Personal Data Protection Bill, 2019 | Startups hold the aces

The Bill, which provides for a stringent penalty regime, may prove expensive and onerous for the existing businesses

December 12, 2019 / 18:51 IST

Arun Prabhu

The Personal Data Protection Bill, 2019, which was tabled in the Lok Sabha on December 11, may be modified before it is actually enacted. This article seeks to analyse its impact on startups in India.

Personal Data

Personal data is all data -- online or offline -- relating to an individual with reference to features of their identity, directly or in combination with other information. Photographs, email, IP (Internet protocol) addresses, locations as well as conclusions drawn from any of them may constitute personal data.

When the Bill becomes law, entities will be required to ensure that they process all personal data of individuals “fairly and reasonably” while ensuring the latter’s privacy.

Such processing, which includes collection, storage, alteration, use, disclosure or even deletion, can be done only for clear, lawful and specific purposes to which such individuals have directly or indirectly given their consent.

There are limited grounds for processing without consent, which may include lending, fraud prevention, credit scoring, debt recovery, etc. Other parameters may be specified by the Data Protection Authority to be created under the Bill.

Consent and Consent Managers

Entities need to provide a ‘consent notice’ to individuals before processing their personal data. The notice, inter alia, will have to specify the nature of data being collected, the purpose of collection, the period of its retention, entities with whom such data may be shared, data trust scores where applicable, and procedures for grievance redressal.

Consent, once provided, may also be withdrawn in which case personal data can no longer be processed. Entities cannot retain personal data after the period necessary for the purpose for which processing was consented to.

Even more stringent obligations apply to the processing of “sensitive” personal data, which includes information on health, biometrics, healthcare, financials and the like.

The enactment and implementation of the Bill will result in Indian businesses being required to modify -- and in some cases completely reorient -- the manner in which they collect, store or use data.

To somewhat mitigate the onerous burden of consent, the Bill introduces the concept of a ‘consent manager’. The manager can manage the entire consent process, including collection, review or withdrawal, on behalf of an individual across multiple entities through a platform that is transparent, interoperable and accessible. Implemented properly, such platforms have the ability to streamline the consent process and assist in reducing compliance costs and user fatigue.

This may turn out to be a significant avenue of business for startups who develop robust consent management platforms.

Regulatory Sandbox

The proposed restrictions on the collection and storage of information do have the potential to limit operations and growth of businesses which rely on large volumes of data pertaining to individuals.

Perhaps to offset this, the Bill proposes creation of a regulatory sandbox for promotion of innovation in artificial intelligence, machine learning and related areas.

Technology in these sectors often relies on large volumes of “training data”, and entities operating in these areas may apply to the authority under the Bill for a temporary exemption from the purpose, collection and storage limitations described above.

Non-personal Data

A draft Personal Data Protection Bill recommended to the government in 2018 by a committee under Justice B N Srikrishna (Retd.) proposed exclusion of non-personal data from its ambit. Indeed, a separate committee has been appointed under Kris Gopalakrishnan to deliberate on a data governance framework for such non-personal information. While the report of the latter is still pending, the Bill has proposed to create wide-ranging rights for the government to require entities to provide anonymized personal or other non-personal data for delivery of services or formulation of evidence-based policies.

This broad access may make businesses hesitate to send data and may, in certain cases, lower the value of such information.

The Bill, which provides for a stringent penalty regime, may prove expensive and onerous for the existing businesses. It might be beneficial for nimble and compliant new businesses, which can leapfrog legacy issues by embracing compliance and developing technology for automation.

Arun Prabhu is Partner with Cyril Amarchand Mangaldas. Samraat Basu, Associate, contributed to the story. Views are personal.

first published: Dec 12, 2019 06:51 pm
