Last week, the Ministry of Electronics and Information Technology unveiled India’s third attempt at a draft Digital Personal Data Protection Bill, a slimmed-down version that continues to raise issues like perpetuating surveillance and potentially diluting the Right to Information Act. As far as startups are concerned, though, there may be room for cautious optimism.
“This is a much leaner law,” Sreenidhi Srinivasan, Partner at Ikigai Law, told Entrackr. Indeed, the draft bill is now under 25 pages long, with several parts of previous drafts deleted. The new draft “is principle-based and focuses on the most critical aspects of data-processing,” Srinivasan said. “So, compliance costs for startups are likely to be lower. For instance, the law introduces the concept of ‘deemed consent’ or situations where consent is deemed to have been given.”
“Repeated consent-taking would have been onerous for businesses, especially startups, and could have added friction to the customer journey,” Srinivasan said, pointing to how the law doesn’t require data fiduciaries (entities collecting data) to take consent for data collection once again as long as the purpose they are using it for can be “reasonably” expected.
A lot still hangs in the balance with subordinate legislation, though. “[E]d-tech platforms collecting children’s data must get parents’ consent,” Srinivasan pointed out as an example. “How this consent will be taken will be set out in rules [notified after the bill’s passing]. So, start-ups must look out for rules/notifications that the government comes up with.”
The government may also notify some entities, like early-stage startups, that will be exempt from penalty provisions (fines for each violation extend up to Rs 500 crore), Minister of State for IT Rajeev Chandrasekhar told the Indian Express. He added, however, that such exemptions will come with a ‘sunset’ clause, meaning they will eventually be phased out.
“It will be impractical to impose a fine of 500 Crores on a start-up,” Amit Jaju, Senior Managing Director at Ankura Consulting Group (India), said in an emailed statement. “Remember, everyone will get hacked at some point.”
“The draft Bill has watered down the objective of a data privacy and protection framework,” Abhishek Malhotra, Managing Partner at TMT Law Practice, said in a statement. “It appears to give a simpler framework for people to be able to adopt it seamlessly. Unfortunately, however, the scope and applicability provisions have also been curtailed and limited to where collection is online or digitized and where Indians are targeted for profiling.”
However, Malhotra said that the duties of individual data principals (i.e., people whose data is collected) to provide accurate information have eased the burden on data fiduciaries.
An interesting conundrum could be the designation of ‘significant data fiduciaries’, or entities that handle a large volume of data. With the possibility that these entities might be required to have a certain level of financial strength (penalties go up to Rs 500 crore), this might force loss-making startups to further abstain from storing any data themselves. Of course, for all we know, this might also create a startup or two dedicated solely to that purpose.