SUMMARY
'The Dialogue’ discussed the PDP Bill in detail, including changes startups will have to make in data collection and processing practices
It also discussed how the Bill's data localisation mandate will affect startups’ cost efficacy and operations
It discussed how startups can keep costs in check while meeting the mandate of taking users' consent and classifying their personal data
While the Ministry of Electronics and Information Technology (MeitY) has invited public comments on the Draft Personal Data Protection Bill, 2018, (PDP Bill) latest by September 30, Inc42, in association with Ikigai Law (Formerly TRA), on September 7, organised a roundtable interactive session with startups to discuss the impact of the Bill on their businesses once it gets enacted in Parliament.
Moderated by Vaibhav Agrawal, founder and CEO, Inc42, Anirudh Rastogi, founder, Ikigai Law, and Nehaa Chaudhari, Policy Lead at Ikigai Law, ‘The Dialogue’ addressed the key points of the PDP Bill — data localisation, data criticality, consent notices to users, and consent requirements among others. The invite-only roundtable was attended by startup founders who brought up a host of challenges that have not been addressed or answered in the existing draft Bill.
Personal Data Protection Bill: Key Points
Data Collection
Be it offline or online, the data collection practices of startups will need to change once the Bill is enacted. The Bill mandates data fiduciaries (entities collecting or processing the data) to issues notices to their users about the data they seek to collect, the purpose of collection, whether the data will be transferred to third parties or outside the country, how it will be stored, for how long it will be retained, and so on.
The draft, thus, makes the collection of personal data limited and subject to notice and agreement. Accordingly, startups will have to notify existing users of their data collection and use practices and obtain fresh user consent. Startups at the roundtable expressed concerns that a large part of their userbase may not provide consent again and in the manner required, thereby leading to disruption in their business. “This problem is amplified in India given that the average Indian user is not very tech literate and may not provide granular consent,” said Vivek Jain, CEO of InteractiveMedia, which provides interactive platforms for management, legal, and finance professionals.
The Bill primarily applies to “personal data”, which is data that can be used to identify an individual. However, personal data is not limited to name, address, etc. It could be any data that can be combined with other data — even publicly available information — to somehow identify the individual. For instance, if a cab company knows that someone is going to a particular coffee shop on a daily basis, the dataset could be used to identify a unique individual and will constitute personal information, explained Anirudh Rastogi from Ikigai Law.
While some of the attending startups felt that this personal data clause could be one of the major hurdles for them, some were of the view that the draft Indian PDP Bill does not prioritise the ‘Right To Business’ like the General Data Protection Regulation (GDPR) has done.
Data Localisation
For each and every data fiduciary directly or indirectly involved in data collection or processing data belonging to Indian data principals, the draft PDP Bill makes it essential to store at least a copy of the data on a server or data centre located in India. Further, certain data such as “critical” data, which will be defined by the government in conjugation with the proposed Data Protection Authority (DPA), will be stored only in India-based servers.
Thus, the data localisation mandate requires the data fiduciaries to set up their servers in India as well. However, at the roundtable, startup founders pointed out that opting for a data server in India is costlier than having data servers based in the US and Singapore; the mandate also limits choices of startups, imposes a higher administrative burden, and is detrimental from a data security standpoint, they argued. Others said that various cloud-based services are not available on Indian servers today and will not necessarily be localised since the Indian market for many such services is tiny in comparison to the global market.
Therefore, mandates such as data localisation, consent notice, entertaining users’ right to access and the right to be forgotten will not only increase startups’ costs and reduce their profit margin but will adversely affect their’operations, efficiency, and global competitiveness.
The participants also highlighted the point that it’s not only the PDP Bill that startups need to be compliant with. They need to comply with multiple data-related laws, which could be sectoral as well as country-specific data protection laws, and this will add to their burden.
Many were of the view that the data localisation provision has been included in the draft Bill due to a particularly strong lobby backing the issue. The prescribed hefty penalties of up to Rs 15 Cr and criminal liability would hamper the businesses of startups at large, they added.
Sensitive Personal Data
The draft PDP Bill also invokes the concept of Sensitive Personal Data (SPD). Sensitive personal data includes information such as health data, official identifiers (Aadhaar ID, driving license, etc), biometric data, religious or political beliefs, and caste-related data.
However, there is no clarity on whether “critical data” is a subset of SPD or not. The definition of “critical data” is yet to be outlined by the government.
Taking Data Principals’ Consent
In line with the GDPR, the PDP Bill too has clearly defined that information related to seeking consent needs to be free, comprehensive, unambiguous, and indicated through affirmative action. It is not advisable for companies to offer pre-checked “I agree” boxes to users at the beginning of the privacy policy, but rather users should actively check the box appearing only at the end of the privacy policy so as to determine that they have at least scrolled down the policy to actually read it. In such a case, it will be important for product teams to work closely with lawyers to strike a balance between good data collection practices and user-experience, explained Rastogi.
Besides consent, the draft Bill has also given certain rights to data principals which data fiduciaries will be bound to entertain within a given period of time frame. These include the right to access, the right to be forgotten, etc.
PDP Bill: Challenges Ahead
The roundtable conference listed a number of challenges that remain ambiguous, unanswered, and must be addressed before the Bill gets introduced in Parliament. Some of the challenges brought into account are:
- In India, a significant amount of data is still handled offline but the PDP Bill doesn’t mention the mode of consent in offline data collection. How are data fiduciaries supposed to send the notice of consent to data principals while collecting their data?
- The standards laid down in the Bill are loosely defined or not defined at all.
- Collection of data for repetitive transactions or using new technologies such as IoT devices or facial recognition will become harder to implement, explained Nehaa Chaudhari of Ikigai Law.
- Cross-border data sharing for research in areas such as drug efficacy, etc will be impacted by the Bill.
- The cost of compliance will shoot up significantly for companies and will especially burden startups.
- Compliance for startups aspiring to offer services globally is going to be even more problematic since they will need to comply with different standards prescribed under different laws.
- Participants also pointed out that people’s mobiles contain their contacts’ personal data and can get lost; people often exchange business cards without specifically mentioning the purpose. They questioned how would the Bill affect such scenarios in the future? What happens if someone loses his or her mobile? Is he/she liable to litigation under the current draft Bill?
The draft PDP Bill also outlines that companies can collect only specific data related to specific purposes defined by the Data Protection Authority. For startups, this could be a major hindrance. For example, a number of pilot projects are carried out where the purpose of the data collection remains agnostic in nature. The current draft Bill does not provide any clarity on such cases. The participants added that if the Bill gets enacted in its current form, it would negatively impact the disruptive technology advancements that are usually achieved through pilot projects run by startups.
PDP Bill: The Dialogue Must Go On
Inc42 and Ikigai Law’s ‘The Dialogue’ saw a heated, insightful discussion with active participation from all the participants. In essence, the conversation highlighted a clear gap between the mindsets of policymakers and technology-driven startups. This gap needs to be bridged to keep up the momentum of the Indian startup ecosystem. The Dialogue must go on.
The MeitY is open to the comments, feedback on the draft PDP Bill till September 30, 2018. Don’t forget to make your voice heard before it’s too late and becomes more difficult to fix the bugs!
Update 1: September 9, 2018, 21.46
The date for submissions for feedback on the draft Indian Personal Data Protection Bill, 2018, has been extended to September 30, 2018.
