Context: In response to the Ministry of Electronics and Information Technology’s (“MeITY”) call for comments on the Personal Data Protection Bill, 2018 (“Bill”), Ikigai Law and Inc42 submitted a consolidated set of comments reflecting the views of certain startups on the proposed law. These comments were published in connection with ‘The Dialogue’[1] – a roundtable session organised by Ikigai Law and Inc42, to discuss the impact of the Bill with startups. Please see below for the submission made to MeITY.
I. Background
In order to prepare startups for the changes in the data protection regime in the country, Ikigai Law (formerly TRA Law), in association with Inc42 had organised ‘The Dialogue’[2] – a roundtable session to discuss the impact of the Personal Data Protection Bill, 2018 (“Bill”) with startups, on September 7th, 2018. The event, which was hosted at the Taj Palace in New Delhi, was led by Anirudh Rastogi (Founder, Ikigai Law); Nehaa Chaudhari (Policy Lead, Ikigai Law) and Vaibhav Agarwal (Founder and CEO, Inc42). The discussion focused on three key issues under the Bill: (i) the new notice and consent requirements; (ii) the treatment of sensitive personal data; and (iii) data localisation.
This note contains a consolidated set of comments, observations and concerns voiced by representatives of the participating companies, to provide a sense of where startups stand on the Bill. It is important to note that the views contained in this note are not the views of Ikigai Law or Inc42, we have only aggregated the responses of participants who attended ‘The Dialogue’. We have attributed comments to individuals wherever their specific comments have been used.
II. Comments on the Bill
This section provides an overview of comments, observations and concerns raised by startups on the Bill.
1. Need for a thorough assessment of the pros and cons of data localisation
Many startups place reliance on global cloud computing platforms such as Google Cloud, Microsoft Azure and Amazon’s AWS. Their choice of cloud platforms is determined by the responsiveness of the service, cloud service latency, availability of disaster recovery centres and overall efficiency. For instance, as per Vivek Jain of Interactive Media, he prefers using global cloud platforms over domestic platforms since the domestic cloud computing platforms are not available at the same cost and they do not offer the same quality of services. He is concerned that data localization may not be immediately possible since improving the quality of cloud services in India will take enough time. It is unclear why startups can no longer freely rely on servers located outside the country, when such practices may in fact be better for data security than storing all the data in one location, which can enable attacks.
Vivek Kothari, a data scientist working with Mobileum, believes that since stringent data storage requirements lead to significant costs even for large companies, startups would be particularly affected by this measure. Another participant found the possible effects of localisation on the health sector to be worrisome, since restricting the free flow of health data outside the country could limit the full potential of medical technologies. As per this participant, “Patient information, such as oncology data, should be shared as learnings outside India. This sharing of information helps improve the efficacy of drugs and diagnostic services.” Restricting the free flow of health data outside the country could limit the full potential of medical technologies. Given the potential negative consequences associated with data localisation, there is a need for a thorough reassessment of the measure, that includes and addresses stakeholder concerns.
2. Need for clarity on timelines for compliance
Given the particular constraints of time and money that startups operate under, it will be important to set timelines for compliance in consensus with industry stakeholders. This is particularly concerning given that in April 2018, the Reserve Bank of India had directed the storage of all payments data in the country within the short span of six months.[3] Requiring companies to completely renew their data processing practices is going to be a time-intensive exercise, and it is imperative that stakeholders are given enough time to ensure compliance with all the provisions of the Bill, once it becomes a law.
3. Need for guidance on how to operationalise notice and consent practices
One of the participants, a startup founder, was concerned that the consent practices mandated under the Bill may be difficult to operationalise for certain technologies. Giving the example of facial recognition technology that is used to track and manage attendance of groups of students, he explained that while it is practicable to take consent on an individual basis, it would become extremely difficult to obtain the valid consent of larger groups of people in a crowd while capturing their faces.
Startups using Internet of Things (“IoT”) devices too may face issues providing notice and obtaining valid consent. IoT devices will need screens to display notices or will have to send emails in real time to users. This can come in the way of user experience and dissuade consumers from using these devices.
Thus, there is a need to evaluate the practical effects of the strict notice and consent requirements for certain technologies, and tweak the requirements accordingly. Without specific guidance on how to operationalise these safeguards, startups will find it extremely difficult to ensure compliance and could risk violation of the Bill.
4. Need for guidance on how to treat sensitive personal data
It is unclear how social media platforms and applications that allow users to post information revealing their sexuality, religious beliefs, political views or their caste status (all of which are sensitive personal data under the Bill) will be expected to treat the processing of this data. It would be impractical and expensive to treat freely available public information with the same security safeguards that are accorded to sensitive personal data under the Bill. There is a need for clarification on this front, to prevent startups from incurring unnecessary costs.
5. Need for a carve-out for small businesses and entrepreneurs
Boot-strapped startups operating under tight budgets and resource constraints will be hit by the increased compliance costs entailed by the Bill. In order to facilitate compliance for smaller businesses, startups would like to see a carve-out for small businesses below a certain financial threshold– with relaxed standards for compliance being applied to such businesses. While the Bill does contain a carve-out for manual processing by small entities under Section 48 at present, this exemption is too limited in its scope and ignores automated processing.
On the subject of steep penalties and criminal liability prescribed for non-compliance with the Bill’s provisions, Vikas Chauhan of 1MG feels that we cannot have a system where digital health entrepreneurs are scared to operate digital health businesses and innovate, for fear of criminal prosecution. Per him, the penalty should be financial and there should be different levels of liability for companies that violate the same provision repeatedly. This will ensure that entrepreneurs do not face an existential threat for small offences.
6. Need for clarity on ‘critical personal data’
The Bill creates a class of ‘critical personal data’ (“CPD”) which can only be stored and processed in India. However, this class of data is currently undefined, since only the Central Government has the authority to notify the kinds of data that will fall under this category. However, the Bill has not even specified whether this data should be treated as sensitive personal data or personal data. This distinction has consequences for the grounds of processing for CPD – since personal and sensitive personal data are subject to different levels of safeguards. In order to avoid unintended violations of the Bill, startups need clarity on the exact scope of CPD.
[This set of comments and views has been consolidated by Ikigai Law and Inc42]
[1] Detailed information on the topics covered during the event may be found at:
A. Draft Personal Data Protection Bill: Make your voice heard in ‘The Dialogue’ by Inc42 & Ikigai Law, Inc42, published on 28 August, 2018, available at : https://inc42.com/buzz/draft-personal-data-protection-bill-make-your-voice-heard-in-the-dialogue-by-inc42-tra-law/ (Last accessed on 25th September, 2018).
B. ‘The Dialogue’ By Inc42 & Ikigai Law: PDP Bill marks a clear divide between mindsets of policymakers & start-ups, Inc42, published on 9th September, 2018, available at: https://inc42.com/buzz/the-dialogue-by-inc42-ikigai-law-pdp-bill-marks-a-clear-divide-between-the-mindsets-of-policy-makers-and-startups/ (Last accessed on 25th September, 2018).
[2] Detailed information on the topics covered during the event may be found at:
C. Draft Personal Data Protection Bill: Make your voice heard in ‘The Dialogue’ by Inc42 & Ikigai Law, Inc42, published on 28 August, 2018, available at : https://inc42.com/buzz/draft-personal-data-protection-bill-make-your-voice-heard-in-the-dialogue-by-inc42-tra-law/ (Last accessed on 25th September, 2018).
D. ‘The Dialogue’ By Inc42 & Ikigai Law: PDP Bill marks a clear divide between mindsets of policymakers & startups, Inc42, published on 9th September, 2018, available at: https://inc42.com/buzz/the-dialogue-by-inc42-ikigai-law-pdp-bill-marks-a-clear-divide-between-the-mindsets-of-policy-makers-and-startups/ (Last accessed on 25th September, 2018).
[3] See RBI notification on the storage of payments systems data, published on 6th April, 2018, available at: https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0 (Last accessed on 25th September, 2018).
