IAMAI Warns India's Data Protection Framework May Disadvantage Startups and MSMEs:

The Internet and Mobile Association of India (IAMAI) has noted that the current data protection system of India may be potentially harmful to start-ups and MSME’s as compared to established corporations.

IAMAI claimed that smaller businesses are likely to meet onerous requirements of this framework visible in the DPDP Act and rules due to lack of adequate financial and technical resources during their submission on the draft Digital Personal Data Protection (DPDP) Rules.

IAMAI is one of over 600 Indian and international digital companies which makes them extremely important to the development of data policy for the country.

Moneycontrol has a submission to the Ministry of Electronics and Information Technology (MeitY) dated last March 5 that details the entry that was reviewed.

“IAMAI in its submission said," India’s data protection framework may inadvertently disadvantage start-ups and MSMEs compared to large corporations. Compliance to the DPDP Act demands significant financial and technical resources, which large companies, with dedicated legal and IT teams, are better placed to absorb such requirements."

"It is claimed that, compared to large businesses, start-ups and SME’s who are resource constrained will have greater difficulty meeting the requirements without cutting down on innovation," it said.

In detailing its issues, IAMAI pointed out the lack of clarity with respect to the classification of Significant Data Fiduaries (SDFs). As per the DPDP Act, the government has the authority to designate any data fiduciary as SDFs depending on the quantity of personal data they handle, among other factors, and those entities will be subject to additional compliance obligations.\n\nIAMAI indicated that criterions for classification, like “volume and sensitivity of personal data processed,” are still not objective. “Having criteria based on the volume of data as a basis for notifying some Data Fiduciaries as SDFs could pit Indian firms against their foreign counterparts,” added IAMAI. \n\nIt further suggested that companies be allowed to show cause before being categorized as SDFs and urged for qualitative clarifications on compliance measures.\n\nIAMAI also opposed possible limitations on cross-border data flows on the grounds that such steps would cut off Indian companies from the global data marketplace and increase their compliance burden.\n\nFinally, it raised issues regarding the extent to which provisions on ‘traffic data’ even cover non-personal data as such goes beyond the DPDP Act.

The obstacles in the cross-border data transfer can limit India’s ability to optimize data driven operations, especially with the significant contribution to GDP from outsourcing and other services exports. These challenges can hinder achieving the goal of ‘Digital India’, ” it noted.

While addressing children’s data, IAMAI raised the concern that requiring platforms to authenticate every user’s parent/guardian identity raises the need for excessive data collection, which increases compliance headaches and goes against minimizing data collection.

“You placing a requirement on platforms to authenticate parents for users, places an unreasonable burden on companies and does not align with international privacy regulations,” IAMAI pointed out.

On a responsibility of the government to request information under Rule 22, IAMAI called for more safeguards to make sure businesses are not compelled to divulge sensitive information such as proprietary algorithms and trade secrets or even confidential customer information.

“Business are likely to suffer significantly , without due regard to the funds spent, and they will fail to innovate when this is mandatory requested information of the government," it cautioned.

For the purposes of this study, I reminisce improvising with placards at first unfamiliar to me, or being timid in the face of elaborate screen stories. IAMAI has suggested a timeframe of 24 months to enable businesses to adjust to the modifications put forward by the regulators. Moneycontrol has contacted the trade body for additional remarks and the article will be changed after the response is received.