With the 24X7 digital presence and inseparable dependence on internet, comes a new challenge of safety of data acquired by websites and mobile applications we use. Last few years have witnessed reasonable number of incidents of data breach and allegations of data misuse. The European Union’s General Data Protection Regulation (GDPR) notified on May 25, 2018, was one major international law initializing legal regulation of private data and modelled on similar concepts is its Indian counterpart, Personal Data Protection Bill which bears striking similarity with the prior. The Bill is currently under the scrutiny of the Joint Committee of Parliament and is yet to be implemented, however, it is not too far when India will have a comprehensive specialised legislation for Data Protection.
INTROSPECTING THE REGULATION
The proposed law levies new compliance requirements for data protection on most businesses in India with applicability upon almost all businesses across India’s economy. The only exemptions will be businesses like small sellers that collect information manually and meet other conditions to be specified by the Data Protection Authority. Businesses would have to communicate to users their data collection practices and seek customers’ consent. They would have to collect and store evidence of the fact that such notice was given and such consent was duly received. Because the proposed law gives consumers the right to extract their consent, businesses would also have to come up with systems to allow consumers to do so. Consumers will also get the right to access, correct, and erase their data or even to transfer their data, including any inferences made by these businesses based on such data, to other businesses as they may desire.
The law once notified will require all businesses to make organizational changes to protect data better and introduce privacy-by-design principles (an approach in which privacy is a key consideration in how the business is organized), security safeguards, and so on. Another landmark aspect of the proposed law is the concept of “sensitive personal data” and “critical personal data” and prohibitions in their transfer out of India. Other features of the proposed law include rules about non-personal data such as sharing of valuable non-personal data with the government. Penalties up to INR 15 crores, or 4 percent of the global turnover of the firm in the preceding financial year can be imposed on violation of the proposed law.
START-UP ECOSYSTEM IN INDIA: TO BE ANXIOUS OR EXCITED?
Start-ups processing personal data on the basis of consent must provide users with notices at the time of collection and then processing. All companies will have to put in place an infrastructure wherein the provisions of the proposed law can be met. A steady system will have to be put in place to avoid data breach and in case one does take place, a notice system to the user to avoid any penalties. Cutting down operating costs is essential for start-ups in the early stages of growth, however, localization requirements and restrictions as well as installation of data protection tools may lead to increased operating costs. Besides, data and user base being one of the driving fuel behind lightning growth of startups may also take a huge hit where the business model demands exchange of data with third party vendors, especially in case of aggregators. Compliance, data governance and handling shall also increase costs substantially. How the data protection law will impact the investor sentiment, particularly where multinational assets are in question and where the foreign investment has a vested interest of exploiting the Indian market and user base, we can only expect to see once the law is notified.
Looking diagonally opposite, most brands, from the unicorns to the century old salt to steel conglomerates already have robust systems in place for data protection and privacy and the industry rendering services for data protection especially against cyber attacks is growing at quite a pace in itself, transparency and fair trade practices may also be a determining factor in the customer’s mind and with Startups and IT being probably already in the centre stage now, the proposed law may just propel the growth further.