Why should Indian start-ups care about India’s new data protection law?

India’s proposed data protection law introduced in Parliament in 2019 is being reviewed by a joint parliamentary committee. This piece discusses implications of the proposed law on the Indian startup ecosystem.

Rahul Seth and Anirudh Rastogi

India’s proposed data protection law, the Personal Data Protection Bill, 2019 introduced in Parliament late last year, is currently being reviewed by a joint parliamentary committee. Here we take a look at why Indian startups should be concerned with this forthcoming legislation.

The data protection bill imposes several obligations on startups without sufficient clarity on compliance. For instance, startups will need to put in place age verification mechanisms and take parental/guardian consent before processing children’s data. Under this new law, everyone below 18 years will need parental/guardian consent to access large parts of the internet. This is a problem, especially as teenagers form a large chunk of digital users today. Given the number of first-time internet users in India, in many cases children may actually be more digitally literate than their parents. This requirement means that companies will need to verify the age of each and every user to ensure that they are not children. The need for parental consent may also deprive children of access to valuable services. Remember the series of advertisements of a popular ed-tech platform, where Shahrukh Khan plays a disapproving father, unhappy with his kids using “new age” learning methods? While the ads today end on a happy note with kids and parents happily adopting the platform, such business models will need a re-look once the new bill becomes law.


Teenagers form a large chunk of digital users today.


The proposed new law requires sensitive personal data (such as health, financial and biometric data) and the yet-to-be defined critical personal data to be stored in India.  Startups will find the cost of setting up local data storage infrastructure prohibitive and it will take years for India to build the required cloud storage capacity domestically. This could result in a situation akin to India’s ambitious digital sky policy for drones that envisages building a technology platform for electronic permissions for drone operations, which has in effect grounded the drone industry because the platform is still under development. Local storage requirements in absence of a mature local cloud infrastructure could similarly stunt India’s startup ecosystem. This will also restrict the ability of startups to access newer cloud-based technologies, say for example certain new machine learning tools that may not be hosted on Indian servers.


Local storage requirements in absence of a mature local cloud infrastructure could similarly stunt India’s startup ecosystem.


India may soon have a new regulator with wide ranging powers, the Data Protection Authority of India (DPA). Among other things, the DPA is empowered to notify companies as ‘significant data fiduciaries’ (SDFs). SDFs must comply with several additional obligations such as conducting data protection impact assessments and appointing a data protection officer which in turn carry significant compliance costs. Classifying companies as SDFs is seemingly meant to ensure accountability of systemically important ‘big tech companies’ processing large volumes of data. But small companies and nascent startups may well be designated as SDFs if the DPA believes that their activities carry a risk of ‘significant harm’ or if they use ‘new technologies’, both terms with ambiguous meanings.

Much of the detail of our data protection framework will come through rules framed by the central government or the DPA, creating uncertainty about the nature and levels of compliance companies can expect. For example, the government can designate more categories of data to be sensitive (carrying stricter compliance requirements) if it wants to. Regulatory uncertainty is bad for business, stifles innovation and deters investment.

In an odd move for a law to protect user privacy, the draft data protection bill allows the government to requisition anonymized and other ‘non-personal data’ from any company to aid in its policy making. This should be a cause of concern for startups as it grants the government unrestricted powers to access data derived by businesses by investing significant financial and technical resources. This data may form the very basis for their business models and the source of their competitive advantage, apart from being a valuable form of intellectual property.


In an odd move for a law to protect user privacy, the draft data protection bill allows the government to requisition anonymized and other ‘non-personal data’ from any company to aid in its policy making.


The government has introduced several policies over the past few years to boost India’s startups. However, much of its efforts may come undone if the new data protection law is implemented without being thought through. Startups are an integral part of India’s vision of a trillion dollar digital economy and a highly restrictive data protection regime may prevent India from realizing it.


Rahul Seth manages WeWork Labs in North India and has been an entrepreneur, and mentor and investor to several startups. Anirudh Rastogi is the managing partner at Ikigai Law. The authors acknowledge inputs from Aman Taneja and Arpit Gupta, Senior Associates at Ikigai Law.

Challenge
the status quo

Sparking Curiosity...