The draft Personal Data Protection Bill 2018 (PDP Bill) is out in the public domain and is generating a lot of debate, criticism, and feedback from various stakeholders. The Bill will have a far-reaching impact on all aspects of a business — including data collection, processing, storage, and cross-border data transfers.
Inc42, along with Delhi-based legal firm Ikigai Law (Previously TRA Law), is initiating a dialogue on the impact of the Bill on startups. ‘The Dialogue: A Roundtable Discussion’ will provide a platform to make your voice heard by those who make the policy and play an active role in shaping how this bill will affect the Indian ecosystem.
We invite all startups, investors, and other stakeholders from the Indian startup ecosystem to come and enrich the roundtable.Fill This Form To Join The Discussion
Data is supreme. No matter which technology you’re leveraging — artificial intelligence, IoT, blockchain, big data analytics, SaaS-based solutions, or deeptech — if you’re a technology startup in India, you’re likely involved either in data collection or operation.
With an aim to regulate how Indian users’ data should be managed, processed and transferred across borders by data fiduciaries, a 10-member Committee of Experts chaired by former Supreme Court Justice BN Srikrishna on July 27 submitted its report and a draft Personal Data Protection Bill, 2018. The committee was earlier tasked by the Central government with creating a comprehensive framework for data protection in India.
The draft PDP Bill mandates live data mirroring or localisation (meaning that at least one copy of all personal user data must be stored in India), which will drive up costs for companies. Startups will be required to conduct periodic reviews of their security practices and data protection impact assessments.
The draft PDP Bill also prescribes steep penalties and even a list of non-bailable and cognizable criminal offences for violation of the law and wants all large data fiduciaries to appoint data protection officers.
Apart from this, it proposes the creation of a Data Protection Authority (DPA) with overarching powers to deal with all data-related issues in the country, which may result in the re-creation of the erstwhile ‘License Raj’ in the tech sector.
All these provisions are likely to dis-incentivise innovation and incentivise the license raj era.
While most corporates maintain some sort of piggy banks and are capable of hiring data protection officers to deal with the legalities, most Indian startups run on “piggy bank money” raised from their investors and don’t have funds to spend continuously on legal compliances.
So, what is the way forward for startups? What are the essential steps one has to take in the transition period to ensure they’re prepared when the Bill is implemented?
We will enable ecosystem partners to discuss and seek the answers.
With The Dialogue — A Roundtable on the draft Personal Data Protection Bill, Inc42 and Ikigai Law are providing a platform for stakeholders to discuss the Bill and its implications for Indian startups.
Data Localisation: ‘Chilling Effect’ On Startups
What’s the biggest issue with the draft PDP Bill for startups? Data localisation and the resulting costs for companies. Tuhina Joshi, Associate, Ikigai Law explains that according to a McKinsey report, 80% of tech-based startups worldwide are ‘born global’, utilising foreign customers, financing, and suppliers from day one. It is estimated that cutting off access to global cloud computing services — through localisation — will force local companies in Brazil and the EU to pay 10.5 to 62.5% more for some cloud computing services.
She adds, “Enforcing data localisation requirements would massively raise operational costs for startups, as they would have to invest in local data centres. This would have a chilling effect on innovation by bootstrapped startups by imposing a high barrier of entry for new local entrants in a wide range of sectors in the Indian market.”
While data localisation is largely being seen as an added layer for protection of Indian data introduced by pro-government think tanks, Pooja Sareen, Editor-In-Chief, Inc42 Media, believes that such a big step can’t be taken simply under the garb of security and safety measures.
“Although the data localisation clause in the Bill might help drive BharatNet and similar projects across the country, it will be a costly affair for Indian tech startups who want to cater to the global market,” says Sareen.
Data Protection Authority: Another Authority, Another Headache
The draft Personal Data Protection Bill proposes the establishment of a separate Data Protection Authority (DPA) to implement, regulate, and oversee data protection in the country.
This doesn’t bode well for startups as the Data Protection Authority is vested with broad, overarching powers to discharge quasi-executive, quasi-legislative and quasi-judicial functions, according to Joshi. “This includes mandating compulsory audits for all personal data by external auditors, assigning public trust scores, the presence of harsh criminal penalties, onerous reporting obligations to the DPA, etc,” she opines.
Given the fact that startups usually fall short of resources such as time, manpower, and, most importantly, money which they would utilise to meet the compliances in time, this will have adverse implications for startups. Sareen states, “Complying with norms and orders as directed by the DPA will be a tedious task for startups. In case of GST disputes, we have seen how the Telangana Authority for Advance Ruling (AAR) and West Bengal AAR not only gave conflicting verdicts but also used different methodologies to arrive at their conclusions.”
So, Who Benefits From The PDP Bill? Difficult To Say
Complying with the provisions of the draft PDP Bill will require huge investments from companies on several fronts, which will ultimately increase the cost of the related product/service. “Ultimately, the cost of all regulation will percolate to the consumer. In an alternate scenario, if the regulated entity bears the costs, its profits will be eroded until it is no longer profitable or even possible to remain in business. Both of these scenarios would be counterproductive to user interest,” says Joshi.
The Inc42-Ikigai Law Roundtable on the Draft Data Protection Bill will debate and seek answers to the above-mentioned issues, amongst others. It will also decode the proposed Bill for ease of understanding. So, to hear it from the experts, put forward your views, and discuss your concerns with them — we invite you to attend the upcoming Roundtable discussion on September 7.Fill This Form To Join The Discussion