Industry stakeholders flag compliance cost and obligations of DPDP Rules prior to finalisation

CUTS International, a think tank invested in an inclusive digital economy, asked the government to conduct a Regulatory Impact Assessment (RIA) with a cost-benefit analysis


With India’s Digital Personal Data Protection (DPDP) Rules expected to be finalised within the next couple of months, consumer interest and industry bodies have expressed concerns about the compliance costs and administrative burden on businesses, owing to certain provisions of the draft rules like processing of children’s data, user consent mechanisms and transfer of personal data. Consumer Unity & Trust Society (CUTS) International, a think tank invested in an inclusive digital economy, asked the government to conduct a Regulatory Impact Assessment (RIA) with a cost-benefit analysis. Such an RIA will assess the effectiveness and consequences of the draft rules, and ensure that they do not impose “unnecessary costs, including compliance and administrative burdens,” it said.

“Suboptimal regulations can lead to unintended costs, reduce regulatory efficiency and create barriers to compliance, ultimately hindering the effectiveness of the DPDP Act. An RIA enables a systematic evaluation of the direct and indirect impacts of regulatory proposals using consistent analytical methods. It provides a checks-and-balances mechanism to ensure that the government exercises its regulatory authority in a manner that effectively protects the data rights of the citizens while avoiding excessive burdens on businesses and service providers,” said CUTS International.



Stating that the government should consider alternative approaches for requirements like verifiable parental consent, CUTS suggested the government hold consultations with organisations experienced in conducting RIA, including businesses in Tier-II and III towns, which deal with challenges like lower digital literacy and limited regulatory awareness.

However, the inconvenience of corporates cannot be the focus for the DPDP rules, Akshayy S Nanda, Partner, Data Privacy and Competition laws at Saraf & Partners, told businessline. Arguing that privacy of individuals cannot be compromised due to compliance cost, Nanda said, “The government has made the law less prescriptive when compared to other countries. It has also endeavoured to ensure that the law can be complied with. But, corporates generate significant revenue using the personal data of individuals, which can be redirected for compliance adherence.” In case of smaller businesses, Nanda said the rules wouldn’t impose a huge cost impact.

While entities like hospitals or fintech companies may need to deal with higher compliance measures, he argued that the law provides smaller organisations, handling non-sensitive or low-volume data, the flexibility to determine the degree of measures they want to put in place. Meanwhile, industry body Nasscom focused on the provision asking the significant data fiduciaries to undertake measures for the transfer of personal data outside India. Nasscom said that the provision is “inconsistent with the spirit and objectives” of the Act.

“Even with a careful reading of the Act, the industry could not envisage that the proposal to restrict transfer of personal data by Significant Data Fiduciaries (SDF) was possible in this manner, given the perimeter of transfer restrictions laid out in the Act. Therefore, a scenario where the rules could introduce new obligations, which are unable to envisage from a reading of the Act, undermines the ability of stakeholders to understand the intent of the Parliament and causes a sense of uncertainty and unease, which is avoidable,” said Nasscom. Rather than directing the significant entities to undertake measures, Nasscom suggested that the government impose additional measures on significant data fiduciaries to ensure data transfer protections.
