Companies fear new data law may upset cross-selling cart

Bengaluru | Mumbai: Several enterprises including banks, healthcare and telecom companies utilising user data to sell varied products and services to consumers, fear that India’s new data law will restrict the scope of their operations, legal experts aware of the matter said. The Digital Personal Data Protection (DPDP) Bill, which received the President’s assent on August 11, has proposed that companies and businesses — which collect and store user data and are termed as data fiduciaries — cannot process the personal data of any user without explicit consent. It requires them to specifically state the “purpose” for which data is collected and to also delete information when user consent is withdrawn.

Typically, companies offering multiple services utilise stored data to cross-sell their other products and services are now a worried lot and seeking legal opinion, as per experts cited above. Narayana Health, one of India’s largest hospital chains, said current regulations do not permit hospitals to delete patient records.

There is a need for “carveout for health data” in the new privacy law, said Viren Shetty, vice chairman of Narayana Health, adding that information is required to “treat patients”. The Bengaluru-headquartered company has 47 healthcare centres in the country. “We can make a representation to make a carve-out for health data, as data fiduciaries we are supposed to hang on to it,” he told ET. “As far as defining purpose is concerned, it is self-explanatory, we take patient consent that we are going to use patients’ data for treating them better,” he said.

Bankers, who spoke on the condition of anonymity, said the new law could impact their business as it restricts cross-selling opportunities.