As the date for submission of public comments on India’s Data Protection Bill nears, the Internet and Mobile Association of India (IAMAI) on September 24 pointed out the industry’s two main issues with the draft.
The industry body said that, across financial technology and advertising technology companies, the definition of data fiduciary and the multiple consent mechanism suggested under the Bill were problematic for business.
As per the Bill, a data fiduciary is a person or entity who will decide how personal data collected will be processed or acted upon. For instance, a hospital collecting your name, number, address, ailment, medical history and so on for further processing will be identified as a fiduciary.
The industry association includes companies such as the Indian arms of Google, Facebook and Twitter, as well as One97, the parent company of Paytm, and Mobikwik.
The government has invited public comments on the Bill until September 30.
The Personal Data Protection Bill made public by the Ministry of Electronics and Information Technology on July 27 details the rules and obligations for different entities who process personal data in the country.
It defines data fiduciary as “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data”.
The association members raised concerns over the definition of data fiduciary that covers any agency dealing with personal data.
The Bill places the responsibility of establishing proof of consent from a person for processing his personal data on the fiduciary.
“If each agency is considered as a data fiduciary and has to take consent for using data, there will be numerous consent requirements that will inundate consumers with requests and significantly slow down the functioning of the present seamless digital services,” IAMAI said in a statement.
Over the past two months, the conversation around the Bill has focused on the issue of data localisation, with foreign-headquartered firms largely batting against it.
Paytm and PhonePe have supported data localisation in response to the call by the banking regulator, the Reserve Bank of India, for storing financial data locally, taking on Google in public posts.
Indian IT services body National Association of Software and Services Companies has also been very vocal in opposing data localisation or mandatory storage of data in India. On the larger issue of localisation though, there seems to have been no consensus so far.
IAMAI further said, “with various stakeholders involved in the handling of data it becomes difficult to identify on whom the liability would lie in case of any lapse in adhering to the bill.”
The members also raised concerns over the penalty mechanisms suggested in the Bill. It suggests flat rates of penalties based on revenues of the fiduciary without considering the severity of damage.
The proposal suggests penalties for non-compliance at Rs five crore or two percent of a company’s total worldwide turnover of the preceding financial year, whichever is higher.
The IAMAI also raised concerns over the extended definitions of sensitive data as many of these details are easily available or attributable currently.
“For instance, caste, which is defined as sensitive data, can easily be determined by the surname of the person, thereby creating a challenge for businesses as to whether an individual’s surname is to be considered as sensitive personal data,” the association said.
Since the Bill suggests special measures for any fiduciary handling sensitive personal data, it could effectively cover all personal data as ‘sensitive’ and put compliance burdens on every data fiduciary, it added.