SUMMARY
While the Act provides clarity to users on how their data can be used by corporations, it also provides clarity to companies (including startups) on how they must deal with users’ personal data, and consent
While the startup ecosystem has welcomed the Act, many have highlighted that it falters on aspects like implementation and a few other parameters
Unlike Europe’s GDPR, which has detailed the fine print of implementing the law, the DPDP Act, 2023, misses details on multiple fronts
After much back and forth in the Parliament, President Droupadi Murmu has finally granted her assent to the Digital Personal Data Protection Bill, 2023. The bill that has remained in limbo for the last six years has now become a law that is expected to uphold the sanctity of every citizen’s fundamental ‘right to data privacy’ both in the real and the virtual realms.
However, before we delve deeper into what impact the Act will have on the world’s third-largest startup economy, let’s take a quick look at its evolution.
Six years ago, in July 2017, the Ministry of Electronics and Information Technology (MeitY) appointed a 10-member panel (aka Srikrishna Committee), under the chairmanship of Justice BN Srikrishna, to submit a detailed report on data privacy and draft a bill on personal data protection.
The Bill, after being introduced in the Parliament and referred to a Joint Parliamentary Committee, was later withdrawn in August 2022. Consequently, a new bill called the DPDP Bill, 2023, was introduced in Parliament earlier this month. Between 2017 and 2023, the bill went through multiple revisions before landing on the President’s table, requesting her assent.
Interestingly, despite the opposition’s demand that the new draft bill (2023) should be handed to either a Joint Parliamentary Committee or a Standing Committee, it was upheld by the Parliament this week (on August 9).
It seems that the fifth and final version of the bill addresses some of the key issues raised by the startups in 2022 when it was released for public consultation.
For instance, the provision of penalty was reduced from an earlier INR 500 Cr to a maximum of INR 250 Cr under the newly received bill (now an Act). The government is also expected to extend further relief to early-stage startups under the DPDP Act, 2023.
Moving on, while the earlier version proposed publishing a list of countries where data transactions would be allowed, the Act specifies a list of countries that are barred from data transactions, giving more clarity to the startups that handle data.
Speaking with Inc42, Sanjay Jain, a partner at Bharat Innovation Fund, said that the DPDP Act is an important milestone in the way we govern technologies. Given the rate of change (or lack of maturity) in the technology ecosystem and the governance thereof, it is the first attempt to provide clarity to technology companies on how users’ rights must be protected.
While the Act provides clarity to users on how corporations can use their data, it also provides clarity to companies (including startups) on how they must deal with users’ personal data, and consent. The Act is also expected to make industries and sectors respect users’ rights and control over their data.
“I expect that we will see companies that will start to incorporate this thinking into their tools and architectures as they build a safer online existence for all of us… This Act is a signal from the government that it (data) is an important space, and that they are keen to protect the rights of users. Certain exemptions have also been provided to startups to ensure that they are able to innovate without any undue burden on them,” Jain said.
Given that we have already covered the first draft of the Personal Data Protection Bill, 2018, and the draft DPDP Bill, 2022, in detail, allow us to highlight some key amendments in the DPDP Bill, 2023, and how the new Act directs Indian startups to maintain the sanctity of the user data.
Bringing More Clarity To Digital Personal Data
The DPDP Bill, 2022, had many complicated parts and therefore needed clarity. For instance, the provisions of the last draft of the bill would not apply to the non-automated processing of personal data; offline personal data; personal data processed by an individual for any personal or domestic purpose; and personal data about an individual that is contained in a record that has been in existence for at least 100 years.
This portion was removed from the fifth revision of the bill, which simply states that the Act shall apply to the processing of digital personal data within the territory of India where the personal data is collected (i) in digital form or (ii) in non-digital form and digitised subsequently.
Thus, the DPDP Act, 2023, shall not apply to the processing of personal data in the non-digitised form.
Govt To Publish A Negative List For Cross-Border Data Transactions
The earlier draft of the bill stated that the central government may, after an assessment of certain factors and as it may consider necessary, notify countries or territories outside India to which an Indian data fiduciary may transfer personal data, in accordance with terms and conditions as may be specified.
However, this, too, has been removed from the Act, giving much-needed relief to startups that have clients outside India.
According to the Act, the central government may, by notification, ‘restrict the transfer of personal data by an Indian data fiduciary for processing to such country or territory outside India as may be so notified’.
“With respect to cross-border data transactions, the Act prescribes a simplified process. Under the Act, such transfer may occur with prior approval of the Centre. The government may, while providing such approval, prescribe additional provisions that will have to be followed. However, unlike the GDPR, the Act does not have an elaborative framework for cross-border data transactions,” the founder of Fountainhead Legal, Rashmi Deshpande, told Inc42.
Certain Exemptions Can Be Granted To Startups Under The Act
According to the DPDP Act, 2022, the central government retains the right to exempt certain classes of data fiduciaries, including startups.
Earlier, the Union Minister of State for Electronics and Information Technology (MeitY), Rajeev Chandrasekhar, indicated that early stage startups could be exempted from certain penalty provisions. However, there will be a sunset clause for the exemption.
Jain of Bharat Innovation Fund said that the Act provides for the board to consider certain factors when it determines the penalty to be imposed. This includes the size and significance of the breach, along with the actions taken to mitigate the breach. This could also include the impact of the monetary penalty on the offending party.
“To this extent, I do think that some consideration has been provided to spare smaller companies from large penalties. However, we will only get clarity on how regulators use their powers and set up a process to determine these fines, among other things,” Jain added.
While the Act is a move in the right direction, it still gives little clarity over its implementation and additional operational costs.
Startups Fear An Increase In Expenses
While the entire consent mechanism would increase the data transaction cost, startup founders feel that significant data fiduciaries will come under additional obligations. They may also be required to fulfil additional requirements such as the appointment of a data protection officer to address data principals’ grievances and an independent data auditor to carry out data audits and periodic data protection impact assessments.
According to the founder of fintech startup Niro, Aditya Kumar, fintech companies will now be required to establish systems that grant users access to their data and allow them to have the final say in its usage. Under the new regime, digital lenders are expected to fare better, given that customer experience and grievance redressal are already part of their regulatory framework.
“However, one significant consequence of this Act could be an increase in the expenses related to implementation and compliance, potentially demanding more resources and a heightened level of awareness,” Kumar added.
Implementation Challenge In The Age Of AI
The Act directs setting up a Data Protection Board of India to ensure the implementation. However, unlike GDPR, which has detailed the fine print of implementing the law, the DPDP Act, 2023, misses details on multiple fronts.
The founder and MD of Tech Whisperer, Jaspreet Bindra, said that the formation of the Data Protection Board and the fact that it will be housed by professionals is welcome. However, the implementation of the same will be a real challenge.
This is because technology tends to move much faster than regulations, and implementing regulations effectively and speedily is expected to pose a challenge.
Take Generative AI for example. The EU is groping in the dark to integrate this new technology into its regulation framework, however, by the time the new framework will be ready, the technology will have changed.
“There are many aspects to GenAI like plagiarism of data, data bias, deep fakes, etc. that would be difficult to track and regulate, given the power and wide distribution of technology,” Bindra added.
The New Bill Gives The Government A Free Pass
Clause 17(2) of The DPDP Act, 2023, allows exemptions to the government with respect to the processing of personal data.
Former union minister, MeitY, Manish Tewari said that this Act drives the entire digital universe into two parts — First, the bill will apply in full force to all non-government organisations, and second, the entire government entities are going to be exempted from it.
Meanwhile, Deshpande said that the fact that the central government, and in certain cases, the state governments, including the Data Protection Board and its members, are exempt from the provision of this framework, it could pose a major threat to the right to privacy (including data) of Indians.
The right to privacy, as upheld by the Supreme Court of India in multiple cases, is a fundamental right, which cannot be violated even by the government. Therefore, there exists a conflict and it cannot be said that the Act provides absolute protection of data and ensures that the right to privacy is upheld.
Since DPDP Act, 2023 has retained the powers given to the Central Government, Justice BN Srikrishna who headed the first committee on data protection and had vouched for an independent authority/board for data protection found it worrying.
Speaking to Inc42, Justice BN Srikrishna had earlier stated that it is simple with regard to simple things but does not rise to the level required for complex things. For example, it gives too much margin to the government and does little to protect individuals’ fundamental right of data privacy. It will not be able to safeguard citizens or individuals against the poaching of data and misuse thereof by government agencies.
Is India On The Brink Of The Privacy Revolution?
Despite concerns, the Indian startup ecosystem has welcomed the Act. For starters, many founders agreed that the DPDP Act, 2023, is simple and easier to implement.
They also believe that the Act will set the stage for a new era of data privacy and accountability in the country’s digital landscape. Further, embracing data protection can forge stronger user relationships and propel responsible innovation.
“We’re on the brink of a privacy revolution. By embracing it (the Act), we not only comply but also build stronger connections with our users,” a startup founder said.
The Act that has received the President’s green light signifies the government’s recognition of the critical nature of data protection and its commitment to preserving user rights. Meanwhile, it is all set to usher in a new era of trust and innovation for the world’s third-largest startup economy.
