India is home to a significant start-up culture, as the fourth largest startup ecosystem in the world, behind the United States, China and the United Kingdom, with about 51 (fifty-one) unicorns in India as of 2021, many of them operating in the digital ecosystem. With over 500 million internet users as of 2020, the exponentially rising digital interface is set to house and nurture this ecosystem further.
The Government’s initiatives to enable digital ecosystems, such as the Digital India and Smart Cities missions, and to support start-ups in the innovation ecosystem through Startup India and the Scheme for Facilitating Startups Intellectual Property Protection, offer valuable support to emerging start-ups. Parallel endeavours to facilitate ease of doing business, through attempts to liberalize and develop business-friendly regulatory frameworks and to support innovation through regulatory sandboxes, are set to facilitate and support the start-up ecosystem further.
An important centrepiece in the evolving regulatory puzzle for startups operating in the digital space concerns data protection and privacy. The existing information technology law and rules regulating the collection, processing and disclosure of a specific subset of personal information, namely sensitive personal data or information (“SPDI”), remain inadequate to deal with the complex privacy concerns arising out of automated processing and emerging technologies such as artificial intelligence, as was also highlighted by the Supreme Court. This led to an array of regulatory developments, as outlined below.
The Ministry of Electronics and Information Technology (“MEITY”) constituted a committee of experts on a data protection framework in India which presented its report dated July 27, 2018 (“Report”) which led to the introduction of the Personal Data Protection Bill, 2019 (“PDP Bill”) in the Parliament. The PDP Bill is currently being reviewed by a joint parliamentary committee which is expected to present its report and recommendations in the monsoon session of the Parliament.
A parallel development, in the form of a legislative framework for the governance of non-personal data, is being undertaken, proposing a light-touch compliance regime to tap the potential of open access to, and interconnectivity between, non-personal datasets for economic growth.
Enhanced obligations under the PDP Bill
The PDP Bill proposes enhanced obligations for entities collecting, storing and processing personal data, sensitive personal data (“SPD”) and an as-yet-undefined category of critical personal data (“CPD”). Start-ups may have to reassess compliance requirements based on the sensitivity, volume and nature of personal data collected and processed. They may have to:
(a) Review datasets collected or processed and categorize sensitive or critical personal data upon enactment of the PDP Bill;
(b) Identify and analyze sectoral regulations related to data, information technology or cyber security (especially for critical sectors) applicable to them, in addition to PDP Bill;
(c) Determine the legal basis for processing, including whether any exceptions for processing without consent may be applicable, and comply with consent (or explicit consent, for SPD), consent notice and other data practices, if consent is relied upon;
(d) Assess data processing operations for the risk of significant harm to data principals, which may have to be disclosed to data principals or remedied;
(e) Evaluate data handling and storage practices and comply with requirements surrounding the maintenance of records, as prescribed by the Data Protection Authority (“DPA”); and
(f) Assess data flows and transfers of personal data to third-parties, especially if such transfers are outside India to ensure compliance with transfer conditions and requirements related to local storage (applicable to SPD and CPD).
Startups may be at risk of being categorized as significant data fiduciaries on the basis of the volume and sensitivity of personal data, the nature of processing operations (including technologies used), the likelihood of harm to data principals and turnover. This attracts significantly higher compliance requirements such as conducting data protection impact assessments, periodic data audits, enhanced requirements for the maintenance of records and registration with the DPA. Entities handling or processing large volumes of children’s personal data may also be categorized as guardian data fiduciaries and are barred from conducting profiling, tracking or behavioural monitoring of such data principals.
Start-ups engaged in the use of artificial intelligence, machine learning or similar emerging technologies may also be able to take advantage of a proposed sandbox for encouraging innovation. This may also be aligned with existing regulatory initiatives, such as the regulatory sandbox of the Reserve Bank of India.
Cross-border data transfers
The PDP Bill proposes a requirement to store one copy of SPD within India, while housing the as-yet-undefined category of CPD within India only. While personal data may be transferred outside India without any restrictions, cross-border transfers of SPD must meet one of the transfer conditions. These include transfers on the basis of contracts with third parties or intra-group schemes for transfer to group entities (provided such contracts and schemes have been approved by the DPA), transfers to a country which ensures an “adequate level of protection” as determined by the Central Government, or transfers on the specific permission of the DPA (collectively, the “Transfer Conditions”). On the other hand, CPD is permitted to be transferred only under very limited conditions, mostly around emergency services or on the permission of the Central Government, in consultation with the DPA.
Entities processing SPD may be required to reassess their data storage policies and handling procedures to align with the localization and cross-border transfer conditions under the PDP Bill. In recognition of this localization requirement and with a view to facilitating the growth of data centres, MEITY has also released a Draft Data Centre Policy, 2020, which discusses the need for growth of data centres in India and provides strategies for growth of the sector. Harmonization of sectoral codes with the requirements under the PDP Bill, especially concerning data localization requirements applicable to specific types of data such as payment data and insurance policyholder data, may be particularly useful for entities in critical and heavily regulated sectors.
Anonymized and non-personal data
It is noteworthy that, under the PDP Bill, the Central Government has the ability to solicit any anonymized personal data or non-personal data for better targeting the delivery of services or for the formulation of evidence-based policies. This sweeping clause does not provide any specifics around licensing, compensation or related aspects. On the other hand, the NPD Report, which discusses pertinent issues relating to anonymized personal data and non-personal data, provides that ownership of non-personal data would rest with the individual and sets out a comprehensive governance framework for non-personal data. The NPD Report proposes a data-trust model to enable the sharing of data, the establishment of a Non-Personal Data Authority (“NPDA”) and other key measures, with a view to balancing the economic value of data against ownership and risks to data principals.
Considerations for start-ups
Startups may actively consider adopting certain preparedness measures prior to the enactment of the PDP Bill. While the measures may vary from sector to sector, they are particularly important for start-ups in actively regulated spaces such as finance and healthcare. These include:
(a) Assessment of data in-flows and out-flows and identifying sensitive data sets to which enhanced requirements may be applicable;
(b) Identification of legal basis for collection, processing, disclosure and transfer outside India of such information;
(c) Review of consent documentation and agreements with customers and third parties, and structuring of data sharing arrangements, especially in view of the local storage requirements and conditions for cross-border transfer; and
(d) Review of internal policies such as employee documentation, cyber security and incident response plans, which may also be warranted on account of specific requirements such as breach reporting.
Impact on critical sectors
Start-ups in specific sectors such as finance and healthcare may face an additional impact because they deal with critical datasets. The Report describes critical data as including all kinds of data necessary to keep the wheels of the economy and the nation-state turning, which may include health and infrastructure data. Some of the key perspectives that may be useful in such situations include:
(a) Identifying processing operations, and specifically those conducted using automated means, and the possibility of harm that may be caused to data principals as a result of such processing. For instance, start-ups using automated processing to determine a customer’s eligibility for a loan may have to evaluate and factor in the possibility of harm to customers as a result of such processing. Such evaluations may be useful in making disclosures to customers, assessing the compliance burden and extending data principal rights, such as the right of portability;
(b) Having due regard to the possible categorization of processing activities that analyze or predict aspects of behaviour, attributes or interests as ‘profiling’ within the meaning of the PDP Bill, which may lead to enhanced compliance obligations and the possibility of harm to data principals. For instance, start-ups using or engaged in the development of AI-assistive technologies for the healthcare sector must have due regard to the possibility of harm owing to the processing of sensitive data; and
(c) Entities providing services targeted towards children may have to evaluate their data processing activities and their possible categorization as a guardian data fiduciary. As a result, such entities may be restricted from offering targeted advertising to children or undertaking any processing which may cause significant harm to a child.
Start-ups may evaluate their personal data processing operations to identify potential exemptions or relaxations under the PDP Bill. These include:
(a) Relying on a legal basis for processing other than consent, where applicable to them;
(b) Where personal data which does not relate to Indian residents is processed, as in outsourcing services, identifying the exemptions available to data processors; and
(c) The exemption for processing by small entities where such processing is manual in nature.
Entities should also be wary of the impact of classification as significant data fiduciaries, guardian data fiduciaries or social media intermediaries, especially where large volumes of sensitive datasets are processed, where automated tools are used for processing in a way that may increase the risk of harm to data principals, or where personal data relating to children is processed.
In view of the notification of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, it would be interesting to track the Government’s approach to regulating internet and social media intermediaries, digital media entities, publishers of digital news and online curated content and other intermediaries under the PDP Bill and the possibility of harmonizing these requirements.
Enactment of the PDP Bill will require entities to evaluate data practices at every instance of data processing. Data Fiduciaries may be required to review consent notices, other consent documentation and agreements with third parties such as Data Processors. Development of internal processes, privacy-by-design policies, systems for responding to Data Principal requests, interactions with consent managers, data storage and retention policies, and process flows for incident response and management would likely be priorities for start-ups in
In view of the above, start-ups may have to be vigilant in closely tracking legislative developments on the PDP Bill and meeting compliance timelines as may be notified by the Government. It may also be useful for entities in the critical sectors to engage with the DPA and the Government on extending relevant exemptions to entities in such sectors and to call for harmonization of rules and regulations with the sectoral regulations applicable to them.
This article has been written by Sameer Avasarala, Anirban Mohapatra and Arun Prabhu from Cyril Amarchand Mangaldas for Databyte.
Information Technology Act, 2000;
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
Sensitive personal data or information means such personal information which consists of information relating to: (a) passwords; (b) financial information such as bank account, credit card, debit card or other payment instrument details; (c) physical, physiological and mental health condition; (d) sexual orientation; (e) medical records and history; and (f) biometric information;
Justice (Retd) K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1;
‘Report by the Committee of Experts on Non-Personal Data Governance Framework’ dated July 12, 2020;
Sensitive Personal Data under the PDP Bill includes financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation or any other data categorized as sensitive personal data;
Section 27, PDP Bill;
Section 29, PDP Bill;
Section 28, PDP Bill;
Section 26, PDP Bill;
Section 16, PDP Bill;
Section 40, PDP Bill;
Section 33, PDP Bill;
Regulation 18, IRDAI (Outsourcing of activities by Indian Insurers) Regulations, 2017;
Section 91, PDP Bill;