Startups are aggressively trying to access global markets by using innovative technologies. One of the primary uses of such technologies is to harness and analyse user data. The data is used to target users efficiently by offering them relevant products and services. Along with an understanding of the importance of technology and data for business growth, startups today have also realised the importance of data protection and privacy. Doing so helps startups build their brand image and attract investors. In this context, therefore, it is worthwhile to take a quick look at some of the data privacy and protection-related legal requirements under the present Indian laws, and the upcoming ones, in order to be future-ready.
Presently, the Indian Information Technology Act, 2000 (IT Act) prescribes rules for possessing, dealing with, or handling sensitive personal data. It also provides for compensation for failure to protect such sensitive personal data. In addition, the disclosure of personal information in breach of a lawful contract is punishable with imprisonment or with a fine or both. Since startups mostly handle a considerable amount of personal and sensitive personal data, it is essential that they comply with the provisions of the IT Act, along with any other relevant sectoral law that may be applicable to them.
Recently, the draft Personal Data Protection Bill, 2018 (Draft Bill) has been submitted by the Srikrishna Committee to the Government for consideration. The Draft Bill mandates several additional obligations for entities engaged in the processing of personal data and is expected to increase the cost of compliance substantially. The Draft Bill prescribes penalties as high as Rs 15 crores or 4 percent of the total worldwide turnover (whichever is higher), in case of certain non-compliance.
Set out below are a few of the key compliance requirements under the Draft Bill which may significantly impact startups:
Stringent requirements to provide clear notice at the time of collection of personal data have been proposed by the Draft Bill. The notice is required to mention the individuals or entities with whom personal data will be shared. Further, the Draft Bill also mandates that such notice should be comprehensible and be provided in multiple languages, where necessary and practicable. These requirements to provide effective notices, to simplify and translate notices into multiple languages, etc. may turn out to be a cumbersome and costly affair for startups.
As per the Draft Bill, the collection and processing of personal data should only be for purposes that are clear, specific, and lawful. Moreover, reasonable steps are required to be taken to ensure that the personal data processed is complete, accurate, not misleading, and updated. Another important obligation is that personal data should be retained only as long as may be reasonably necessary to satisfy the purpose of processing. In order to ensure that these requirements are met, startups will be required to maintain strong data management practices and undertake a continuous review of personal data stored by them.
Compliance with these provisions can substantially increase costs for startups as well as require them to have dedicated resources.
The Draft Bill requires that at least one serving copy of personal data should be stored on a server or data centre located in India. Further, the Central Government may notify certain critical personal data which is mandatorily required to be processed in a server or data centre located in India. The requirement of data localisation is expected to increase the cost of retaining personal data on Indian servers. These costs may be fatal for startups that have been using third-party cloud service providers for data storage and with whom they have minimal bargaining power. Transfer of personal data outside India is also not permitted other than through certain mechanisms such as intra-group schemes or standard contractual clauses approved by the proposed Data Protection Authority of India (Authority).
Again, these may prove to be a heavy compliance burden for startups that are heavily dependent on the free movement of personal data for the success of their business.
The Draft Bill mandates certain security safeguards to be implemented and periodically reviewed considering the nature, scope, and purpose of processing of personal data. Some of the measures prescribed under the Draft Bill include de-identification, encryption, and steps for preventing misuse and unauthorized access to personal data. With most startups having skeletal IT teams performing peripheral functions, deployment of such advanced technologies may entail heavy investment in their IT set-up.
Notification to the Authority is required to be made where a breach of personal data is likely to cause harm to the persons whose personal data is breached. The Authority may direct that a notification be made to the affected individuals and that details of the breach be published on the concerned entity's website. Therefore, in addition to the security safeguards, startups may also have to invest in organisational and technological solutions for operationalising the breach notification mechanism.
The Draft Bill, when enacted, will enhance the burden of compliance for businesses, especially startups. A substantial amount of time, money, effort, and resources may have to be spent by startups in this regard. However, startups which are looking to expand in the future may consider this compliance cost as an investment in their business. It is only a matter of time before potential investors make investment decisions largely based on a comparative assessment of data privacy and protection measures adopted by startups.
Supratim Chakraborty is an Associate Partner and Sumantra Bose and Aritri Roy Chowdhury are Associates at Khaitan & Co.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)