Early this year in April, the Reserve Bank of India (RBI) released a circular directing all payment system operators in the country to store their data exclusively in India. As the 15th October deadline for compliance with the RBI directive edges closer, it is clear that Indian companies will soon have to revamp their data collection and processing practices. With the release of the Personal Data Protection Bill, 2018 (Bill) in August, it has now become important for stakeholders to anticipate the changes they will have to put in effect well in advance. Startups, in particular, will be significantly affected by these changes, since complying with the new privacy requirements will require considerable investments of time and money.
In order to prepare startups for the new privacy regime, Ikigai Law, in association with Inc42, had organised The Dialogue – an interactive roundtable session to discuss the impact of the Personal Data Protection Bill with startups. The discussion, led by Anirudh Rastogi, Founder, Ikigai Law; Nehaa Chaudhari, Policy Lead, Ikigai Law; and Vaibhav Agrawal, Founder and CEO, Inc42, focused on key issues under the Bill including the new notice and consent requirements; treatment of sensitive personal data; purpose and collection limitation; and data localisation.
Notice and consent requirements: Things to watch out for
Discussing the new notice and consent practices required under the Personal Data Protection Bill, in The Dialogue, Anirudh emphasized that earlier, privacy policies used to be taken fairly lightly. The new notice requirements under the Personal Data Protection Bill, however, are very specific. Information has to be given to the user in a simple and comprehensive manner, even in the case of vernacular languages. For startups involved with the Internet of Things (“IoT”), devices will need screens to provide notice, or an email will have to be sent in real time. This may interfere with the user experience for some devices and could entail a back-and-forth between the legal and UX/UI teams of companies during product development.
Voicing his concerns about the consent requirements, a participant explained how facial recognition could create challenges. For technologies that use facial recognition to track management and attendance of a group, the rules for consent are blurred. While it is easy to take consent on an individual basis, capturing hundreds of faces in a crowd is a whole other ballgame. Capturing consent for this seems near impossible at this stage.
Anirudh responded with the suggestion that perhaps they could rely on the ‘reasonable purpose’ ground under the Personal Data Protection Bill, while warning that it would be a fairly high standard to meet, since only the Data Protection Authority is empowered to list out what counts as a reasonable purpose, and businesses aren’t free to define what reasonable purposes are for themselves. An audience member responded to this observation saying, “It is very important to consider compliance costs. I fear that standards under this Bill are loosely defined. How does a company with an annual turnover of a million dollars set aside the money for compliance? How do you take this cost into effect in business?”
Sensitive personal data: Meeting a higher standard
The processing of data that is deemed ‘sensitive personal data’ (SPD) under the Personal Data Protection Bill is subject to a higher threshold for consent than personal data. All passwords, financial data, health data, official identifiers, biometric data, genetic data, data indicating religious or political beliefs, sexual orientation or caste/tribe status are considered SPD under the Personal Data Protection Bill.
Companies collecting or using this data will need to take the explicit consent of their users in order to process that data – meaning that they will have to inform users of the consequences of processing their data in addition to the regular notice and consent requirements.
Anirudh explained that this could have impractical implications – if users on social media platforms post information that reveals their sexuality, religious beliefs or political beliefs, that will be considered SPD, and explicit consent will have to be taken for the use of that information. Even freely available information like surnames that reveal caste will be labelled SPD under this Bill.
Purpose and collection limitation: Limits on how startups can monetise data
Once the Personal Data Protection Bill is in force as a law, startups will only be able to collect personal data for purposes that are clear, specific, lawful and communicated in advance. They can only collect that data which is necessary for processing. Explaining the implications of this requirement, Nehaa commented, “Consent has to be purpose specific. You cannot repurpose the data for another use without informing the user of that change.” Anirudh agreed and pointed out that this could be particularly relevant for pilot projects that collect data without a definite purpose, in the hope of monetising that data at some point in time.
Under the new privacy regime, startups will have to anticipate the use cases and purposes of data collection and inform consumers of them before processing any data, to ensure that the user consent they obtain is valid.
Data localisation: Possible effects
On being asked how many companies stored data on the cloud, nearly everyone present responded in the affirmative. Many participants placed reliance on global cloud computing platforms such as Google Cloud, Microsoft Azure, and Amazon’s AWS. They explained that their choice of cloud platforms was determined by the responsiveness of the service, cloud service latency, availability of disaster recovery centres and overall efficiency. These services allow startups to cut costs significantly since they do not have to invest in large amounts of hardware to store their data.
The free access to global cloud computing platforms currently enjoyed by Indian startups may be affected by the data localisation requirements under the Personal Data Protection Bill. As Nehaa explained, localisation in the Bill has two aspects. First, at least one serving copy of all personal data needs to be stored in India. This could be difficult to operationalise. Second, there is a carve-out for ‘critical personal data’, which can only be stored and processed in India. Critical personal data is currently undefined; the Central Government has to notify the kinds of data that will fall under this category. One theory is that certain kinds of SPD will be considered critical personal data, but it is as yet unclear.
One of the participants, a data scientist working with a data analytics firm, pointed out that stringent data storage requirements lead to significant costs even for large companies, and so startups would be particularly affected by this measure. On the steep penalties and criminal liability prescribed for non-compliance with the Bill’s provisions, Vikas Chauhan of 1MG emphasized that we cannot have a system where digital health entrepreneurs are scared to operate digital health businesses and innovate, for fear of criminal prosecution. In his view, the penalty should be financial and there should be different levels of liability for companies that violate the same provision repeatedly. This will ensure that entrepreneurs do not face an existential threat for small offences.
How do startups engage with the Personal Data Protection Bill?
It is clear that the new data protection regime will have significant consequences for startups, and businesses would benefit from engaging with the shaping of the Personal Data Protection Bill. Fortunately, the Ministry of Electronics and Information Technology (MeitY) has made a public call for comments, with the deadline fast approaching on September 30. We recommend that all data-heavy startups respond with their comments, to ensure that the concerns of the startup ecosystem are duly represented before the MeitY.