Industry body IAMAI has said more clarity is needed on classification of data and consent requirements in the draft Personal Data Protection Bill, and argued that businesses need to fully comprehend adjustments they will have to make to comply with the norms. Internet and Mobile Association of India (IAMAI) flagged ambiguities that exist in the draft Bill and further said these will “lead to unnecessary compliance burden”.
IAMAI, which hosted a discussion on the issue comprising stakeholders like industry representatives and members of civil society, said the industry lacks clarity on which data is categorised as personal, sensitive and critical. It suggested that repeated consent requirements should not be imposed on data fiduciary as long as processing of data does not deviate from the original purpose.
“The Bill creates a need for the data fiduciary to repeatedly obtain consent from the data principal for every step of the processing activity. The problem gets aggravated when data collection and processing are done by different agencies, in which case, each fiduciary will have to take consent at every step of the operation,” it said.
IAMAI suggested that obtaining consent at all points of data collection and processing is “at times either impossible, impractical or unnecessary”. “Alternately, as long as the processing of the data does not deviate from the original purpose, repeated consent requirements should not be imposed,” it said.
Stating that the Bill will apply to all sectors of the economy that collect personal data, there is a concern about how each sector is equipped to handle the provisions, and the linkage effect of such unpreparedness. The association suggested that to enhance ease of doing business, companies should be permitted to self-determined reasonable purposes of data processing.
Furthermore, all legal bases for collecting, using and disclosing personal data should be treated equally instead of relying on consent as the primary ground for processing personal data, it said.
The discussion, IAMAI said, was an attempt to help create a holistic well-informed public discourse on the Bill, which will eventually strengthen the collective effort to draft a well devised Data Governance regime in India. The industry stated that if these issues need to be addressed well in time, it hampers ease of doing business and will also affect the vision of Digital India.
The Personal Data Protection Bill, which is proposed to be tabled in Parliament, offers a detailed framework to regulate flow of personal data, including cross-border data flows.
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]