IAMAI flags ambiguities in draft data protection bill; seeks clarity on classification, consent
Industry body IAMAI on Thursday said more clarity was needed on classification of data and consent requirements in the draft Personal Data Protection Bill, and argued that businesses need to fully comprehend adjustments they would have to make to comply with the norms.
The Internet and Mobile Association of India (IAMAI) flagged ambiguities that exist in the draft Bill and further said these would "lead to unnecessary compliance burden".
IAMAI, which hosted a discussion on the issue with stakeholders like industry representatives and members of civil society on Wednesday, said industry lacks clarity on which data is categorised as personal, sensitive, and critical.
It suggested that repeated consent requirements should not be imposed on data fiduciary as long as processing of data does not deviate from the original purpose.
"The Bill creates a need for the data fiduciary to repeatedly obtain consent from the data principal for every step of the processing activity. The problem gets aggravated when data collection and processing are done by different agencies, in which case, each fiduciary will have to take consent at every step of the operation," it said.
IAMAI suggested that obtaining consent at all points of data collection and processing is "at times either impossible, impractical or unnecessary". "Alternately, as long as the processing of the data does not deviate from the original purpose, repeated consent requirements should not be imposed," it said.
The linkage effect
Stating that the Bill will apply to all sectors of the economy that collect personal data, there is a concern about how each sector is equipped to handle the provisions, and the linkage effect of such unpreparedness.
The association suggested that to enhance ease of doing business, companies should be permitted to self-determined reasonable purposes of data processing. Furthermore, all legal bases for collecting, using and disclosing personal data should be treated equally instead of relying on consent as the primary ground for processing personal data, it said.
The discussion, IAMAI said, was an attempt to help create a holistic, well-informed public discourse on the Bill, which will eventually strengthen the collective effort to draft a well-devised data governance regime in India.
The industry stated that if these issues were not addressed in time, they would hamper ease of doing business and would also affect the vision of Digital India.
The Personal Data Protection Bill, which is proposed to be tabled in Parliament, offers a detailed framework to regulate flow of personal data, including cross-border data flows.
(Edited by Teja Lele Desai)