Mobile application developers, e-commerce players and social media companies can expect their compliance costs to increase with the rules under the new Digital Personal Data Protection law likely to prescribe a consent notice to every user explaining the nature of data being collected and the purpose for which the data will be used.
The rules that are currently being drafted, will make it mandatory for companies to issue such a notice to users to explain how the user can withdraw consent. At present, most mobile application developers seek access to various user data such as phone contact list, camera, location without explaining why they need such data.
According to a draft of the model notice seen by businessline, tech companies (data fiduciaries) are supposed to take informed consent of customers for every itemized personal data point which they collect from customers (data principles).
An industry expert said while this is good for the consumers, compliance cost on companies may go up drastically.
For example, if a data fiduciary is collecting the name, email address, credit card details and residential address from a data principle, they will have to give the stated purposes for every data item.
Better informed customers
“This means that with the implementation of the DPDP Bill, the unmitigated collection of personal data of customers, including unrelated requests to essentially mine customer data (accessing customer contact list, location for unrelated reasons) could end. Customers will be better informed about risks and benefits of giving consent, while this will create a slew of compliances for data fiduciaries operating in India,” said an industry expert.
According to the draft model, the companies also have to clearly state that they will only collect as much personal data necessary for the stated purposes. Customers also have the choice to inform data fiduciaries that the data only be retained till the purpose is served.
Customers will also be given due process to erase the personal data shared, unless there is some legal requirement to retain it.
Even though the DPDP Act was passed in August last year, nearly a year on, customers are still devoid of a proper framework to preserve the sanctity of their personal data. While the IT Ministry has completed the draft process of their rules, certain modifications regarding the processing of children’s data and the exact reporting time for data breaches continue to be made. The Ministry will release the draft rules again for consultation but they are not expected to come out anytime soon, according to industry insiders.