Introduced in Parliament on 11 December 2019, the PDP Bill will require startups to overhaul their operations, rework their business practices, and totally change how they use data. From demanding access to the proprietary data of companies to restricting the flow of data, the PDP Bill will ask startups to revamp their data-related processes and embed privacy within their system architectures. In a bid to understand and manage the implications of the PDP Bill on startups, Inc42 and Ikigai Law will be hosting a roundtable discussion, ‘The Dialogue’ in Delhi.
Currently, the PDP Bill is being examined by a joint parliamentary committee (JPC), which had invited stakeholder comments by February 25, 2020. Taking this feedback cycle further, The Dialogue: Impact Of The Revised PDP Bill On The Indian Startup Ecosystem is inviting all the stakeholders from the ecosystem to present their views on the PDP Bill and its impact on the startup and tech ecosystem in India.
The event is the ideal convergence point for startups, investors and other stakeholders from the Indian startup ecosystem, who will all be impacted by the PDP bill.Join The Discussion
The proliferation of digital services coupled with rapidly increasing data use poses significant risks to individuals and enterprises. With data breaches and security incidents on the rise, the Indian government acknowledged the need for a data protection law.
To work on the task of addressing such concerns and preventing the occurrence of security incidents in India, the ministry of electronics and information technology (MeitY), under the chairmanship of retired Supreme Court justice B. N. Srikrishna, formed a committee of experts. Set up in 2017, the committee submitted the draft Personal Data Protection (PDP) Bill in July 2018 to the government and opened it up for the public for comments and suggestions.
In December 2019, the union cabinet cleared the revised PDP Bill. Applying to all entities that collect, use, store, share or process ‘personal data’, the PDP Bill covers any data that can, directly or indirectly, identify a person.
If passed in its current state the PDP Bill is expected to have a significant impact on Indian startups. To address these concerns of the tech startup ecosystem Inc42 along with Ikigai Law is hosting ‘The Dialogue: Impact Of The Revised PDP Bill On The Indian Startup Ecosystem’.Make Your Voice Heard
Topics For Discussion
The latest edition of The Dialogue aims to cover all the pros and cons for the startups, entrepreneurs and companies from the PDP Bill. Covering all the major provisions under the Bill from the point of view of tech startups and the impact it will create on their operations, the topics of the discussion are:
Cross-Border Transfer Of Data
The local data storage norms put in place, apply to sensitive personal data (SPD), which includes categories such as health, finances, biometric and more, the government can also notify other categories of SPD. While the Bill allows entities to transfer SPD outside India on the basis of approved contracts, adequacy and more, critical personal data (CPD) can only be processed in India and transferred outside on the limited grounds of emergency services. The Bill does not define CPD or provide any guidance on what constitutes CPD, despite enabling the government to notify categories of it.
These storage requirements have the potential of shutting off access to global cloud service platforms for startups in India. Additionally, they may also limit access to global markets and the latest technologies. This could reduce the profit margins, productivity and undermine competitiveness for startups.
Additionally, cutting down operating costs is essential for startups in the early stages of growth, and the localisation requirements and restrictions threaten to increase operating costs and hinder the ability of startups to develop their services.
Data Access Obligations On Companies
While the PDP Bill specifically excludes anonymised data from its scope, the government is still allowed to demand this data from any entity, for the purpose of better service delivery and informed policy-making.
This provision can hamper the business operations of large, medium and small corporations alike. In particular, startups put in significant efforts to collect data and develop insights, and as such, a mandatory sharing requirement can hurt their efforts.
“The Bill should focus on personal data protection, and should not include provisions for regulating non-personal data (NPD). Moreover, a separate government committee is presently examining the issue of regulating NPD comprehensively. Startups should offer their views on the regulation of NPD to this committee as well,” said Nehaa Chaudhari, director, public policy, Ikigai Law.
Requirements Regarding Children’s Data
The PDP Bill defines a ‘child’ as anyone under the age of 18 years, while also requiring entities to verify the age of a child and obtain parental consent before processing data belonging to the child. The manner of age verification and obtaining parental consent will be laid down by the data protection authority (DPA).
The age-verification requirements can potentially impact all entities offering online services—when in effect the Bill would require age verification of every user to ensure no children’s data is being processed. Moreover, the requirement of parental consent may result in children losing access to valuable services—especially for startups in sectors such as edtech, healthtech and gaming—as processing children’s data will be faced with increased compliance requirements, the form of which is yet unknown.
The Purpose And Collection Limitations
The Bill requires entities to collect personal data for purposes that are clear, specific, lawful and communicated in advance. This can act as an impediment for startups, who sometimes collect data without a definitive purpose or for the purpose of monetising data. As such, startups will have to anticipate and obtain the consent of users before processing the data for any new use-cases or purpose.
Notice And Consent Requirements
In order to lawfully process data, entities must comply with strict consent and notice requirements. Startups processing personal data on the basis of consent must provide users with extensive notices at the time of collection. Requiring detailed notices at each instance of data collection can be impractical and costly, particularly for repetitive and routine transactions.
The requirement of multiple languages for each notice may also be cumbersome in practice. Furthermore, the sheer number of notices can lead to consent fatigue for users.
Rights Of Users
The Bill provides the users with several rights over their data, including rights for data access, data correction, data portability and data erasure. This will mandate entities to design their systems in a manner that enables users to make such requests, and ensure that these requests can be met.
“The rights given to a user under the Bill can have a significant commercial impact on startups, as reworking their core systems to enable such processes will increase business costs,” said Vijayant Singh, associate, Ikigai Law.
Excessive Powers Upon The DPA And The Government?
The PDP Bill vests the DPA and the central government with broad, overarching powers. For instance, the DPA can notify ‘significant data fiduciaries’ (SDF); notify new grounds for processing personal data; determine the form, manner and procedure for conducting data audits, and may require entities to submit ‘privacy by design’ policies for certification.
In addition, the government is empowered to determine to specify new categories of SPD, classify CPD, and the conditions for cross-border transfer of data in certain cases.
“Allowing the Government to notify categories of SPD and CPD causes significant business uncertainty. It is hard to disaggregate mixed datasets- it may not be practically possible to scrub datasets and store certain data locally while transferring other data freely,” explained Singh.
Other Provisions Under The Bill
Apart from covering all the above pointers, the roundtable will also cover the following concerns:
- The absence of a clear timeline for implementation and enforcement of the PDP Bill. The previous version proposed had specific timelines for implementation of provisions including cross border transfer restrictions, the establishment of the DPA, and others. An adequate time period is necessary for start-ups to make the required adjustments to their processing activities and comply with the law.
- The revised version of the Bill contains criminal liability provisions for re-identification of de-identified personal data. This has the potential to dissuade startups from undertaking data processing operations.
During our last edition of The Dialogue on the PDP Bill, held in September 2018, the discussion made it clear that there is a very evident gap between the policymakers and tech startups. To preserve the momentum and growth of India’s startup ecosystem, this gap needs to be bridged through dialogues, debates and discussions. The impact of the Bill needs to be highlighted through such efforts.
Scheduled in Delhi, The Dialogue is the perfect opportunity for all the stakeholders and members from the Indian startup ecosystem to come together and voice their concerns and opinions regarding the Bill. Book your slots now before all the seats are full.Join Us In The Discussion
Update: Due to the Coronavirus outbreak in Delhi, Inc42 and Ikigai law have decided to postpone the event. We will update the article as and when the date and venue for the same are finalised.