet new standards. But compliance should be appropriate and proportionate to the end objective.