Ikigai LawIkigai LawIkigai LawIkigai Law
  • About Us
    • About
    • Our Team
    • FinTales
    • Tech Ticker
  • Practice Areas
  • Blog
  • News & Events
    • Ikigai Law in the news
    • Ikigai Law at events
    • Ikigailaw on the social media
  • Careers

Comments of certain start-ups on the Personal Data Protection Bill, 2018: Consolidated views

    Home Data Governance Comments of certain start-ups on the Personal Data Protection Bill, 2018: Consolidated views
    NextPrevious

    Comments of certain start-ups on the Personal Data Protection Bill, 2018: Consolidated views

    By Ikigai Law | Data Governance | 0 comment | 17 October, 2018 | 6

    Context: In response to the Ministry of Electronics and Information Technology’s (“MeITY”) call for comments on the Personal Data Protection Bill, 2018 (“Bill”), Ikigai Law and Inc42 submitted a consolidated set of comments reflecting the views of certain startups on the proposed law. These comments were published in connection with ‘The Dialogue’[1] – a roundtable session organised by Ikigai Law and Inc42, to discuss the impact of the Bill with startups. Please see below for the submission made to MeITY.

     

    I. Background

    In order to prepare startups for the changes in the data protection regime in the country, Ikigai Law (formerly TRA Law), in association with Inc42 had organised ‘The Dialogue’[2] – a roundtable session to discuss the impact of the Personal Data Protection Bill, 2018 (“Bill”) with startups, on September 7th, 2018. The event, which was hosted at the Taj Palace in New Delhi, was led by Anirudh Rastogi (Founder, Ikigai Law); Nehaa Chaudhari (Policy Lead, Ikigai Law) and Vaibhav Agarwal (Founder and CEO, Inc42). The discussion focused on three key issues under the Bill: (i) the new notice and consent requirements; (ii) the treatment of sensitive personal data; and (iii) data localisation.

    This note contains a consolidated set of comments, observations and concerns voiced by representatives of the participating companies, to provide a sense of where startups stand on the Bill. It is important to note that the views contained in this note are not the views of Ikigai Law or Inc42, we have only aggregated the responses of participants who attended ‘The Dialogue’. We have attributed comments to individuals wherever their specific comments have been used.

     

    II. Comments on the Bill

    This section provides an overview of comments, observations and concerns raised by startups on the Bill.

     

    1. Need for a thorough assessment of the pros and cons of data localisation

    Many startups place reliance on global cloud computing platforms such as Google Cloud, Microsoft Azure and Amazon’s AWS. Their choice of cloud platforms is determined by the responsiveness of the service, cloud service latency, availability of disaster recovery centres and overall efficiency. For instance, as per Vivek Jain of Interactive Media, he prefers using global cloud platforms over domestic platforms since the domestic cloud computing platforms are not available at the same cost and they do not offer the same quality of services. He is concerned that data localization may not be immediately possible since improving the quality of cloud services in India will take enough time. It is unclear why startups can no longer freely rely on servers located outside the country, when such practices may in fact be better for data security than storing all the data in one location, which can enable attacks.

    Vivek Kothari, a data scientist working with Mobileum, believes that since stringent data storage requirements lead to significant costs even for large companies, startups would be particularly affected by this measure. Another participant found the possible effects of localisation on the health sector to be worrisome, since restricting the free flow of health data outside the country could limit the full potential of medical technologies. As per this participant, “Patient information, such as oncology data, should be shared as learnings outside India. This sharing of information helps improve the efficacy of drugs and diagnostic services.” Restricting the free flow of health data outside the country could limit the full potential of medical technologies. Given the potential negative consequences associated with data localisation, there is a need for a thorough reassessment of the measure, that includes and addresses stakeholder concerns.

     

    2. Need for clarity on timelines for compliance

    Given the particular constraints of time and money that startups operate under, it will be important to set timelines for compliance in consensus with industry stakeholders. This is particularly concerning given that in April 2018, the Reserve Bank of India had directed the storage of all payments data in the country within the short span of six months.[3] Requiring companies to completely renew their data processing practices is going to be a time-intensive exercise, and it is imperative that stakeholders are given enough time to ensure compliance with all the provisions of the Bill, once it becomes a law.

     

    3. Need for guidance on how to operationalise notice and consent practices

     One of the participants, a startup founder, was concerned that the consent practices mandated under the Bill may be difficult to operationalise for certain technologies. Giving the example of facial recognition technology that is used to track and manage attendance of groups of students, he explained that while it is practicable to take consent on an individual basis, it would become extremely difficult to obtain the valid consent of larger groups of people in a crowd while capturing their faces.

    Startups using Internet of Things (“IoT”) devices too may face issues providing notice and obtaining valid consent. IoT devices will need screens to display notices or will have to send emails in real time to users. This can come in the way of user experience and dissuade consumers from using these devices.

    Thus, there is a need to evaluate the practical effects of the strict notice and consent requirements for certain technologies, and tweak the requirements accordingly. Without specific guidance on how to operationalise these safeguards, startups will find it extremely difficult to ensure compliance and could risk violation of the Bill.

     

    4. Need for guidance on how to treat sensitive personal data

     It is unclear how social media platforms and applications that allow users to post information revealing their sexuality, religious beliefs, political views or their caste status (all of which are sensitive personal data under the Bill) will be expected to treat the processing of this data. It would be impractical and expensive to treat freely available public information with the same security safeguards that are accorded to sensitive personal data under the Bill. There is a need for clarification on this front, to prevent startups from incurring unnecessary costs.

     

    5. Need for a carve-out for small businesses and entrepreneurs

    Boot-strapped startups operating under tight budgets and resource constraints will be hit by the increased compliance costs entailed by the Bill. In order to facilitate compliance for smaller businesses, startups would like to see a carve-out for small businesses below a certain financial threshold– with relaxed standards for compliance being applied to such businesses. While the Bill does contain a carve-out for manual processing by small entities under Section 48 at present, this exemption is too limited in its scope and ignores automated processing.

    On the subject of steep penalties and criminal liability prescribed for non-compliance with the Bill’s provisions, Vikas Chauhan of 1MG feels that we cannot have a system where digital health entrepreneurs are scared to operate digital health businesses and innovate, for fear of criminal prosecution. Per him, the penalty should be financial and there should be different levels of liability for companies that violate the same provision repeatedly. This will ensure that entrepreneurs do not face an existential threat for small offences.

     

    6. Need for clarity on ‘critical personal data’

    The Bill creates a class of ‘critical personal data’ (“CPD”) which can only be stored and processed in India. However, this class of data is currently undefined, since only the Central Government has the authority to notify the kinds of data that will fall under this category. However, the Bill has not even specified whether this data should be treated as sensitive personal data or personal data. This distinction has consequences for the grounds of processing for CPD – since personal and sensitive personal data are subject to different levels of safeguards. In order to avoid unintended violations of the Bill, startups need clarity on the exact scope of CPD.

     

    [This set of comments and views has been consolidated by Ikigai Law and Inc42]

     

    [1] Detailed information on the topics covered during the event may be found at:

    A. Draft Personal Data Protection Bill: Make your voice heard in ‘The Dialogue’ by Inc42 & Ikigai Law, Inc42, published on 28 August, 2018, available at : https://inc42.com/buzz/draft-personal-data-protection-bill-make-your-voice-heard-in-the-dialogue-by-inc42-tra-law/ (Last accessed on 25th September, 2018).

    B. ‘The Dialogue’ By Inc42 & Ikigai Law: PDP Bill marks a clear divide between mindsets of policymakers & start-ups, Inc42, published on 9th September, 2018, available at: https://inc42.com/buzz/the-dialogue-by-inc42-ikigai-law-pdp-bill-marks-a-clear-divide-between-the-mindsets-of-policy-makers-and-startups/ (Last accessed on 25th September, 2018).

    [2] Detailed information on the topics covered during the event may be found at:

    C. Draft Personal Data Protection Bill: Make your voice heard in ‘The Dialogue’ by Inc42 & Ikigai Law, Inc42, published on 28 August, 2018, available at : https://inc42.com/buzz/draft-personal-data-protection-bill-make-your-voice-heard-in-the-dialogue-by-inc42-tra-law/ (Last accessed on 25th September, 2018).

    D. ‘The Dialogue’ By Inc42 & Ikigai Law: PDP Bill marks a clear divide between mindsets of policymakers & startups, Inc42, published on 9th September, 2018, available at: https://inc42.com/buzz/the-dialogue-by-inc42-ikigai-law-pdp-bill-marks-a-clear-divide-between-the-mindsets-of-policy-makers-and-startups/ (Last accessed on 25th September, 2018).

    [3] See RBI notification on the storage of payments systems data, published on 6th April, 2018, available at: https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0 (Last accessed on 25th September, 2018).

     

    AI, ArtificialIntelligence, AWS, BigData, cloud, CloudServicePlatforms, CloudServiceProviders, Consent, DataLocalisation (different spellings, DataLocalization, GDPR, GoogleCloud, hence twice), Ikigai Law, IndiaDataProtection, IoT, MeITY, MicrosoftAzure, Notice, PDPBill, PDPBill2018, PersonalDataProtection, PersonalDataProtectionBill, Privacy, SensitivePersonalData, SPDI, SrikrishnaCommittee, Startups

    Ikigai Law

    More posts by Ikigai Law

    Related Post

    • Clause-wise mapping of the JPC’s recommendations on India’ data protection law

      By Ikigai Law | 0 comment

      A detailed clause-wise analysis of the Parliamentary committee’s report on India’s data protection law. On 16 December 2021, the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 tabled its report in Parliament. TheRead more

    • Clause by Clause Redline: 2018 and 2019 Personal Data Protection Bills

      By Ikigai Law | 0 comment

      The Indian government’s endeavour to regulate the collection and use of personal data dates back to 2012 when the A.P. Shah led committee released its report on privacy[1]. Seven years hence, the much awaited PersonalRead more

    • Draft Personal Data Protection Bill, 2018: what are the practical concerns?

      By Ikigai Law | 0 comment

      The draft Personal Data Protection Bill, 2018 (“Bill”) raises many concerns for businesses – start-ups and established companies alike. Companies will be required to revamp several of their operational practices once the Bill becomes anRead more

    • Stakeholders’ responses to the White Paper on a data protection framework in India

      By Ikigai Law | 0 comment

      In a 4 part series, we have mapped the publicly accessible opinions of 27 stakeholders on the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27th November, 2017Read more

    • What will be the fate of TRAI recommendations and the RBI circular after the PDP Bill is enacted?

      By Ikigai Law | 0 comment

      An edited version of this piece by Nehaa Chaudhari was first published by Inc42 and is available here.   About ten days ago, the Ministry of Electronics and Information Technology (MEITY) appointed Committee of Experts chairedRead more

    Leave a Comment

    Cancel reply

    Your email address will not be published. Required fields are marked *

    NextPrevious

    Tags

    #DataProtection #Fintales bitcoin Blockchain Budget Consent Consultation Consultation Paper cryptocurrency data Data Controllers data governance Data localisation Data Protection Data Subjects digital economy Digital India Drones E-Commerce Facebook Fintech Government Government of India healthtech Ikigai Law India Indian government Innovation MeITY Notice Payments Personal Data policy Privacy RBI Recommendation Regulation Srikrishna Committee Stakeholders Startups Surveillance Technology Tech Policy TechTicker TRAI

    Connect with Ikigai Law

    Copyright 2018 Ikigai Law | All Rights Reserved             

    Information

    • Practice Areas
    • Blog
    • Careers
    • Contact Us
    • Privacy Policy

    Contact us

    Office
    T-7/402, Commonwealth Games Village Apartment,
    New Delhi, Delhi 110092 India.

    Email Address

    contact@ikigailaw.com

    • About Us
      • About
      • Our Team
      • FinTales
      • Tech Ticker
    • Practice Areas
    • Blog
    • News & Events
      • Ikigai Law in the news
      • Ikigai Law at events
      • Ikigailaw on the social media
    • Careers
    Ikigai Law