What does the data protection bill mean for start-ups?
Subhashish Bhadra
Associate Partner, Dalberg Advisors | Rhodes Scholar | Author, Caged Tiger (Bloomsbury ‘23) | Ex - McKinsey, Omidyar Network, Klub
I was recently speaking on a panel at an event in Bangalore. The audience consisted primarily of start-ups. There was palpable anxiety about the personal data protection bill that was introduced in Parliament in Dec 2019, and is now with a Joint Parliamentary Committee for consideration. Many participants asked what the 'so-what' hidden behind the 98 clauses and 56 pages of dense legalese was. How would the bill affect them, and what would it mean for their costs, revenues, growth and operations?
The answer is pretty simple - we don't know yet! The bill lays down many data rights that businesses need to provide their users. It also specifies many duties for holders of data, especially those that will be classified as 'significant data fiduciaries'. This is par for the course for any data protection law. Any business, big or small, will need to make these changes. However, the lived experience of an entrepreneur will depend heavily on how the Data Protection Authority (DPA) functions. Let's take a short detour to the contours of the Indian regulatory state to understand why.
If you are in the banking sector, your entrepreneurial journey is determined to a large extent by the actions of the Reserve Bank of India (RBI). Similarly, if you are trading in securities, the Securities and Exchange Board of India (SEBI)'s decisions can create disruptive change - good or bad - for your business. This is a natural outcome of India's transition to a 'regulatory state'. Since liberalisation, India has created several regulators, each of them entrusted with a particular sector. These regulators enjoy varying degrees of independence from the government, and fuse legislative, executive and judicial functions. This governance innovation makes regulators very powerful.
The DPA is going to be another such regulator, and one might argue that it might even be the most powerful regulator of them all. Not only is its scope limitless - it will regulate each and every institution or person that processes data - but it will also have the powers to impose large fines of up to four percent of global turnover. For start-ups that are barely surviving on short runways, these fines can be the death knell. The DPA will also have a significant impact on how businesses run their operations. This is especially true for start-ups, most of which rely heavily on the collection and processing of user data. The DPA can fundamentally alter this lifeblood of the modern digital start-up.
But will the DPA actually impose such large fines? What will be the cost to business of actions that the DPA mandates? Will the DPA go soft on start-ups, recognizing the need to balance innovation and privacy? The answers to all such questions are currently unknown. The DPA, as and when it is set up, will have a high degree of discretion for all three of its functions - legislative, executive, and judicial. For example, the DPA has the power to make over 40 consequential decisions, ranging from the banal to the consequential. The list below shows some of the decisions the DPA will make as per the draft bill, and which will affect businesses directly.
Each of these decisions will have an impact on start-ups and the cost of doing business. For example, the DPA will determine the time period within which a business needs to respond to a request for data from an individual. If set very low (e.g. four days), this threshold can drive up costs, especially for start-ups. Or the DPA could choose to give start-ups enough time to respond to such requests. In case the start-up is non-compliant, the judicial arm of the DPA (which sits within the same entity making the law) can impose stiff fines. Or it may choose to have lower fines for start-ups, recognising that they do not have the same cash leeway that larger companies have. How the DPA will work is therefore simply unknown at this point!
Therefore, the key question facing us is whether the DPA will be transparent, predictable and consultative while making these decisions. My colleague Roopa Kudva made a similar point during her interview with CNBC recently (see video starting 4:02 mins).
Over the next few weeks, I will be posting some thoughts on what I believe the data protection bill should look like. In particular, I will return to this question of the DPA, and how it can be made predictable, transparent, and consultative. This will involve mandating that the DPA follow due process while making laws, undertaking investigations, and passing judgments. Watch this space for more!
So, what can start-ups do in the meantime? I made two points at the event:
- Firstly, start-ups need to become aware of their data collection and handling practices, whatever form the data protection bill eventually takes. They need to know what data they collect, where from (e.g. app, website, etc.), how it moves through their systems, which third parties they share it with, what security practices they have in place, etc. This is the bare minimum, and every start-up should invest in such an investigation early, so that it is well prepared for the law when it comes.
- Secondly, the law is still before Parliament and is not yet final. As job-creators of our economy, and as important stakeholders to the data privacy discussion, start-ups should communicate what their needs are to the committee, which is currently accepting comments. You can write to the committee through the channels specified here. The committee is likely to receive inputs from many stakeholders, and start-ups should make their voice heard.