Modified data protection bill to bring ease for startup ecosystem: Experts

The modified version of the draft digital personal data protection (DPDP) bill has brought reasons to cheer for the startup ecosystem with relaxations for cross-border data transfer, removal of non-personal data, and certain exemptions, industry stakeholders and experts said.

The Ministry of Electronics and Information Technology (MeitY) on Friday released a draft version of the much-awaited data protection law, in the fourth such effort since it was first proposed in July 2018.

The 24-page document seeks to provide a legal framework for collecting and processing personal digital data in India. The government has argued that the draft manages to secure the digital rights of citizens, without impacting the ease of doing business.  

Rohit Kumar, legal expert and founding partner at TQH consulting said the draft bill may reduce the compliance burden, making sure that it is easier for small players to comply with the law. “The requirements of data localisation and privacy by design, which needed to be certified by the data protection authority in the previous draft, could have added to a lot of compliance burden. It has been relaxed now that will definitely help the IT-ITeS sector,” Kumar said.

Apart from general obligations such as giving an itemised notice to users before collecting their data, the draft has prescribed additional obligations for significant data fiduciaries. The significant fiduciaries would be determined by the volume and sensitivity of the data and also based on the risk of harm to the users of the data.

Kumar said the risk-based approach used to define significant data fiduciary instead of having volume-based criteria will be helpful for start-ups. “There are many startups that have a lot of users on their platforms, but not enough active users. The risk of harm on these platforms is also lower. So, generally speaking, this approach can benefit such platforms,” he said. “On the face of it, the bill is industry-friendly and does take into account some concerns from start-ups.”

However, there are concerns with some provisions of the bill. The draft document also provides the users with the right to withdraw their consent to share their data at any time.

Devashish Goyal, CEO and Founder of Ohlocal, an AI-enabled hyperlocal bidding marketplace said this could create problems for his startup in the future.

“We use many third-party platforms for serving our users. For example, we upload our user data on WhatsApp Marketing for sending them some alerts and invoices. If on one fine day, a user tells us to stop processing their data, we would also need to ask this third-party software to stop using that data and verify that our request is implemented. We need to understand how this entire ballgame will work and how transparent the third-party service providers will be.”

Sanjay Jain, partner at Bharat Innovation Fund – an early-stage venture capital fund – said the draft bill, if implemented, will have a sizable impact on startups, and compliance costs will go up.

He said, “Taking consent (from the users) is an important area, but the burden of telling users what is collected can be high. I believe that there are two aspects of this - being transparent with users about the data collection and users can increase trust in the companies. The other is that companies will be incentivised to collect less data as a result of this, which will make it easier to comply.”

The draft bill prescribes financial penalties of up to Rs 250 crore for failing to take security safeguards to prevent personal data breaches.

Jain said, “The numbers in the bill are the maximum penalty, and we will hope that the regulations grade these in proportion to the offense, and the size of the company so that they are not onerous.”

The draft bill is also seen as a simplified version compared to its predecessors. It has scrapped the provisions on non-personal data, which forms the raw material for Artificial Intelligence. It has also exempted non-automated processing of personal data and offline personal data.

Manish Sehgal, partner at Deloitte India said, “The structure of this draft is simplified with just 30 articles under 6 chapters while earlier versions or global regulations like GDPR (General Data Protection Regulation) came with close to 100 articles. The inclusion of illustrations is very apt and makes it even simpler to relate with the corresponding article.”

Sehgal added that “the stringent requirements of data localisation from earlier versions could have impacted start-ups, especially the ones which are supporting global partners, and enterprises. Now, as that requirement is revised allowing cross-border data residency to trusted destinations (once assessed by the government), it will offer leverage for the startup ecosystem to work at a global scale.”