Data privacy deemed a fundamental right, but is the Indian startup ecosystem prepared for new protection law?

As India gears up for a tough data protection law, lawyers say most startups are yet to understand the implications for their clients and must simplify notices and their consent frameworks.

Someone tells you about a new meditation app. You quickly download it, accepting the terms and conditions without a second glance. Same goes for the new hyperlocal grocery app in town. And the latest ecommerce site for handmade products.

But what happens to all that data that you so readily share on your apps and networks? Very often, it ends up in the hands of third parties and companies that use it to analyse your online habits.

Last year, a Bengaluru-based startup was working with a third party to crunch data gathered through GPS. Unfortunately, that third party sold the data to a Chinese company, which began running ads in India based on this very data. The startup remained oblivious until it received an email from a Pakistani

ad marketing company, asking the company to share data.

“I was appalled that our data was going out of our company because we did not have processes around data protection. We took a year to ensure that customers’ data remained with us at all times, and never worked with a third party,” says the founder, seeking anonymity.

In the digital age, data privacy typically applies to critical personal information, including identification numbers (Aadhaar and PAN), health and medical records, financial data (bank account and credit card numbers).

Mukesh Ambani, the Chairman of Reliance Industries, is among the top business leaders worldwide who believes that data is the new oil. In the wrong hands, a data breach could lead to multiple problems. The world knows that.

A law passed in Europe and a judgment in India

Last year, the General Data Protection Regulation(GDPR) went live in Europe on May 25. The EU created GDPR to protect digital identities of its citizens by making companies liable for data being used without customers’ consent.

Under GDPR, all companies dealing with consumer data will have to give the consumer an “opt in” and “opt out” option to being tracked. The companies must also manage the data in the country of origin.

EU regulators can fine companies up to four percent of their worldwide annual revenue, or €20 million, whichever is larger, if the companies don’t proactively ensure that users are in the know of data guidelines.

Who owns our data?

India's efforts on digital privacy

The Indian data protection law is yet to come in to force, but lawyers believe that it is going to be as stringent as the GDPR.

Internet penetration has grown solidly in India in the last five years, courtesy the growth of startups, ecommerce companies, and technology innovations across industries. India’s online market stands second only to China.

Primary IT industry bodies such as Nasscom and Data Security Council of India (DSCI) have backed rigorous data privacy and protection for years.

And ever since the Supreme Court ruled in favour of the right to privacy being deemed “a fundamental right”, the focus on data protection to enhance citizen safety and security has increased.

The heart of India’s data bill has its roots in the Puttaswamy versus the Union of India case of 2012. Retired Judge K S Puttaswamy filed a petition with the Supreme Court, in 2012, challenging the Constitutional validity of Aadhaar over the right to privacy protected under Article 21 of the Constitution of India.

In 2017, nine justices declared that privacy was the “constitutional core of human dignity”. This 547-page judgment is a landmark one because no institution or government can enforce their authority on an individual unless established in accordance with the procedure of law.

This will eventually apply to several companies that use customer data and offer specific suggestions. Are they ready for the lawsuits that will follow if they don’t fall in line? The answer is no.

Nehaa Chaudhuri, Public Policy Leadat Ikigai Law, says,

“From a best practices perspective, every startup should be ahead of the curve and ensure that they are compliant with data privacy. This is the first time product managers and lawyers have to work together.”

She adds that, for now, startups must simplify notices shown to consumers and the consent framework.

Image: Shutterstock

Are startups ready for the data protection law?

Cisco’s Data Privacy Benchmark Study, released this year, covered 3,200 respondents from 18 companies, and revealed that India scores very high - 65 percent - in terms of being GDPR-ready. The country rates much higher than the US, China, Germany, and Japan on this. However, it must be kept in mind that the respondents were cybersecurity professionals; the study does not reveal whether the responses werefrom startups or large corporates.

Going forward, data privacy and protection will be at the centre of India’s startup ecosystem.

According to Nasscom, there were 7,200 startups in India as of 2018. YourStory data reveals that more than 90,000 entrepreneur stories have been told. Clearly, the startup ecosystem is serving millions of consumers and all these companies need to be ready with data protection features that are simplified for the user to understand.

Smriti Tipirneni, Partner at Delhi-based startup Burgeon Law, says,

“The truth is that startups are yet to understand the implications of data protection for their clients and users. As of now, they have terms and conditions that are lengthy and often take consent without giving people a chance to understand what is happening with their data.”

A look at the terms and conditions and privacy pages of most startups shows this. Most are lengthy, there is scant mention of how data can be used once consent is given, and there is no mention of the choice of opting out a closer look at mobility service startups reveals that neither do all put in the opt-out clause in their terms and conditions nor do they tell you how to opt out.

Bike-sharing company Bounce gives you an opt-out policy, for data tracking, if you send an email to the company. Others like Swiggy, Vogo, and Ola offer the user the right to privacy legally, but don’t give an opt-out model until one uninstalls the app. YourStory, which is committed to data privacy, gives users an opt-out option with a simple email. But not every website/app does that.

In fact, some of them say “don’t read the terms and conditions” because they are not “interesting’’. This is mentioned in an upcoming media company's website. Such startups may be in for a rude awakening when users take them to court for not taking explicit consent for data crunching.

A senior legal counsel at a mobility company, says: “All startups must simplify their terms and conditions when it comes to getting consent from users on using or crunching user data.That’s the journey that all of us are taking. The data is encrypted and protected. However, with data protection rights around the corner companies will have to be much more proactive about user protection.”

Focusing on the next 300 million internet users

Even as India gears up for its data protection law, which aims to balance companies doing business using people’s data and the need for individual privacy, it is time that startups ready for the changing digital environment.

Most VCs and startups today have presentations that tell the world that India’s next 300 million internet users will come from small cities and towns.

A study by Dvara Research shows that Indians in smaller towns are becoming much more aware about personal data protection. Many often stop using an app when informed that their data is being used to understand their behaviour.

“Most fintech companies giving loans to businesses in small towns will have to handle data privacy carefully as many people will be reluctant to share private data. It is their duty to convince the ecosystem that data crunching can be used for good too. That banks can work with fintech to underwrite risk better and collect better,” says Aparajita Srivastava, Senior Associate at Ikigai Law.

The draft Personal Data Protection Bill, which has to be tabled in Parliament by the end of the year, is what everyone is waiting for. 

Lawyers say that by the time the Bill becomes an Act, startups should not react to the legal implications of the Act, but can be ready by implementing the recommendations of the Justice Srikrishna Committee.

“It is not about paying lawyers anymore; it is about preparedness and protecting users. Our Constitution has ensured protection for all citizens and data privacy too will come under its ambit,” says Himanshu Mene, Associate at Bengaluru-based Link Legal.

(Edited by Teja Lele Desai)


Updates from around the world