The DPB has had several additions that increase non-consensual processing of data, and thereby displace consent from the foundation of a bill that is ostensibly designed for data protection law.
Clause 13 of the DPB notes that non-consensual processing of data “can reasonably be expected by the data principal.” Clause 14 also disregards user consent for measures like search engine operation and credit scoring. In fact, Section 13 (Processing of personal data necessary for purposes related to employment etc.), provides an employer (the data fiduciary here) access to the personal data of an employee (data principal) without consent if the employer makes a determination that it is “not appropriate” or involves “disproportionate effort” to request consent from an employee or a potential employee.
Respondents found the absence of a clear definition of “reasonable purposes” to be another factor for causing ambiguities and increasing compliance burdens.
They also remain unsure of how to properly take stock of informed user consent in ways that explains to them what are the possibilities for their data storage, transfer, and processing. One of the respondents said, “Now, the problem is (that) consent is a legal language, more or less in terms of how it is going to be (materialised and therefore implemented). So when the Bill talks about explicit consent, now, translating that into a localised format is going to be a major challenge. And that needs some level of creativity to solve.”
The DPB expects businesses to have multiple levels of consent mechanisms and also operate with consent managers. Respondents found this to be a cumbersome addition to doing compliance.
A founder of an agritech business said, “I’m not sure of what it is that the government entails from us from a regular, you know, from a day, from a monthly perspective? Are they asking us for a report? It’s not clear to me right now.” She added that while they value user consent and privacy, “we don’t think you have to have multiple steps and multiple things of consent, and we don’t believe in making the process very cumbersome for the companies.”
For her, a good middle path would be to have “basically just one sign off or one waiver that says - hey, I’m going to use this data for this, this is for our purposes only, and it’s not going to be shared with any third party. And I think that pretty much should be okay, because it covers everything. Just this instead of having to engage with the data protection officer and different levels of compliance. Then, if the company is found in violation of that, then action might be taken.”
Another architect from a FinTech business said users are used to a one click system for all. “So the more steps you create into your journey, the more friction it trades for the end consumers.” For their business, one that connects across different verticals, consent has to be taken from “not only from the end consumer, but from the lenders, merchants, and so on.”
{{ gettext('Login to leave a comment') }}
{{ gettext('Post a comment…') }}{{ errorMsg }}
{{ gettext('No comments posted yet') }}