Tech startups, primarily in the consumer internet space, will have to take fresh consent from users for their past data as per the provisions specified under the Digital Personal Data Protection Bill, 2022.
Although startups are not required to take explicit consent for each category of data collected in the past, they will still have to specify some additional context, including the reason for collecting the data and further details on third parties with access to previous data, and give users the choice to delete any previously collected data.
“Section 6 of the newly drafted Bill has very clearly said that consumer-facing startups will also have to provide customers with the right to withdraw their consent for such previously collected data and also provide a copy of the personal data collected on-demand,” said Vinod Joseph, partner at Argus Partners law firm.
However, industry and legal experts FE spoke with said that the current draft of the data protection Bill is much more convenient for startups and may not raise compliance costs considerably, especially in comparison to the previous drafts that imitated the European GDPR Act.
Rishi Anand, partner at DSK Legal, said that the compliance level specified under the current draft of the Bill isn’t capital-intensive for small companies and is, in fact, much cheaper to comply with in comparison to the GDPR law. “The new draft has also removed criminalisation for non-compliance by removing imprisonment, and this is the right approach, especially in the Indian context. Rather than using a criminal penalty, the ministry of IT has suggested a financial penalty as a way to discourage companies from ignoring cybersecurity measures,” added Anand.
The ministry of IT is also said to be working on including some relaxations for early-stage startups to comply with a few sections of the privacy Bill, according to a PTI report on Monday. Such relaxations were being suggested so as to not stifle innovation, especially for data modelling, the report added. However, policy and legal experts are split over this decision.
Joseph of Argus Partners said that the previous drafts of the data privacy Bill in 2018, 2019 and 2021 included a special provision for ‘small business entities’ based on the company’s turnover. Small entities were exempt from compliance requirements for processing sensitive personal data in the previous version of the Bill. However, the concept of small entities does not exist in the November 2022 draft. “It’s a good idea to exempt small entities from complying with a few sections of the new privacy Bill but such exemption should not be given out after a 5-10 years’ timeline,” Joseph added.
However, Salman Waris, founder and managing partner of TechLegis Advocates & Solicitors, said that although compliance cost is bound to increase for tech startups, any moves to relax the law for a few entities may end up setting parallel regulatory regimes.
“The ministry of IT’s decision to relax some data privacy compliance requirements exclusively for early-stage startups would only create further confusion and lead to compliance uncertainty ultimately setting up parallel regimes under the same law. This would be very difficult to track where ultimately customer data collected by early-stage startups would end up being used. And such a setup may actually end up defeating the very purpose of the law,” added Waris.