The Internet and Mobile Association of India (IAMAI) has sought clarity over the Personal Data Protection (PDP) Bill, which is in the public domain for consultation. At a roundtable discussion over the Bill, the IAMAI said there were several areas of ambiguity in the Bill that could cause unnecessary compliance burden.
“The Bill categorises data as personal data, sensitive personal data and critical personal data, but the industry lacks clarity as which data falls under which head, and hence is not equipped to take necessary precautions,” the IAMAI said.
The Bill talked of consent and explicit consent for different categories of data, but there was no clarity on what would qualify as consent and explicit consent, it said and added, the businesses had no idea of the compliance requirements.
The Bill also creates a need for the data fiduciary to repeatedly obtain consent from the data principal for every step of the processing activity. “The problem gets aggravated when data collection and processing are done by different agencies. In this case, each fiduciary will have to take consent at every step of the operation,” it said.
As per the discussion, obtaining consent at all points of data collection and processing is at times either impossible, impractical or unnecessary. “As long as the data processing doesn’t deviate from the original purpose, repeated consent requirements should not be imposed”, the association said.
The PDP applies to all sectors of the economy that collect personal data.
As many digital services are actually digitalisation of offline businesses, it expressed concern over preparedness of various sectors to handle the provisions.
The roundtable on the “impact of the draft PDP Bill on the ‘ease of doing business’ in India” was to initiate a dialogue between key industry representatives, civil society and media personnel.
The discussion among the industry representatives, which included Indian and oversees companies, revolved around the areas of ambiguity that needed to be clarified for businesses to comprehend the extent of adjustments they will require to comply with it.
To enhance ease of doing business, companies should be permitted to self-determine reasonable purposes of data processing, it said.
All legal bases for collecting, using and disclosing personal data should be treated equally instead of relying on consent as the primary ground for processing personal data, the IAMAI advocated.