After nearly four years, the Joint Parliamentary Committee (JPC) recently tabled its long-awaited report on the Personal Data Protection Bill, 2019 (2019 Bill).
Once the law comes into force, startups will need to revamp their data handling and operational practices and comply with a host of obligations.
Ikigai Law is inviting stakeholders from the startup ecosystem to discuss the impact of the proposed law in a virtual roundtable on February 24, 2022.
Nearly four years after the government first tasked the Justice Srikrishna Committee with bringing in a data protection law, India is finally inching closer to accomplishing it. The Joint Parliamentary Committee (JPC) recently tabled its long-awaited report on the Personal Data Protection Bill, 2019 (2019 Bill). It has also formulated its own version of the proposed law – naming it the Data Protection Bill (DP Bill). The name change reflects the JPC’s decision to expand the law’s scope to include non-personal data within its ambit.
The proposed law sets out do’s and don’ts for all companies handling data. So, to abide by the law, startups must re-think how they collect, store, use and share data. They must adopt a ‘privacy by design’ approach, i.e. embed privacy within the very design of their system/s and ensure its security. They will also need to create processes to handle requests from users wanting to exercise certain rights in relation to their data. In addition to this, it requires building technical capacity to share the data with the government for policy-making purposes, obtaining certifications for their hardware and software, and locally storing sensitive data, among other things. These changes bring with them significant compliance costs that companies will need to factor in and it is essential that startups have enough time to comply with the proposed law.
In addition to changes to the text of the 2019 Bill, the JPC also posits general recommendations like treating social media platforms as publishers of content, enforcing mandatory verification of social media users, formulating a strict data localisation policy, among others. While the general recommendations may not translate into immediate regulatory action, they may drive the government’s thinking in the longer run. It is important for startups to engage with these recommendations so that they have a sense of what the future of regulation could hold.
To help startups understand the impact of the proposed law, Ikigai Law is hosting a virtual roundtable discussion — “Unscramble: Impact Of India’s Data Protection Law on Startups” — on February 24, 2022, at 3 PM IST. Some of the themes being delved into during the session include the mandatory sharing of non-personal data with the government, restrictions on cross-border flow of data, the disclosure of fairness of algorithms and the overall compliance challenge for startups.
Impact Of Including Non-Personal Data Into A Privacy Law
The DP Bill seeks to regulate non-personal data (NPD) within the scope of a personal data protection framework. It gives central government broad powers to access NPD for formulating policies for the digital economy and empowers the Data Protection Authority (DPA) to investigate breaches of NPD.
But why should this matter to startups?
NPD is envisaged to include a wide variety of data, including data that is stripped of any personally identifiable information, data that is anonymised, and data that never had any link with personal data such as weather data, geospatial data, telemetry data, travel data etc. Companies invest technical and financial resources to derive value from NPD by subjecting it to processing and data analytics tools. Such data includes raw data (data collected at source), inferred data, and key business insights (which are proprietary in nature).
Permitting the government to access proprietary data could interfere with companies’ intellectual property (IP) rights over their datasets. This could also impact startups that rely on insights from data for a competitive edge in the market. Requiring companies to give up NPD could discourage them from investing in data collection, aggregation, storage and analytics. It may stymie innovation, impede the development of the data market, and hold back companies from experimenting with data and other data-related assets.
The objective of regulating personal data is securing individual privacy, and that of regulating NPD is extracting economic value. Regulating personal data and NPD under one umbrella is likely to dilute both objectives.
Uncertainty And Compliance Challenges
The DP Bill, like the 2019 Bill, categorises data as sensitive personal data and critical personal data. Sensitive data includes a non-exhaustive list of routinely processed information such as financial data, health data, genetic data, and more. Critical personal data is yet to be defined by the government. Processing sensitive data comes with stricter compliance obligations, including the requirement to obtain explicit consent from users.
The overbroad nature of both sensitive and critical data, and the ability of the government to notify additional categories, could create uncertainty. It could make it difficult for startups to assess how to classify data, and how to peg compliances for different categories.
Unlike data protection laws in other jurisdictions, the proposed Indian law focusses heavily on user consent as a legal basis to process data. The proposed law would require companies to obtain consent even for routine operations like product improvement, bug fixes, etc., leading to over-notification and consent fatigue for users. It also creates two standards — consent and explicit consent — without a clear explanation of the difference between the two, adding to the uncertainty.
The proposed data regulator will have the power to designate any data fiduciary (our equivalent to what the GDPR calls “data controllers”, entities that decide the purpose and means of collecting data) as a significant data fiduciary (SDF), based on certain criteria. This includes volume and sensitivity of data processed, use of new technologies, processing of children’s data, social media companies above a certain threshold of users, among others.
SDFs have heightened compliance requirements such as conducting data protection impact assessments and appointing data protection officers. Fintechs that process financial data, and any startup which uses new technologies, will remain on edge about their classification as SDFs.
Further, in an effort to build additional safeguards to protect children’s data, the law effectively requires all online businesses to age-gate their services in some manner. However, guidance on the standards of age-gating techniques will only come from the regulator at a later stage making it difficult to plan for compliance.
Local Storage Requirements Could Affect Competitiveness Of Startups
A large number of Indian startups depend upon cross border data transfers, for instance, to use services of cloud service providers located outside India. Provisions impeding the free flow of data will create difficulties for startups – who will be unable to access cost-effective and best-in-class technologies and infrastructure. Additionally, local storage requirements could pose obstacles for deep tech (AI/ML, data analytics) startups with ambitions to cater to consumers across the world.
The 2019 Bill already imposed several restrictions on cross-border data transfers. The JPC, in the DP Bill, has proposed additional bureaucratic hurdles on data transfers, like requiring central government approval for transfers pursuant to a contract or intra-group schemes.
The free flow of data acts as an equalizer, allowing startups to compete globally on price and quality, regardless of their size. On the other hand, disproportionate restrictions on data transfers could shut off access to cheaper services and cutting edge technology offered by global cloud platforms and international markets for startups.
Disclosing ‘Fairness’ Of Algorithms And Trade Secrets Could Impact IP Rights Of Startups
The proposed law requires entities to share information on the ‘fairness of algorithm’ with the data regulator. This is to ensure transparency in the processing and to prevent the misuse of algorithms. It is unclear what ‘fairness’ means or how much information would be required to be disclosed. It could also have implications for the IP rights of a business, especially if the algorithm is interpreted by the regulator to mean algorithmic source code.
The DP Bill also allows an individual to request companies to transfer their personal data to themselves or to another company. The scope of personal data that can be transferred is wide as it includes data generated in the course of providing services to users and any data which forms part of any profile of users. This could include confidential business insights.
While the 2019 Bill allowed companies to deny these requests — if it was necessary for protecting trade secrets — the JPC suggests removing the trade secret exemption, exposing the company’s confidential business information to competitors. Since startups significantly rely on their data moats to maintain competitiveness, this could harm their growth prospects.
The DP Bill also proposes to set up a certification and testing regime for software and hardware of computing devices to prevent data leakage or threat to national security on digital devices. This could lead to the creation of new hardware/software standards – in addition to existing local and global standards. This can disrupt production operations, and will only burden startups, who may have to alter their hardware and software systems, resulting in increased costs.
So What Is Next?
Though the JPC’s report recommends that the data regulator keep the interests of startups and small businesses in mind to encourage innovation, uncertain compliances, strict local storage requirements, among other things, could defeat this intent. Thus, it is crucial to communicate the concerns of startups to the government, as it deliberates over the DP Bill.
To this end, Ikigai Law is inviting all stakeholders from the ecosystem to discuss the impact of the proposed personal data protection framework in a virtual roundtable — Unscramble: Impact Of India’s Data Protection Framework For Startups on February 24, 2022, at 3 PM IST.