Draft Personal Data Protection Bill has several ambiguities: IAMAI demands clarity

A Roundtable discussion was recently hosted by the Internet and Mobile Association of India on the Impact of the Draft Personal Data Protection Bill (PDP), 2018 on Ease of Doing Business in India to create a dialogue between key industry representatives, civil society and media personnel on the different aspects of the draft PDP bill that are areas of concern for the industry.

The discussion among the industry representatives which included both Indian and Oversees companies revolved around several areas of ambiguity that exist in the draft Bill which need to be better clarified for businesses to fully comprehend the extent of adjustments businesses will have to do to comply with them. Below are the areas of the ambiguity which were discussed which will lead to the unnecessary compliance burden.

1. The Bill categorizes data as Personal Data, Sensitive Personal Data, and Critical Personal data, but the industry lacks clarity on which data qualifies under which head and hence is not equipped to take necessary precautions.
2. The Bill talks of consent and explicit content for different categories of data; but there is no clarity on what would qualify as consent and explicit consent. Thus, businesses have no idea of the compliance requirements involved.
3. The PDP Bill creates a need for the data fiduciary to repeatedly obtain consent from the data principal for every step of the processing activity. The problem gets aggravated when data collection and processing are done by different agencies, in which case, each fiduciary will have to take consent at every step of the operation. The discussion suggested that obtaining consent at all points of data collection and processing is at times either impossible, impractical or unnecessary. Alternately, as long as the processing of the data does not deviate from the original purpose, repeated consent requirements should not be imposed.
4. The PDP applies to all sectors of the economy that collect personal data. Many of the digital services are actually digitalization of offline businesses. There is a concern about how each sector is equipped to handle the provisions and the linkage effect of such unpreparedness.

The association suggested that to enhance ease of doing business, companies should be permitted to self-determined reasonable purposes of data processing. Furthermore, all legal bases for collecting, using and disclosing personal data should be treated equally instead of relying on consent as the primary ground for processing personal data.

The discussion was an attempt to help create a holistic well-informed public discourse on the Bill, which IAMAI believes will eventually strengthen the collective effort to draft a well-devised Data Governance regime in India.

The industry stated that if these issues need to be addressed well in time, it hampers ease of doing business and will also affect the vision of Digital India.