Big data has haunted the business pages of the last ten years like a specter. The rise of corporate titans like Amazon and Facebook, major government leaks, accusations of election fraud and censorship, and even the mundane ads that pop up in our Google searches, all lead back to data – where data is kept, who has access to it, and whether courts can compel data as evidence.

All over the world, privacy laws are finally catching up with this explosion in big data. The European Union implemented its General Data Protection Regulation (GDPR) this year; the United Kingdom and the U.S. state of California implemented their own shortly thereafter, followed by countries from Brazil to Oman. In India, former supreme court justice BN Srikrishna chaired a ten-member committee of experts to discuss what data privacy legislation ought to look like in parliament. Those recommendations came out in July.

The Association of Corporate Counsel (ACC), a global legal association representing more than 45,000 in-house counsel employed by over 10,000 organizations in 85 countries, including in India, read the Srikrishna Committee’s bill and submitted some recommended modifications. ACC’s comments focus on two elements of the bill: grounds (other than consent) for processing personal and sensitive data, and the cross-border transfer of personal data. Both of these issues are important to in-house lawyers who advise their corporations on data protection.

One of ACC’s most pressing concerns with the bill was its call for data localization. This language includes a requirement that a “serving copy” of personal data be stored in India, and that critical personal data only be processed in the country. It is unclear what this “serving copy” should be, as the bill doesn’t define it. This is confusion can be dangerous. While these requirements are supposed to support law enforcement, for example, they may indeed hamper it. Under the restrictions of international data flow that this bill proposes, fraud detection of every scale would be more complicated and slower.

“ACC takes particular objection to the limits on cross-border data transfers in the bill,” said Mary Blatch, ACC associate general counsel and director of advocacy. “These restrictions would affect the ability of our in-house lawyer members to access data that they need to ensure their companies are compliant with Indian and international laws.”

ACC also strongly recommended that the final bill include contractual necessity as a ground for processing both personal and sensitive personal data. The exclusion of this processing ground in the language of the bill could potentially hold back online business in India. Multiple consent requirements – sign here, click yes, over and over – simply wear consumers out, discouraging the expansion of digital commerce.

In the interests of Indian business, and inhouse counsel in India and abroad, ACC urges Parliament to consider its recommendations, and to craft a final bill that takes on the new digital reality sensibly.